November 10, 2016 by Kenneth Fisher
First I guess we had best start with definitions right? The permission Administer Bulk Operations and the role bulkadmin are required (one or the other) to perform bulk imports. Nothing more, nothing less. There is a really nice comparison of the two here.
So as with all permissions we only grant them if there is an actual need right? And the best practice of least privilege says that if someone has to be able to do a bulk load on a table then we should grant the bulk load to that one table right? There’s the rub. Bulk admin permissions are at the instance level and are not granular in any way. Ie you can’t grant it specifically to a single database or table. It’s all or nothing.
Now at first glance that seems like a real problem. But if you think about it for a bit longer it’s really not such a big deal. In order to perform a bulk import you actually have to have three permissions (at minimum).
- CONNECT – Have to get into the database in the first place right?
- INSERT – Yes, you actually have to have permission to put data into the table in order to do a bulk insert, just like a regular insert.
- ADMINISTER BULK OPERATIONS – Last and in my opinion least.
So in my opinion it’s pretty harmless. You have to already be able to connect to the database and insert data into the table for this to have any effect. I wouldn’t grant anything unless there’s a specific need, but once there is one I wouldn’t be overly cautious about granting this one.