All Jnr DBA to Create Logins without using the sysadm / securityadmin role

  • Hi all,

    I'm looking at a way of allowing a Jnr DBA user to create sql logins and then map those logins to users to what could be one or many databases. Ideally i want to do this without giving them sysadmin rights.

    If i grant them the server level permission ALTER ANY LOGIN then they are able to create the login but not able to then map the login to a database. I think if i give the Jnr DBA user the ALTER USER permission then this would work but as this is a database level permission i didnt really wont to do this on every database.

    Any ideas would be much appriciated.

    Many thanks

    Frant

  • Looks to me that you may need to write a procedure that is granted the necessary privileges to accomplish this task for the Jr DBA's based on information they pass to the stored procedure.

    May I ask why you restrict the rights of the Junior DBA? To me a DBA is a DBA and needs the rights necessary to do the job and tasks assigned.

  • In this case i'm just using Jnr DBA as a title maybe i should have said co-worker. Currently the login creation task would be the only sql function they would be doing. Hence why i was reluctant to give them sysadmin rights

    Thanks

    frant101

  • I stick with my original suggestion, write a stored procedure that does the work with elevated permissions based on data passed into the procedure and give your co-worker execute permission to that stored procedure.

Viewing 4 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic. Login to reply