Permission to grant access to database

• Robin35

  SSCertifiable

  Points: 6471

  More actions

  February 14, 2017 at 7:28 am

  #401616

  Hi,

  I hae a project to automatically assign permissions to users if there is any database release. I would like to add the account to the application and this account should have permissions to grant other users data_reader, data_writer,ddlAdmin or db_owner permissions on individual databases. I was wondering what permissions this account should have to grant other users permissions to databases ?

  Please let me know if you need more details.

  Thanks in advance

• Thom A

  SSC Guru

  Points: 99009

  More actions

  February 14, 2017 at 8:55 am

  #1928392

  Didn't you ask that question here? https://qa.sqlservercentral.com/Forums/1841691/User-permission-to-grant-access

  You have answers to that question there already, what's wrong with those? If you have further questions, you should reply to your existing topic, rather than start a new one.

  Thom~

  Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
  Larnu.uk

• Robin35

  SSCertifiable

  Points: 6471

  More actions

  February 14, 2017 at 9:45 am

  #1928408

  Thom A - Tuesday, February 14, 2017 8:55 AM

  Didn't you ask that question here? https://qa.sqlservercentral.com/Forums/1841691/User-permission-to-grant-access

  You have answers to that question there already, what's wrong with those? If you have further questions, you should reply to your existing topic, rather than start a new one.

  Sorry. I lost track of it and also answers in that thread assigning db_securityadmin is unable to grant db_owner permissions on databases. do you want me to close this and continue other thread ?

• Thom A

  SSC Guru

  Points: 99009

  More actions

  February 14, 2017 at 10:41 am

  #1928427

  Robin35 - Tuesday, February 14, 2017 9:45 AM

  Thom A - Tuesday, February 14, 2017 8:55 AM

  Didn't you ask that question here? https://qa.sqlservercentral.com/Forums/1841691/User-permission-to-grant-access

  You have answers to that question there already, what's wrong with those? If you have further questions, you should reply to your existing topic, rather than start a new one.

  Sorry. I lost track of it and also answers in that thread assigning db_securityadmin is unable to grant db_owner permissions on databases. do you want me to close this and continue other thread ?

  The only users who can assign the db_owner role is a user who is db_owner. And a db_owner can do what ever they like in that database.

  Thom~

  Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
  Larnu.uk

• Perry Whittle

  SSC Guru

  Points: 233792

  More actions

  February 14, 2017 at 10:47 am

  #1928430

  Robin35 - Tuesday, February 14, 2017 9:45 AM

  Thom A - Tuesday, February 14, 2017 8:55 AM

  Didn't you ask that question here? https://qa.sqlservercentral.com/Forums/1841691/User-permission-to-grant-access

  You have answers to that question there already, what's wrong with those? If you have further questions, you should reply to your existing topic, rather than start a new one.

  Sorry. I lost track of it and also answers in that thread assigning db_securityadmin is unable to grant db_owner permissions on databases. do you want me to close this and continue other thread ?

  providing grant with grant to these permissions is a massive security risk, do you absolutely trust these accounts is the first question?

  -----------------------------------------------------------------------------------------------------------

  "Ya can't make an omelette without breaking just a few eggs" 😉

• Eric M Russell

  SSC Guru

  Points: 125255

  More actions

  February 14, 2017 at 11:41 am

  #1928446

  What you're describing is essentially a proxy account with sysadmin membership. Only the DBA should have credentials for this. What's more concerning is granting user accounts db_owner membership in a production environment. Users should only own databases in development.

  "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

• Robin35

  SSCertifiable

  Points: 6471

  More actions

  February 14, 2017 at 12:37 pm

  #1928468

  Thom A - Tuesday, February 14, 2017 8:55 AM

  Didn't you ask that question here? https://qa.sqlservercentral.com/Forums/1841691/User-permission-to-grant-access

  You have answers to that question there already, what's wrong with those? If you have further questions, you should reply to your existing topic, rather than start a new one.

  Sorry. I lost track of it and also answers in that thread assigning db_securityadmin is unable to grant db_owner permissions on databases. do you want me to close this and continue other thread ? 

  ok thanks everyone. We maintain and own the account, so password for this account is stored securely. We only grant dbo permissions when there is a release, once the release is complete we will revoke it from application based on the release duration provided by the application team. Whole purpose of this project is to automate the permission grating stuff.