We’ve just set up a new SQL Managed Instance on Azure, and have restored a database to it for testing. After running an initial Azure Vulnerability Assessment, the results include this:
VA2108 – Minimal set of principals should be members of fixed high
impact database roles
Fixed database roles may have administrative
permissions on the system. Following the principle of least privilege,
it is important to minimize membership in fixed database roles and
keep a baseline of these memberships.
Remediation – Remove members who should not have access to the database role
ALTER ROLE (db_owner) DROP MEMBER (dbo)
I don’t want to ignore this if its a real concern, but am worried about inadvertantly damaging something due to a lack of experience. There are many web sites showing how to ‘fix’ the error, but each is based on its own scenario.
Within SQLMI we have the following logins:
- SqlMiAdmin (the Azure-created user account that owns the instance)
- DbUser1 – See below
Within the database itself we have the following users:
- DbUser1 – Mapped to the above login for CRUD operations via stored procedures only
- dbo – not used (directly, AFAIK)
The owner of the database (in Properties) is shown as
SqlMiAdmin. Any schema changes and database updates are performed by me using
I’m unsure about how to tackle VA2108 and it’s implications in doing so. If the
dbo user isn’t used in the database then I figured I’d try following the Azure recommendation, but it fails:
ALTER ROLE (db_owner) DROP MEMBER (dbo) -- Cannot use the special principal 'dbo'.
Can anyone please recommend an appropriate course of action?