July 22, 2011 at 9:44 am
Hi all
I recently added a new group to SQL and granted it Security Admin server role. I then restored a DB and mapped the database role security admin to the same group for that database.
When a user now tries to add a new user in the database he gets an error stating he doesn't have the right level of permissions to create a new user.
What am I doing wrong?
Thanks
July 22, 2011 at 10:33 am
Kwisatz78 (7/22/2011)
Hi all ... I then restored a DB and mapped the database role security admin to the same group for that database
How did you do this?
July 22, 2011 at 10:36 am
Look up Server-level Roles and Database-level Roles in Books Online.
If those two topics don't help, let us know.
July 29, 2011 at 3:03 am
Ok - seems like the following is required according to BOL
Requires ALTER ANY LOGIN or ALTER LOGIN permission on the server.
If the CREDENTIAL option is used, also requires ALTER ANY CREDENTIAL permission on the server.
July 29, 2011 at 6:07 am
Take a closer look at the database roles.
July 29, 2011 at 6:57 am
Hi Lynn
Yes I am still unable to create a login even with the Alter Any Login permission granted at server level. BoL says for db_securityadmin at the database level the following:
Members of the db_securityadmin fixed database role can modify role membership and manage permissions. Adding principals to this role could enable unintended privilege escalation.
So no mention of creating a login.
I have done a bit further testing and if I remove the db_securityadmin role from server and database level and leave the Alter Any Login permission then I can create a new login.
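Added example, not part of the original thread or written by any poster: a T-SQL check of which scope is missing the permission. CREATE LOGIN is checked against ALTER ANY LOGIN on the server, while CREATE USER is checked against ALTER ANY USER in the database, which db_accessadmin carries and db_securityadmin does not. `[RestoredDb]` is a placeholder name, and the script assumes it is run while connected as the affected user.

```sql
-- Added example. Run while connected as the affected user (a member of the group).
-- [RestoredDb] is a placeholder for the restored database.

-- Server scope: CREATE LOGIN is checked against ALTER ANY LOGIN.
SELECT SUSER_SNAME()                                    AS login_name,
       IS_SRVROLEMEMBER('securityadmin')                AS in_securityadmin,
       HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY LOGIN') AS has_alter_any_login;

USE [RestoredDb];

-- Database scope: CREATE USER is checked against ALTER ANY USER.
SELECT USER_NAME()                                                AS db_user,
       IS_MEMBER('db_securityadmin')                              AS in_db_securityadmin,
       IS_MEMBER('db_accessadmin')                                AS in_db_accessadmin,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'ALTER ANY USER') AS has_alter_any_user;

-- Effective "ALTER ANY ..." permissions the caller holds in this database.
SELECT permission_name
FROM sys.fn_my_permissions(NULL, 'DATABASE')
WHERE permission_name LIKE 'ALTER ANY%'
ORDER BY permission_name;

-- Role memberships stored inside the restored database, to confirm
-- which principal was actually mapped to which fixed role.
SELECT r.name      AS role_name,
       m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS drm
JOIN sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
WHERE r.name IN ('db_securityadmin', 'db_accessadmin', 'db_owner')
ORDER BY r.name, m.name;
```

A 0 in `has_alter_any_user` alongside a 1 in `in_db_securityadmin` means the role mapping took effect but does not cover creating database users.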