I am a server securityAdmin.
The securityAdmin role should be treated as equivalent to the sysadmin role, according to Microsoft, but I failed to do below 2 things
- make myself as sysAdmin
- grant myself write right to a database. (currently in db_denydatawriter role )
Did I miss anything?
Thanks
UPDATE
per RDFozz's comment, I was able to add a new 'dummy' login, but failed to set this login as a user of this database.
UPDATE 2 — final script that works!
sepupic's answer is great! following his instruction, here is the SQL.
first, use myLogin to create a new super_user.
CREATE LOGIN [super_login] WITH PASSWORD=N'yourPassword'
GRANT CONTROL SERVER TO [super_login]
Grant IMPERSONATE ON LOGIN::[sa] TO [super_login]
then login with the super_login, run this.
Execute as login = 'sa'
ALTER ROLE [db_denydatawriter] DROP MEMBER [mylogin]
--ALTER ROLE [db_owner] add MEMBER [mylogin]
ALTER server ROLE [sysadmin] add MEMBER [mylogin]
Revert
Best Answer
All the above is wrong.
Secutiry adminis notsysadmin, if it was so for what purpose 2 different server roles were created?Security adminhas these 3 permissions at server level:CONNECT SQLALTER ANY LOGINVIEW ANY DATABASECONNECT SQLandVIEW ANY DATABASEpermissions are granted topublic, so there is only one additional permission,ALTER ANY LOGIN.At the database level this role adds you the possibility to grant permissions to other users, but you don't have
alter any user/alter any role, so you cannot add yourself or any other user to database role.The phrase
in my opinion means the following:
security admincan elevate his permissions tosysadminin some way.I can give you an idea of this "way".
If you are
security adminyou can create SQL Server login ( I'll call himsuper_login) and grant himCONTROL SERVERpermission.The next step is to log in as
super_loginand give all the permissions you want to your login. You can make yourselfdb_ownerof the database where now you aredb_datadenywriter, or drop yourself fromdb_datadenywriteror merely add your login tosysadminfixed server role.