0

I have a database role named app_user with select, update, insert and delete rights on all tables except 2. On this 2 tables app_user role has only select right.

But, some users have right to create database users (using create login, sp_adduser, sp_addrolemember). To be able to execute this procedures they must have sysadmin server role. In this case sysadmin role is over database role app_user and they can update this 2 tables. Currently, I'm giving them securityadmin role but they can execute only create login while creating db users.

To summarize, I want to protect updating 2 tables for all users except my sysadmin account, and I want some users to be able to create database users (my app executes sp which grant db permission for that kind of users).

4

1 回答 1

0

您可能会在 DBA 站点上得到更好的答案,但看起来您希望允许用户执行 3 个命令:CREATE LOGINCREATE USERsp_addrolemember因为ALTER ROLE无法将成员添加到 SQL Server 2008 中的角色)。

根据文档,所需的最低权限是:

  • CREATE LOGIN-ALTER (ANY) LOGIN
  • CREATE USER-ALTER ANY USER
  • sp_addrolemember-ALTER角色权限

因此,如果您授予他们上面列出的权限,他们不应该需要任何一个sysadmin或权限。db_owner

于 2013-03-21T16:39:16.363 回答