Sql-server – Software needs db owner permission to master database (sql2016)

Security, sql server, sql-server-2016

We have a manufacturer whose software requires authorization for the master database (only db owner works). Unfortunately, the manufacturer cannot tell us why this access to the master database is necessary. Without this permission, the application will not start.

What are your opinions? Have you ever seen such software? We have 200 different applications, but this is the first one that needs permanent access.

Is there any objection to security?

As an alternative, if access to the master DB is not a good idea from your point of view, we can install an SQL Express instance, because the database is very small.

Best Answer

I have seen software that requires a sysadmin server role membership, at least during installation. It might be that the software creates dbo-owned objects in master and db_owner is the easiest way to allow that without resorting to sysadmin role membership. Although it might be possible to provide more granular permissions, application code changes might be needed, one cannot grant the minimal permissions necessary without knowing specifically what the software does, and the vendor would need to support such changes.

A separate instance/machine (including in Azure) can help mitigate security concerns. SQL Server Express might be an option to reduce costs if you can work within the resource limitations, but be aware your HA options will be limited.
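
One way to find out what the software actually does in master before deciding on permissions, as an added example that is not part of the original answer or the vendor's code. It lists role members in master, objects in master that Microsoft did not ship, and the explicit permissions of the application's database user; the user name `VendorAppUser` is a hypothetical placeholder.

```sql
-- Added example: run on the instance where the vendor application is installed.
USE master;
GO

-- 1. Which principals are members of db_owner (or any other role) in master?
SELECT r.name      AS role_name,
       m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
ORDER BY r.name, m.name;

-- 2. Objects in master that are not flagged as shipped by Microsoft.
--    The result can include objects created by SQL Server setup itself,
--    so compare create_date with the application's installation date.
SELECT s.name AS schema_name,
       o.name AS object_name,
       o.type_desc,
       o.create_date,
       o.modify_date
FROM sys.objects AS o
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
WHERE o.is_ms_shipped = 0
ORDER BY o.create_date DESC;

-- 3. Explicit permissions granted or denied to the application's user in master.
DECLARE @app_user sysname = N'VendorAppUser';  -- hypothetical name, replace with the real user

SELECT pr.name AS grantee,
       pe.class_desc,
       pe.permission_name,
       pe.state_desc,
       CASE WHEN pe.class = 1   -- class 1 = object or column
            THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id)
       END AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = @app_user
ORDER BY pe.class_desc, pe.permission_name;
```

Running the second query before and after the application's installation and first start shows which objects it created in master, which is the information needed to discuss narrower permissions with the vendor.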