The problem: everyone has access, nobody has governance
The database server is the company's vault: it holds invoices, customer records, employee data and financial information. Yet in most SMEs, it is the least controlled system.
The pattern is always the same. The ERP software vendor asks for the administrator password — “otherwise it won't work.” The company agrees because it lacks the expertise to challenge the claim. Then comes the payroll vendor, the CRM vendor, a consultant called in for an emergency. Each installs their own tools, creates their own backups, schedules their own jobs. Nobody documents. Nobody coordinates.
The result is a server effectively administered by 3–5 different parties, each with full administrator privileges, with nobody holding the complete picture.
Why “we need sa” is almost always false
A well-designed business application needs specific permissions on its own database: membership of the db_owner role on that database and, at most, a few targeted permissions such as BACKUP DATABASE or VIEW SERVER STATE.
It never needs instance-level sysadmin. Those who ask for it do so out of development convenience, because they don't know which permissions are actually required, or because they want direct production access for troubleshooting. None of these are acceptable from a security standpoint.
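What the scoped alternative looks like in T-SQL, as an added example that is not part of the original article: the sysadmin grant the text warns about is shown only as a comment, and the login names (erp_app, backup_svc), the database names (ErpDb, PayrollDb) and the placeholder passwords are assumptions for illustration.

```sql
USE master;
GO
-- The pattern the article describes: the vendor's login is added to the
-- sysadmin fixed server role and thereby owns the whole instance, every other
-- vendor's database included. Shown for contrast only, not meant to be run.
-- ALTER SERVER ROLE sysadmin ADD MEMBER erp_app;

-- Scoped alternative: one login per application, password policy enforced.
-- With CHECK_EXPIRATION on, rotation has to be scheduled with the vendor.
CREATE LOGIN erp_app
    WITH PASSWORD = 'CHANGE-ME-placeholder-from-a-vault',  -- placeholder
         CHECK_POLICY = ON,        -- complexity/lockout from Windows policy
         CHECK_EXPIRATION = ON;    -- no "never expires" service passwords

-- The only server-level grant the application gets: read-only access to the
-- DMVs for troubleshooting. It does not let the login read another database.
GRANT VIEW SERVER STATE TO erp_app;
GO

USE ErpDb;   -- assumed to exist: the ERP vendor's own database
GO
CREATE USER erp_app FOR LOGIN erp_app;
ALTER ROLE db_owner ADD MEMBER erp_app;   -- full control of ErpDb, nothing else
GO

-- A backup tool gets BACKUP DATABASE on each database it protects and nothing
-- more: it can write the backup files but cannot SELECT the rows.
USE master;
GO
CREATE LOGIN backup_svc
    WITH PASSWORD = 'CHANGE-ME-placeholder-from-a-vault', CHECK_POLICY = ON;
GO
USE ErpDb;
GO
CREATE USER backup_svc FOR LOGIN backup_svc;
GRANT BACKUP DATABASE TO backup_svc;
GO

-- Check the segregation from the application's point of view: impersonate the
-- login and list the databases it can reach. Expected: master, tempdb and
-- ErpDb only; PayrollDb and the other vendors' databases are absent.
USE master;
GO
EXECUTE AS LOGIN = 'erp_app';
SELECT name FROM sys.databases WHERE HAS_DBACCESS(name) = 1;
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;   -- expected 0
REVERT;
GO
```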
The real risks for your business
When multiple vendors have sysadmin access to the same server, the consequences are serious:
- Every vendor can see everyone else's data — the ERP vendor can read payroll data, and vice versa. No segregation whatsoever.
- No reliable audit trail — if everyone uses the same sa account, you cannot tell who did what. In the event of an incident, reconstructing the chain of events is impossible.
- Credentials scattered everywhere — passwords in configuration files, in plain text or with weak encryption, on machines belonging to external technicians you don't control.
- Overlapping backup tools — each vendor leaves their own: Maintenance Plans, third-party scripts, proprietary agents. In the end, nobody knows which backup is valid in a disaster scenario.
- Expanded attack surface — every installed tool is code running with elevated privileges. Every unpatched tool is a vulnerability. Every abandoned tool is a vulnerability that nobody fixes.
Liability falls on leadership, not on the software vendor
This is the point many business owners miss. The GDPR is clear: the data controller is the company. The software vendor is a data processor acting under the company's instructions. If those instructions don't exist and everyone does as they please, in the event of a data protection authority inspection or a data breach, liability falls on the company.
The software vendor's contract states that “the client is responsible for the infrastructure.” The company thought “the vendor takes care of it.” Nobody was taking care of it.
With the NIS2 Directive, supply chain risk management becomes a legal obligation: knowing and controlling what your vendors do on your systems is no longer a best practice — it is the law for organisations within scope.
The solution: a single point of accountability mandated by leadership
The first step is organisational, not technical. Leadership must appoint a single point of accountability for the database infrastructure — internal or external — and communicate to all vendors that every intervention on the server goes through that contact.
1. Access audit — map who has access to the server, with what privileges and why. Forgotten accounts, service accounts with non-expiring passwords and abandoned tools still running are common findings.
2. Principle of least privilege — replace sysadmin accounts with granular permissions. Each application accesses only its own database, with the minimum permissions required.
3. A single, documented backup system — remove overlapping tools and implement a backup and disaster recovery strategy with clear retention policies, regular restore tests and documentation.
4. Vendor governance — every software vendor operating on the server works under the supervision of the designated contact, with dedicated, tracked and revocable credentials.
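The access audit in step 1, with the evidence steps 3 and 4 rely on (who runs jobs, who writes backups), as T-SQL over SQL Server's catalog views; this is an added example, not part of the original article, and assumes an administrative connection with read access to msdb.

```sql
-- Added example: read-only audit queries; nothing is modified.

-- 1. Who holds instance-wide control. The "3-5 parties with full administrator
--    privileges" of the text appear here as members of sysadmin.
SELECT r.name AS server_role, m.name AS member, m.type_desc,
       m.is_disabled, m.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin')  -- securityadmin can grant itself more
ORDER BY r.name, m.name;

-- 2. SQL-authenticated logins that bypass password policy or never expire.
--    Windows/AD logins follow domain policy and are not listed here.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0
ORDER BY password_last_set;

-- 3. Scheduled work still running under each vendor's identity: owner, whether
--    it is enabled, and the last date it actually ran. A NULL owner (login
--    deleted) or a job nobody recognises is the "abandoned tool" of the text.
SELECT j.name AS job_name, SUSER_SNAME(j.owner_sid) AS job_owner, j.enabled,
       j.date_modified, MAX(h.run_date) AS last_run_yyyymmdd
FROM msdb.dbo.sysjobs AS j
LEFT JOIN msdb.dbo.sysjobhistory AS h
       ON h.job_id = j.job_id AND h.step_id = 0   -- step 0 = job outcome row
GROUP BY j.name, j.owner_sid, j.enabled, j.date_modified
ORDER BY job_owner, job_name;

-- 4. Backup coverage per database: more than one account writing backups means
--    overlapping tools; a stale or NULL last_full means no copy to restore.
SELECT d.name AS database_name, d.recovery_model_desc,
       MAX(CASE WHEN b.type = 'D' THEN b.backup_finish_date END) AS last_full,
       MAX(CASE WHEN b.type = 'L' THEN b.backup_finish_date END) AS last_log,
       COUNT(DISTINCT b.user_name) AS backup_accounts
FROM sys.databases AS d
LEFT JOIN msdb.dbo.backupset AS b ON b.database_name = d.name
WHERE d.name <> 'tempdb'
GROUP BY d.name, d.recovery_model_desc
ORDER BY last_full;
```

Each result set maps directly onto a finding in the steps above: sysadmin members to be scoped down, logins to be given a policy, jobs to be claimed or removed, and the one backup stream to keep.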
A certified partner to regain control
AtWorkStudio has been operating from Piacenza since 2000. We hold ISO/IEC 27001, 27017, 27018 and ISO 9001 certifications, with ACN qualification for cloud services. We are members of Clusit (Italian Association for Information Security) and affiliated with Confindustria Piacenza in the RICT cluster.
We act as intermediaries between the company and its software vendors: we manage the database server, assign the correct permissions, implement a single documented backup system, and ensure every intervention is tracked and compliant. Leadership gets a single point of accountability for data security.
Sources
- Italian Data Protection Authority — Guidelines on data controller and data processor
- Directive (EU) 2022/2555 (NIS2) — Articles 21 and 23, risk management and supply chain
- Clusit Report 2026 — Data on cyber attacks against Italian SMEs
- Microsoft — SQL Server security best practices: least privilege and separation of duties