Is there any way to execute sp_addlogin stored procedure to
create a new sql server login from a login account who has minimum
privileges on database. (He is not a member of either sy
min or securityadmin).
My problem is I need to create new sql server login from code
from my application. At runtime the DBA may not willing to give a login with
sy
min for my application use. So I am looking for an alternative toexecute sp_addlogin procedure with minimum privileged account.
Please help me.
VenkatWhat about use a role for from code?
"venkat" wrote:
> Hi,
>
> Is there any way to execute sp_addlogin stored procedure to
> create a new sql server login from a login account who has minimum
> privileges on database. (He is not a member of either sy
min or security> admin).
>
> My problem is I need to create new sql server login from code
> from my application. At runtime the DBA may not willing to give a login wi
th
> sy
min for my application use. So I am looking for an alternative to> execute sp_addlogin procedure with minimum privileged account.
>
> Please help me.
>
> --
> Venkat
>
>|||Actually my application is a multi user application. So if a new user
account need to be created then the corresponding database access also be
created. So in this case the logged in user (Administrator defined in
application) has permission to create new user. So my point is if we want to
create a new sql server login the logged in user (in this case
administrator) must be member of sy
min and securityadmin. But at thedeployment side we are facing problem as there are no permissions on db.
(Means not a member of sy
min). So I am looking for an alternative to comeout of this problem by using any stored procedures which can be run by a
normal user.
"Enric" <Enric@.discussions.microsoft.com> wrote in message
news:744BCE5E-5968-4FC6-9BE8-5710F70C50FE@.microsoft.com...
> What about use a role for from code?
> "venkat" wrote:
>|||In SQL Server 2005, you have additional options except sy
min or securityadmin. Are you on 2005?
If no, you need to be either sy
min or securityadmin. Only way around thatwould be to create your
own version of the sp_addlogin stored procedure (see the source code for tha
t procedure and you will
see that it checks against securityadmin).
Tibor Karaszi, SQL Server MVP
http://www.karaszi.com/sqlserver/default.asp
http://www.solidqualitylearning.com/
Blog: http://solidqualitylearning.com/blogs/tibor/
"venkat" <tammana@.inooga.com> wrote in message news:e6$%23j05DGHA.2036@.TK2MSFTNGP14.phx.gbl
..
> Actually my application is a multi user application. So if a new user acco
unt need to be created
> then the corresponding database access also be created. So in this case th
e logged in user
> (Administrator defined in application) has permission to create new user.
So my point is if we
> want to create a new sql server login the logged in user (in this case adm
inistrator) must be
> member of sy
min and securityadmin. But at the deployment side we are facing problem as there
> are no permissions on db. (Means not a member of sy
min). So I am looking for an alternative to
> come out of this problem by using any stored procedures which can be run b
y a normal user.
> "Enric" <Enric@.discussions.microsoft.com> wrote in message
> news:744BCE5E-5968-4FC6-9BE8-5710F70C50FE@.microsoft.com...
>|||venkat (tammana@.inooga.com) writes:
> Is there any way to execute sp_addlogin stored procedure to
> create a new sql server login from a login account who has minimum
> privileges on database. (He is not a member of either sy
min or security> admin).
>
> My problem is I need to create new sql server login from code
> from my application. At runtime the DBA may not willing to give a login
> with sy
min for my application use. So I am looking for an alternative> to execute sp_addlogin procedure with minimum privileged account.
Assuming that you are on SQL 2000, the one way I can think of is
application role. (SQL 20005 has more options). You would in that
case only use the application role for this particular task, and this
application role must exist in master. I have not tested that this
actually works, though.
I will have to say that I am not sure that this sounds like a very good
idea. Anyone who adds logins, should probably have explicit access to
do so, as this is a quite serious thing to do. This is paricularly
important if the application is to run a server together with many
other applications. I don't think a DBA would accept an application
whihc permitted users to create logins on his server.
Erland Sommarskog, SQL Server MVP, esquel@.sommarskog.se
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pr...oads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodin...ions/books.mspx
No comments:
Post a Comment