Re: SQL 2005 ALTER ANY LOGIN trouble
- From: "Laurentiu Cristofor [MSFT]" <Laurentiu.Cristofor@xxxxxxxxxx>
- Date: Fri, 12 Jan 2007 17:31:47 -0800
There are two types of principals in SQL Server - logins (server wide
principals) and users (database specific principals). Logins are used to
gain access to the server and can hold server level permissions. When you
connect to a specific database, your login will be mapped to a user. Users
can hold database specific permissions. At any point in time, what you can
do is determined by your login and user context.

When you impersonate a user, you only get the database context - no server
permissions will be available to that impersonated context. No errors are
given, because this isn't an error scenario - you just don't have
permissions under that specific context that you set up.

You can find more about EXECUTE AS and execution context from the
"Understanding Execution Context" article:
http://msdn2.microsoft.com/en-us/library/ms187096.aspx.

There is an execution context presentation I made that you might find
helpful at: http://cmcgc.com/Media/WMP/261115/. There are other security
presentations there as well.

Thanks
--
Laurentiu Cristofor [MSFT]
Software Development Engineer
SQL Server Engine
http://blogs.msdn.com/lcris/
This posting is provided "AS IS" with no warranties, and confers no rights.
"Ol Boldyrev" <olboldie@xxxxxxxxx> wrote in message
news:uaJhcYlNHHA.4720@xxxxxxxxxxxxxxxxxxxxxxx
Thank you, Erland, for your response!
That was my blunder indeed. Using 'as user' instead of 'as login'. (one
would expect an exception though, something about a missing user..)
It works OK with domain accounts, too.
Oleg
"Erland Sommarskog" <esquel@xxxxxxxxxxxxx> wrote in message
news:Xns98B63A1E1674Yazorman@xxxxxxxxxxxx
Ol Boldyrev (olboldie@xxxxxxxxx) writes:
That's what I'm doing:
1.
grant alter ANY login to [Domain\User]
which executes successfully. Then strange things begin to happen, .
And you were in master when you did this?
Was Domain\User added explicitly as login prior to this, or did it
have implicit access through a group?
For what it's worth, I was successful with this:
create login alteranylogin with password='cccccc'
grant alter any login to alteranylogin
execute as login = 'alteranylogin'
create login alteranylogin2 with password='cccccc'
revert
But this was an SQL login. Running on my home machine, it is somewhat
difficult to test with domain users.
--
Erland Sommarskog, SQL Server MVP, esquel@xxxxxxxxxxxxx
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
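
The login-versus-user distinction discussed in this thread, as an added T-SQL example that is not part of any poster's message: it compares the effective server permission under EXECUTE AS LOGIN and EXECUTE AS USER, then lists who holds the grants involved. The names demo_alter_login and demo_alter_user and the password are constructed placeholders, and tempdb is used only as a convenient database for the mapped user.

```sql
-- Added example. Principal names and the password are constructed placeholders.
USE master;
CREATE LOGIN demo_alter_login WITH PASSWORD = 'Constructed-Placeholder-1!';
GRANT ALTER ANY LOGIN TO demo_alter_login;   -- server-level permission, held by the login
GO
USE tempdb;
CREATE USER demo_alter_user FOR LOGIN demo_alter_login;  -- database principal mapped to it
GO

-- 1) Server-scoped impersonation: the login, and the server-level
--    permissions granted to it, are part of the execution context.
EXECUTE AS LOGIN = 'demo_alter_login';
SELECT 'EXECUTE AS LOGIN' AS context,
       SUSER_SNAME()      AS login_name,
       USER_NAME()        AS database_user,
       HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY LOGIN') AS alter_any_login;
REVERT;

-- 2) Database-scoped impersonation: per the reply above, only the database
--    context is obtained, so the server-level grant is not available here
--    and no error is raised when the context is switched.
EXECUTE AS USER = 'demo_alter_user';
SELECT 'EXECUTE AS USER'  AS context,
       SUSER_SNAME()      AS login_name,
       USER_NAME()        AS database_user,
       HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY LOGIN') AS alter_any_login;
-- Effective server-level permissions as seen from this context.
SELECT permission_name FROM sys.fn_my_permissions(NULL, 'SERVER');
REVERT;
GO

-- 3) Review: principals that can manage logins, and principals that may
--    impersonate another login (class SERVER_PRINCIPAL).
SELECT pr.name, pr.type_desc, pe.permission_name, pe.class_desc, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name IN ('ALTER ANY LOGIN', 'CONTROL SERVER')
   OR (pe.class_desc = 'SERVER_PRINCIPAL' AND pe.permission_name = 'IMPERSONATE');
GO

-- Cleanup of the constructed principals.
USE tempdb;
DROP USER demo_alter_user;
USE master;
DROP LOGIN demo_alter_login;
GO
```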