Database Management Account (DMSA)
A domain database management account is available for customers that want to separate database run-time application operations from the database management and maintenance operations that require SQL SysAdmin rights. This enhances the security options available for customers by reducing privileges when accessing the SQL Server.
Customers can select whether to use a single management service account for all application and database activities, or to introduce the database management account in addition to the management service account.
When you implement the database management account, database permissions are assigned as follows:
- Management Service Account (MSA) permissions are reduced to the minimal SQL rights required for run-time application operations. MSA does not require SQL SysAdmin rights.
- Database Management Account (DMSA) permissions include all database installation, maintenance and configuration operations. DMSA is also responsible for database upgrade, migration and patch installation.
  DMSA is a member of the SQL SysAdmin role during these scenarios and the SysAdmin privileges can be revoked following system configuration.

- All site preparation tasks: Technology, Security, and Networking Deployment Reference Guide
- All database permission tasks: This guide
- All post-system configuration tasks: Enterprise Manager Configuration and Administration Guide
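The revocation of DMSA SysAdmin rights after system configuration, and the check that the MSA never holds them, can be verified on the SQL Server instance itself. The T-SQL below is an added example, not part of the product documentation; the login names `EXAMPLE\svc-msa` and `EXAMPLE\svc-dmsa` are hypothetical placeholders, and it must be run by a login that is allowed to alter server roles.

```sql
-- Hypothetical login names (assumptions); replace with the real domain accounts.
DECLARE @msa  sysname = N'EXAMPLE\svc-msa';   -- Management Service Account (run time)
DECLARE @dmsa sysname = N'EXAMPLE\svc-dmsa';  -- Database Management Account

-- 1. Inventory: every direct member of the sysadmin fixed server role.
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 2. Effective membership before the change.
--    1 = member (directly or through a Windows group), 0 = not a member,
--    NULL = login unknown or caller lacks permission to view it.
SELECT v.account, v.login_name,
       IS_SRVROLEMEMBER(N'sysadmin', v.login_name) AS is_sysadmin
FROM (VALUES (N'MSA', @msa), (N'DMSA', @dmsa)) AS v(account, login_name);

-- 3. Drop the DMSA from sysadmin once system configuration is finished.
--    ALTER SERVER ROLE accepts no variables, so the statement is built
--    dynamically with QUOTENAME to keep the login name safely delimited.
IF EXISTS (SELECT 1
           FROM sys.server_role_members AS rm
           JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
           JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
           WHERE r.name = N'sysadmin' AND m.name = @dmsa)
BEGIN
    DECLARE @sql nvarchar(400) =
        N'ALTER SERVER ROLE [sysadmin] DROP MEMBER ' + QUOTENAME(@dmsa) + N';';
    EXEC sys.sp_executesql @sql;
END
ELSE IF IS_SRVROLEMEMBER(N'sysadmin', @dmsa) = 1
    -- Not a direct member, so DROP MEMBER on the login would fail.
    PRINT N'DMSA is sysadmin only through a Windows group; fix the group membership instead.';

-- 4. Confirm the end state: both rows should report 0.
SELECT v.account, v.login_name,
       IS_SRVROLEMEMBER(N'sysadmin', v.login_name) AS is_sysadmin
FROM (VALUES (N'MSA', @msa), (N'DMSA', @dmsa)) AS v(account, login_name);
```

Before the next upgrade, migration or patch installation, the DMSA needs SysAdmin membership again, so the same step 4 check is worth repeating after each such maintenance window.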