Seeking some recommendations on how to handle a SQL account, that will be creating additional SQL accounts in the future…
Scenario:
Our Admin production app connects to SQL using an account called: Admin_Main, as stated in the connection string. When somebody creates a new user in the Admin app and assigns them a Reporting license, a new SQL Account is created on the instance, for the new user. The Admin_Main account is used to create this account.
I, of course, do not want to add more permissions to the Admin_Main account than needed, so my question is;
What are the permissions that I should add to this account, so that it's able to create new SQL Server accounts, but doesn't have Admin permissions on the instance?
Thanks in advance!
Best Answer
You could assign the server role
securityadmin
to the Admin_Main account.The
securityadmin
server role is documented as:Reference: Server-Level Roles (Microsoft | Docs)
Let's give that a try and see how far we can get...
Creating SQL Server Login Admin_Main
We'll create a new SQL Server Login and assign that user the
securityadmin
server role:This is all done with an account that has the
sysadmin
server role and the result is:Login With Admin_Main
You can then open up a new database query window using the Admin_Main SQL Serer Login and the corresponding password. Once you have done that...
Assigning Higher Privileges
...your new user is certainly going to try and increase his/her privileges by adding himself/herself to the
sysadmin
server role:This results in the following:
So the SQL Server Login can't assign himself higher privileges.
Creating a New User (Or: How Far Can I Get?)
Seeing as the Admin_Main is now allowed to create new SQL Server Logins, let's create a new user while still logged in as Admin_Main and add some server level roles. We'll do this in multiple steps to find out when assigning SQL Server roles will fail:
Create Login
Input
Output
Assign securityadmin Role
Input
Output
Assign sysadmin SQL Server Role
Input
Output
Conclusion
You will have to assign the SQL Server role
securityadmin
to the Admin_Main SQL Server Login to allow this account to create new SQL Server Logins and/or Windows Authenticated SQL Server Logins....and you can't assign permissions/privileges to other accounts that your initial accounts doesn't already possess.