We have a folder on a windows server shared to provide access to an important application. When the application is being updated we (DBAs) change the permissions on the share to deny all access to it and then disconnect any files open on the share. After we complete the application update (using a different share to the same files) we re-enable access to the share.
The way we modify the share is using the MS Management Console to remotely connect to the server. Apparently this capability requires administrator access on the server or at least some level of permissions that the Infrastructure team would like to take away.
The question is how can the DBAs handling the application update disable and enable access to the share with as few permissions on the server as possible?
One possibility, although it requires programming, would be to write a system service (running therefore with all required privileges, and set to manual start), and give the rights to a specific group to start and stop this service (this is straightforward, see How do I grant start/stop/restart permissions on a service to an arbitrary user or group on a non-domain-member server?, you can use for example Service Security Editor or Process Hacker to edit the ACL).
The users would not need any privilege at all: the service would do the required disconnections/share changes upon start, and revert to the normal configuration on stop. When your application has to be updated, the user doing this would only have to start the service before the update, and stop it afterwards. By the way, this kind of solution is used by some software, e.g., to allow everybody to update it (see for example the Mozilla Maintenance Service).
You could set the share permissions to an Active Directory group, then have the infrastructure team give you delegation privileges to that group. When you need to deny access, simply edit the group membership. When you're done, restore the group membership.
This solution doesn't require having any administrative access, and is much faster than editing the share permission each time.
You could:
D:\additionalFolder\yourfolder, shareadditionalFolderfor the DBA team, andyourfolderas the current share.A option we are considering is to have the activity performed by scheduled task and then use an event of some sort to trigger the scheduled task to run. The problem with this solution is that we don't know of a way to send an event that can cause the trigger to fire without giving permissions that are more broad than they need to be.