securityadmin role for you super gurus

  • Can someone tell me what permissions are given to the securityadmin fixed server role.  Specifically, what can a user with this role do and not do?

    Is there another way to grant someone the rights to manage security logins w/out the securityadmin role?

    We are working with Commerce Server and it requires users to have the administrator role, and being the disciplined DBAs that we are, we don't want them to have this godlike power.  So we are trying to minimize the privileges.   Anyone been through a similar situation? 

     

    I wish I had more questions

     

    Jeff


    "Keep Your Stick On the Ice" ..Red Green

  • The following procedures require securityadmin at least:

    sp_password

    sp_sqlagent_msx_account

    sp_revokelogin

    sp_remoteoption

    sp_defaultlanguage

    sp_helplogins

    sp_grantlogin

    sp_dropremotelogin

    sp_droplinkedsrvlogin

    sp_denylogin

    sp_addlinkedsrvlogin

    sp_defaultdb

    sp_droplogin

    sp_addlogin

    sp_validatelogins

    sp_addremotelogin

    The following statements also:

     

    GRANT ALL

    GRANT CREATE DATABASE

    Therefore you could either grant permissions to a special login (which I don't recommend) or the logins part of the app is handled only by the DBA (which is the way I would pursue).

    HTH

     


    * Noel

  • I've had this problem with a number of third-party applications over the years.  Generally it's because they expect their product to be the only database on your server and they have developed database administration functionality into their application.  They also tend to do this kind of thing when their install tries to create the database.  I have also seen situations where the application is trying to add logins.  And in one situation they said they needed sa because they didn't want to have to change their SQL Scripts to include the dbo preface!  Stupid reasons all.

    I am proud to state that I have never allowed the application to have sa rights.  They tend to hate it, but talk to the vendor and find out exactly what their application does that needs those rights.  Then you can do it yourself.  In most cases it's just a matter of running their scripts, but by not allowing them to run automatically it gives you a chance to go over them to be sure they aren't doing something stupid.

    /*****************

    If most people are not willing to see the difficulty, this is mainly because, consciously or unconsciously, they assume that it will be they who will settle these questions for the others, and because they are convinced of their own capacity to do this. -Friedrich August von Hayek

    *****************/
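
An added example, not code from any poster in this thread: a Python check that a DBA could run over a vendor's install script before executing it by hand, flagging the login procedures and GRANT statements listed in the second post. The function names and the sample script are constructed for illustration; comments are ignored, but string literals are kept so dynamic SQL is flagged too.

```python
import re

# Procedures the thread lists as needing at least securityadmin.
LOGIN_PROCS = set("""
sp_password sp_sqlagent_msx_account sp_revokelogin sp_remoteoption
sp_defaultlanguage sp_helplogins sp_grantlogin sp_dropremotelogin
sp_droplinkedsrvlogin sp_denylogin sp_addlinkedsrvlogin sp_defaultdb
sp_droplogin sp_addlogin sp_validatelogins sp_addremotelogin
""".split())

# A string literal, a -- line comment, or a /* */ block comment (not nested).
TOKEN = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/", re.S)
# A stored-procedure name, or one of the two GRANT statements from the thread.
FLAG = re.compile(r"\b(sp_\w+)\b|\bGRANT\s+(ALL|CREATE\s+DATABASE)\b", re.I)

def strip_comments(sql):
    """Blank out comments, keeping newlines so line numbers stay valid.
    String literals are kept: dynamic SQL in EXEC('...') must still be seen."""
    def repl(m):
        text = m.group(0)
        return text if text.startswith("'") else re.sub(r"[^\n]", " ", text)
    return TOKEN.sub(repl, sql)

def review(sql):
    """Return (line, item) for each statement the DBA should run by hand."""
    clean = strip_comments(sql)
    findings = []
    for m in FLAG.finditer(clean):
        line = clean.count("\n", 0, m.start()) + 1
        if m.group(1):
            name = m.group(1).lower()
            if name in LOGIN_PROCS:
                findings.append((line, name))
        else:
            findings.append((line, "GRANT " + " ".join(m.group(2).upper().split())))
    return findings

# Constructed sample, not a real vendor script.
SAMPLE = """\
/* vendor install script (constructed sample)
   EXEC sp_droplogin 'old'  -- inside a block comment, ignored */
CREATE TABLE dbo.Orders (id int)  -- sp_addlogin mentioned in a comment only
EXEC master..sp_addlogin 'app_user', 'x--y'
EXEC sp_helpdb
GRANT
  CREATE DATABASE TO app_user
EXEC('sp_defaultdb ''app_user'', ''Store''')
"""
```

Calling `review(SAMPLE)` returns the line number and name of each flagged item; procedures outside the thread's list, such as `sp_helpdb`, are not reported.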
