SQLServerCentral is supported by Redgate
Create Login in SP - limited access and permissions problem

Emil B
Group: General Forum Members

Hi,

I have an example stored procedure:

CREATE PROCEDURE [adm].[CreateTestUser]
    @Login    NVARCHAR(50),
    @Password NVARCHAR(50)
AS
DECLARE @SQL NVARCHAR(MAX)

-- QUOTENAME() brackets the login name and single-quotes the password so that
-- neither value can break out of the generated DDL (plain concatenation let
-- any ] or ' in the input rewrite the statement).
SET @SQL = 'CREATE LOGIN ' + QUOTENAME(@Login)
         + ' WITH PASSWORD = ' + QUOTENAME(@Password, '''')
         + ', CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'

EXEC (@SQL)


I'm getting the error 'User does not have permission to perform this action.' even if I add 'WITH EXECUTE AS OWNER'.

I want to run this procedure as user 'UserAdmin', which has EXECUTE permissions on schemas adm and sys but not on dbo. I don't want my user to have too much access; he should do only what the stored procedure lets him do.

I did try to use IMPERSONATE, but it's not very secure: the user can do EXEC('...') AS LOGIN = xxx and have the same access as the impersonated login. If I map him to the securityadmin role he will be able to skip the stored procedure and create users himself with any access.

The user is a member of the crl_admin role. Below is how the role was set up:

CREATE SCHEMA adm
GO

CREATE ROLE crl_admin
GO

DENY VIEW DEFINITION ON SCHEMA::[dbo] TO [crl_admin];
GRANT VIEW CHANGE TRACKING ON SCHEMA::[dbo] TO [crl_admin];
DENY SELECT ON SCHEMA::[dbo] TO [crl_admin];
GRANT SELECT ON SCHEMA::[sys] TO [crl_admin];
DENY VIEW DEFINITION ON SCHEMA::[sys] TO [crl_admin];
GRANT EXECUTE ON SCHEMA::[adm] TO [crl_admin];
GRANT VIEW CHANGE TRACKING ON SCHEMA::[adm] TO [crl_admin];



I'm out of ideas. Any suggestions?

Jack Corbett
Group: General Forum Members

Creating a LOGIN requires server-level permissions, so it doesn't really matter what permissions you grant within the database; even a user with dbo/db_owner permission won't be able to create a login.

I'd be inclined to sign the procedure to grant it rights to create a login. You can read some about signing a procedure in these places:

http://sommarskog.se/grantperm.html
http://msdn.microsoft.com/en-us/library/bb283630.aspx



Jack Corbett

Applications Developer

Don't let the good be the enemy of the best. -- Paul Fleming
At best you can say that one job may be more secure than another, but total job security is an illusion. -- Rod at work

Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
How to Post Performance Problems
Crosstabs and Pivots or How to turn rows into columns Part 1
Crosstabs and Pivots or How to turn rows into columns Part 2
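As a worked version of the certificate-signing approach suggested above (an added example; it is not code from this thread or from the linked articles), the script below signs adm.CreateTestUser with a certificate, copies the certificate's public key into master as a login, and grants that login only IMPERSONATE on a dedicated login that holds ALTER ANY LOGIN. The procedure switches to that login around its dynamic SQL and reverts afterwards. Routing through impersonation rather than granting ALTER ANY LOGIN to the certificate login directly means the example does not depend on whether certificate-granted permissions carry into the dynamic SQL batch, which is the part of module signing most often tripped over; it also answers the impersonation worry in the question, because UserAdmin never holds IMPERSONATE, so EXEC('...') AS LOGIN fails for him outside the signed procedure. The database name AppDb, the certificate, login and file names, and the passwords are placeholders chosen here, THROW needs SQL Server 2012 or later, and the existing adm.CreateTestUser is dropped first because ADD SIGNATURE applies to the compiled module as written.

```sql
-- Run as a sysadmin/deployment account. AppDb, all names, passwords and the
-- file path are assumptions for this example.
USE AppDb;
GO
-- 1. Certificate whose private key signs the procedure. The private key never
--    leaves this database.
CREATE CERTIFICATE CreateLoginSigningCert
    ENCRYPTION BY PASSWORD = 'Cert-Pa55w0rd-Change-Me'
    WITH SUBJECT = 'Signs adm.CreateTestUser so it may impersonate svc_create_login';
GO
-- 2. The procedure. QUOTENAME() keeps the login name and password inside the
--    generated DDL; EXECUTE AS LOGIN switches to the login that holds ALTER ANY LOGIN.
IF OBJECT_ID('adm.CreateTestUser', 'P') IS NOT NULL
    DROP PROCEDURE adm.CreateTestUser;
GO
CREATE PROCEDURE adm.CreateTestUser
    @Login    sysname,
    @Password nvarchar(128)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql nvarchar(max) =
          N'CREATE LOGIN ' + QUOTENAME(@Login)
        + N' WITH PASSWORD = ' + QUOTENAME(@Password, '''')
        + N', CHECK_EXPIRATION = OFF, CHECK_POLICY = OFF;';

    -- IMPERSONATE on svc_create_login is granted only to the certificate login,
    -- so this switch succeeds only while the signed procedure is executing.
    EXECUTE AS LOGIN = 'svc_create_login';
    BEGIN TRY
        EXEC sys.sp_executesql @sql;
        REVERT;
    END TRY
    BEGIN CATCH
        REVERT;   -- never leave the caller's session impersonating the service login
        THROW;    -- re-raise the original error (SQL Server 2012+)
    END CATCH
END;
GO
-- 3. Sign the procedure. Any later ALTER PROCEDURE drops the signature; re-run this step.
ADD SIGNATURE TO adm.CreateTestUser
    BY CERTIFICATE CreateLoginSigningCert
    WITH PASSWORD = 'Cert-Pa55w0rd-Change-Me';
GO
-- 4. Export the public key only (no WITH PRIVATE KEY) and import it into master.
BACKUP CERTIFICATE CreateLoginSigningCert
    TO FILE = 'C:\certs\CreateLoginSigningCert.cer';   -- path is an assumption
GO
USE master;
GO
CREATE CERTIFICATE CreateLoginSigningCert
    FROM FILE = 'C:\certs\CreateLoginSigningCert.cer';
CREATE LOGIN CreateLoginSigningCert_Login FROM CERTIFICATE CreateLoginSigningCert;
GO
-- 5. The login that really holds the server-level permission. Nobody logs in with it;
--    the only principal allowed to impersonate it is the certificate login.
CREATE LOGIN svc_create_login
    WITH PASSWORD = 'Svc-Pa55w0rd-Change-Me', CHECK_POLICY = ON;
GRANT ALTER ANY LOGIN TO svc_create_login;
GRANT IMPERSONATE ON LOGIN::svc_create_login TO CreateLoginSigningCert_Login;
GO
-- 6. Check that the signature is in place (an empty result means step 3 must be repeated).
USE AppDb;
GO
SELECT OBJECT_NAME(cp.major_id) AS signed_object, c.name AS certificate_name
FROM sys.crypt_properties AS cp
JOIN sys.certificates     AS c ON c.thumbprint = cp.thumbprint
WHERE cp.major_id = OBJECT_ID('adm.CreateTestUser');
GO
-- 7. Exercise it as the limited user (assumes login UserAdmin exists and is mapped
--    to a user in crl_admin, which has EXECUTE on schema adm).
EXECUTE AS LOGIN = 'UserAdmin';
EXEC adm.CreateTestUser @Login = 'test_user_01', @Password = 'T3st-Pa55w0rd!';
SELECT name FROM sys.server_principals WHERE name = 'test_user_01';   -- one row
-- Direct impersonation by UserAdmin fails: IMPERSONATE was never granted to him.
-- EXECUTE AS LOGIN = 'svc_create_login';
REVERT;
```

The pieces that matter for least privilege are that the certificate login in master carries a single permission (IMPERSONATE on one login), that svc_create_login is reachable only through the signed module, and that UserAdmin's own token never grows. After any redeploy of adm.CreateTestUser, step 3 and the query in step 6 are the regression check: the procedure will start failing with the same 'User does not have permission' error the moment its signature is gone.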