Home Forums SQL Server 2014 Administration - SQL Server 2014 Create User without ALTER ANY USER RE: Create User without ALTER ANY USER

  • May 6, 2016 at 10:54 am

    #1877207

    remember there is a difference between a LOGIN and a USER.

    nothing gets any rights unless you add them to a group or role that gives them permissions.

    so, never add a LOGIN as sysadmin, and they can never add anyone else as sysadmin either.

    in a specific database, anyone in the db_owner role can create a USER for that specific database, but not do anything to their logins (assuming you did not give them sysadmin)

    scripting wise, here's an example or two.

    --create our normal user

    CREATE LOGIN [ClarkKent] WITH PASSWORD=N'NotTh3ARealPassword',

    DEFAULT_DATABASE=[master], CHECK_EXPIRATION=ON, CHECK_POLICY=ON;

    GO

    USE [SandBox]

    GO

    CREATE USER ClarkKent For Login ClarkKent;

    GO

    ALTER USER ClarkKent with DEFAULT_SCHEMA = 'dbo'

    EXECUTE AS User='ClarkKent'

    select * from sys.objects --cannot see anything, nothing granted to him so far

    REVERT; --change back to the superuser

    EXEC sp_addrolemember 'db_datareader','ClarkKent ';

    EXECUTE AS User='ClarkKent'

    select * from sys.objects --can NOW see all the tables and views and query them

    REVERT; --change back to the superuser

    Lowell

    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!