As a follow-up to our tweets, and to share this information with other users as well (maybe they have an idea):
If we have a user who has only the right GRANT ALTER ANY LOGIN, then this user is able to create a new login but cannot assign this new user to the sysadmin server role.
However, a user with GRANT ALTER ANY LOGIN can drop a user who is a member of the sysadmin server role, although just removing the user from that role doesn't work.
In my case this is still too much power.
For example: I try to give a user the permission to check if the server-side accounts are properly mapped to database users and, in case there's a missing mapping to a database user, allow him to map the login.
May you never suffer the sentiment of spending a day without any purpose.
@DirkHondong on Twitter
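
The following T-SQL is an added example, not part of the original post: it audits who can currently create or drop logins, runs the mapping check described above, and shows a database-scoped grant that covers the mapping step. The names `login_checker`, `AppDb` and `app_login` are hypothetical, and it assumes the checking account can already see other logins in `sys.server_principals` (for instance through VIEW ANY DEFINITION).

```sql
-- Added example; login_checker, AppDb and app_login are hypothetical names.

-- 1) Audit: which principals hold an explicit ALTER ANY LOGIN grant?
SELECT pr.name AS grantee, pr.type_desc, pe.state_desc, pe.permission_name
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = N'ALTER ANY LOGIN'
  AND pe.state IN ('G', 'W');   -- GRANT, or GRANT WITH GRANT OPTION

--    Members of the fixed server roles that can manage logins.
SELECT r.name AS server_role, m.name AS member
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'securityadmin');

-- 2) The check: enabled logins with no user in this database.
--    Assumption: the caller can see other logins in sys.server_principals.
USE AppDb;

SELECT sp.name AS login_without_user, sp.type_desc
FROM sys.server_principals AS sp
LEFT JOIN sys.database_principals AS dp
  ON dp.sid = sp.sid            -- login and user are linked by SID
WHERE sp.type IN ('S', 'U', 'G')  -- SQL login, Windows login, Windows group
  AND sp.is_disabled = 0
  AND sp.name NOT LIKE N'##%'   -- skip internal certificate-based logins
  AND dp.principal_id IS NULL;

-- 3) The mapping step needs a database permission, not a server one.
--    login_checker must already exist as a user in AppDb.
GRANT ALTER ANY USER TO login_checker;

-- Run as login_checker: map one login reported by the query in step 2.
CREATE USER app_login FOR LOGIN app_login;
```

ALTER ANY USER is scoped to the one database where it is granted, so the grant in step 3 has to be repeated in each database the account should maintain.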