Re: Business Admin Permissions
- From: Erland Sommarskog <esquel@xxxxxxxxxxxxx>
- Date: Tue, 30 Oct 2007 22:25:18 +0000 (UTC)
(cbtechlists@xxxxxxxxx) writes:
> I want to create an admin (.NET) tool that will allow the business
> administrator to do the following without needing help from IT:
> * create new server logins that only have access to the myApp
>   database
> * delete user/login accounts from the database/server
> * add/delete users from roles in the myApp database
> * reset passwords of users in the myApp database only
> * enable accounts that have been locked out because their password
>   expired
> How do I allow the business admin to do these things without 'over-
> granting' them permissions on the server? I don't want them to be able
> to screw with other databases or logins on the box.
Use stored procedures that perform the precise task the admin needs to
do, and then sign the procedures with certificates, and then you create
users/logins from the certificates and grant those users/logins the
privs needed.
I describe this in detail in an article on my web site:
http://www.sommarskog.se/grantperm.html.
--
Erland Sommarskog, SQL Server MVP, esquel@xxxxxxxxxxxxx
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
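
The approach described in the reply above, worked through for one of the listed tasks (password reset plus unlock), as an added example that is not part of the original post or of the linked article. The certificate, login, procedure and role names, the file paths and the passwords are placeholders chosen for illustration.

```sql
-- Added example: all names, paths and passwords below are placeholders.
USE master;
CREATE CERTIFICATE LoginAdminCert
    ENCRYPTION BY PASSWORD = '<cert-password>'
    WITH SUBJECT = 'Signs myApp login-admin procedures';
CREATE LOGIN LoginAdminCertLogin FROM CERTIFICATE LoginAdminCert;
-- The server-level permission goes to the certificate login, never to the business admin.
GRANT ALTER ANY LOGIN TO LoginAdminCertLogin;
-- Copy the certificate and its private key into the application database.
BACKUP CERTIFICATE LoginAdminCert TO FILE = '<path>\LoginAdminCert.cer'
    WITH PRIVATE KEY (FILE = '<path>\LoginAdminCert.pvk',
                      ENCRYPTION BY PASSWORD = '<file-password>',
                      DECRYPTION BY PASSWORD = '<cert-password>');
GO
USE myApp;
CREATE CERTIFICATE LoginAdminCert FROM FILE = '<path>\LoginAdminCert.cer'
    WITH PRIVATE KEY (FILE = '<path>\LoginAdminCert.pvk',
                      DECRYPTION BY PASSWORD = '<file-password>',
                      ENCRYPTION BY PASSWORD = '<cert-password>');
GO
CREATE PROCEDURE dbo.ResetAppUserPassword
    @login sysname, @newpwd nvarchar(128)
AS
BEGIN
    SET NOCOUNT ON;
    -- Accept only SQL logins mapped to an ordinary user in this database;
    -- principal_id > 4 keeps out dbo, so the database owner's login cannot be reset.
    IF NOT EXISTS (SELECT 1 FROM sys.database_principals dp
                   JOIN sys.server_principals sp ON sp.sid = dp.sid
                   WHERE sp.name = @login AND sp.type = 'S'
                     AND dp.type = 'S' AND dp.principal_id > 4)
    BEGIN
        RAISERROR('Login %s is not a SQL login mapped to a user in this database.', 16, 1, @login);
        RETURN 1;
    END
    DECLARE @sql nvarchar(max);
    -- QUOTENAME on both values so neither can break out of the statement.
    SET @sql = N'ALTER LOGIN ' + QUOTENAME(@login) +
               N' WITH PASSWORD = ' + QUOTENAME(@newpwd, '''') + N' UNLOCK';
    EXEC (@sql);
END
GO
ADD SIGNATURE TO dbo.ResetAppUserPassword
    BY CERTIFICATE LoginAdminCert WITH PASSWORD = '<cert-password>';
-- Without the private key nobody can sign further procedures with this certificate.
ALTER CERTIFICATE LoginAdminCert REMOVE PRIVATE KEY;
GRANT EXECUTE ON dbo.ResetAppUserPassword TO BusinessAdminRole;
```

Altering the procedure drops its signature, so it has to be signed again after every change. Delete the exported certificate and key files once the copy into myApp is done.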