GRANT CREATE/ALTER/DROP logins and users for users

Question

Post reply

GRANT CREATE/ALTER/DROP logins and users for users

ratloser99 36160

SSC-Addicted

Points: 430
More actions
June 21, 2016 at 3:29 am

#317293

Some of our keyusers should get permision to CREATE, ALTER and DROP logins and users for specified databases.
I tried
GRANT EXECUTE ON [sys].sp_addlogin TO [keyusers]
GRANT EXECUTE ON [sys].sp_droplogin TO [keyusers]
GRANT EXECUTE ON [sys].sp_adduser TO [keyusers]
GRANT EXECUTE ON [sys].sp_dropuser TO [keyusers]
but the users get an error message:
"User does not have permission to perform this action. (Microsoft SQL Server, Error: 15247)"
I only want to give them permissions for some databases, not for all. Which permissions do the keyuser need and which statements do I have to use?
Thank you!

Viewing 6 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic. Login to reply

kreuzer Ten Centuries Points: 1246 More actions · Answer 1

Hi,

the user which will performe this action, is this a SA user, or has this user the required rights:

"ALTER ANY LOGIN"

Kind regards,

Andreas

Satish S Mr or Mrs. 500 Points: 580 More actions · Answer 2

Hi,

I believe you gave different DB or they may be using different DB. Check it..

Perry Whittle SSC Guru Points: 233836 More actions · Answer 3

ratloser99 36160 (6/21/2016)
Some of our keyusers should get permision to CREATE, ALTER and DROP logins and users for specified databases.
I tried
GRANT EXECUTE ON [sys].sp_addlogin TO [keyusers]
GRANT EXECUTE ON [sys].sp_droplogin TO [keyusers]
GRANT EXECUTE ON [sys].sp_adduser TO [keyusers]
GRANT EXECUTE ON [sys].sp_dropuser TO [keyusers]
but the users get an error message:
"User does not have permission to perform this action. (Microsoft SQL Server, Error: 15247)"
I only want to give them permissions for some databases, not for all. Which permissions do the keyuser need and which statements do I have to use?
Thank you!

Grant the users membership of the server role "securityadmin", this will allow them to create and drop logins. The users will also need ownership level of any database they wish to map the logins into.

-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" 😉

ratloser99 36160 SSC-Addicted Points: 430 More actions · Answer 4

thank you for your reply. It seems to be a good idea to give them these permissions. I will do so. 🙂

Perry Whittle SSC Guru Points: 233836 More actions · Answer 5

ratloser99 36160 (6/23/2016)
thank you for your reply. It seems to be a good idea to give them these permissions. I will do so. 🙂

Well, actually it's not. Do they really need to be able to do this or should an administrator do this?

-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" 😉