
Monday, March 26, 2012

Permissions to See Server Logins/Create Database Users

Our company has 2 Database Roles (DBE and DBA). The DBE creates database schema, performs SQL Server Administration, and manages server security. The DBA writes data access, ETL, and manages database security. In 2005, we're struggling with how to allow the DBA to see all of the logins on the server in order to add them as users of their database. What permissions does the DBA need to select from any of the logins on the server to add them to their database?

Michelle

Note that to add a user to a database, the dba does not need to be able to see the login's metadata - he only needs to know the login's name.

To see the information about a login, you need VIEW DEFINITION permission on that login.

To see information about all logins, you would need VIEW ANY DEFINITION permission, but this permission allows you to see more than just login information, so I don't recommend granting this permission. Instead, you can look at creating a procedure to return the necessary login information and sign the procedure with a certificate that has VIEW ANY DEFINITION permission.

Thanks
Laurentiu
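
The signed-procedure approach described in the reply above, as an added T-SQL example that is not part of the original thread. The certificate, login and procedure names, the DBA login `DbaLogin`, and the password placeholder are all hypothetical.

```sql
-- Added example: every object name and the password below are placeholders.
USE master;
GO
-- 1. Certificate whose private key will sign the procedure.
CREATE CERTIFICATE LoginListCert
    ENCRYPTION BY PASSWORD = '<replace-with-strong-password>'
    WITH SUBJECT = 'Signs dbo.ListServerLogins';
GO
-- 2. Login mapped to the certificate. It cannot be used to connect;
--    it exists only to hold the server-level permission.
CREATE LOGIN LoginListCertLogin FROM CERTIFICATE LoginListCert;
GRANT VIEW ANY DEFINITION TO LoginListCertLogin;
GO
-- 3. Procedure that exposes only the login columns the DBA needs.
CREATE PROCEDURE dbo.ListServerLogins
AS
    SET NOCOUNT ON;
    SELECT name, type_desc, is_disabled
    FROM sys.server_principals
    WHERE type IN ('S', 'U', 'G')   -- SQL logins, Windows logins, Windows groups
    ORDER BY name;
GO
-- 4. Sign the procedure. While it runs, the certificate login's
--    VIEW ANY DEFINITION is added to the caller's permissions.
ADD SIGNATURE TO dbo.ListServerLogins
    BY CERTIFICATE LoginListCert
    WITH PASSWORD = '<replace-with-strong-password>';
GO
-- 5. Drop the private key so the certificate cannot sign other modules.
ALTER CERTIFICATE LoginListCert REMOVE PRIVATE KEY;
GO
-- 6. Give the DBA's login (assumed name) a user in master and EXECUTE only.
CREATE USER DbaLogin FOR LOGIN DbaLogin;
GRANT EXECUTE ON dbo.ListServerLogins TO DbaLogin;
GO
```

Altering the procedure drops its signature, so any later change means signing it again; once the private key has been removed in step 5, that requires recreating the certificate and its login.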


Permissions to See Server Logins/Create Database Users

Our company has 2 Database Roles (DBE and DBA). The DBE creates database
schema, performs SQL Server Administration, and manages server security. The
DBA writes data access, ETL, and manages database security. In 2005, we're
struggling with how to allow the DBA to see all of the logins on the server
in order to add them as users of their database. What permissions does the
DBA need to select from any of the logins on the server to add them to their
database?

Michelle (Michelle@.discussions.microsoft.com) writes:
> Our company has 2 Database Roles (DBE and DBA). The DBE creates database
> schema, performs SQL Server Administration, and manages server security.
> The DBA writes data access, ETL, and manages database security. In 2005,
> we're struggling with how to allow the DBA to see all of the logins on
> the server in order to add them as users of their database. What
> permissions does the DBA need to select from any of the logins on the
> server to add them to their database?

VIEW ANY DEFINITION is the simplest - then the DBA will see all logins.
But he will also see other logins.

The other alternative is to grant VIEW DEFINITION on the logins he should
be permitted to play with.

Curiously there is no VIEW ANY LOGIN. There is ALTER ANY LOGIN, but that
would give the DBA permissions he should not have.

Erland Sommarskog, SQL Server MVP, esquel@.sommarskog.se
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pr...oads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodin...ions/books.mspx

Wednesday, March 21, 2012

Permissions needed to run SSIS Package

If one of our SSIS packages fails because of a communication problem with the backend, and the DBA is not available, my boss wants another individual (probably a senior programmer but not an "sa" type) to be able to re-run the job.

What is the "right" way to do this under SSIS\ sql 2005?

TIA,

barkingdog

this link might help: http://support.microsoft.com/kb/918760/en-us

Monday, March 12, 2012

permissions for SQL admin

Hi,
I got a challenging question from my DBA: he set up some auditing
procedure to check all the user computers to see the versions of small
applications. This is done through a stored procedure under one DB called
auditing. Basically, he said when this stored procedure runs, the script runs
and gets all the version information from user boxes. And, as he said, this
needs domain admin rights to run because this script actually grabs
information from all user computers.
Please advise what is the best, suitable rights rather than domain admin
rights in order for this undertaking to be carried out.
Thanks.

If you want to run that procedure on a schedule you will have to grant
the SQL Agent account the appropriate permissions. If you want to run
that ad hoc, you will have to make sure that the current user, if
authenticated with Windows authentication, is privileged to the
operations on the client, if the user is authenticated with SQL Server
authentication that the SQL Server service account is privileged to
run the operations on the client.
HTH, Jens K. Suessmeyer.
http://www.sqlserver2005.de