我有以下情况:我的用户以没有权限的用户身份连接到 SQL Server,然后他授权应用程序角色。是否可以配置应用程序角色以允许他在已通过身份验证时添加 MSSQL 登录名和数据库用户?
问问题
127 次
1 回答
1
The short answer seems to be no for the logins, at least without setting a trace flag. According to the documentation:
In SQL Server, application roles cannot access server-level metadata because they are not associated with a server-level principal. To disable this restriction and thereby allow application roles to access server-level metadata, set the global flag 4616
I'm not sure why you want to use an application role here anyway: if you trust people enough to let them manage SQL Server security then you might as well just give them securityadmin permissions directly.
It's common practice for trusted administrators to have two Windows or SQL Server logins, e.g. SomeUser and SomeUserAdmin. Only the admin account has permissions to manage security, so they can do most of their work with a normal account without special privileges, and use their admin account only when necessary.
于 2012-12-18T16:15:13.533 回答