Necessary Authorities for adding Logins

  • An internal audit has mandated that another group in my company perform the maintenace of server logins and database users. My question is what is the authorities that I need to grant to users in this team. I know that adding/deleting logins is satisifed by granting security admin as a server role. However, to add/delete database users and grant read, write database roles for a login, I found it necessary to grant a user on the team db_owner, db_accessadmin, db_securityadmin db_datareader, and db_datawriter in order that they could grant read, write to other users. I did not want to give that much authority to that team. Am I missing something here?

    Thank You for the help.

    Charles L. Nichols


    Charles L. Nichols

  • I didnt think you needed datareader/write, but I work in an environment small enough that I make all the changes and haven't needed to delegate. If you trust them enough to add users and grant access, don't you have to trust them all the way? Does this policy cover users added to existing NT groups that are authorized access?

    It's more work, but if you truly want to limit it to a subset of tasks, you can build a front end that only lets them do those tasks, inside the app connect with a sql login that uses a password returned from a proc that only those authorized users can execute, something along those lines. This is handy when you need to have inexperienced users doing high level tasks, not sure its a good solution for what you're doing here.

    Andy

    http://www.sqlservercentral.com/columnists/awarren/

Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic. Login to reply