Administrator Permissions
Login using administrator credentials and create a new user on managed system using the following command:
CREATE LOGIN <USER> WITH PASSWORD = '<PASSWORD>'
The following are the minimum permissions required for Microsoft SQL Server user based on the operations:
Note
Service accounts must have Grant access to revoke permissions.
Test Connection
grant Connect SQL to [user]
Note
In order to access databases, service account must have user mapping on the databases with public role defined.
Aggregation
use [master]
GO
grant Connect SQL to [user]
grant view any database to [user]
grant view any definition to [user]
grant connect any database to [user]
Enable/Disable User
grant alter any login to [user]
Change Password
grant alter any login to [user]
Delete Account
grant alter any login to [user]
Delete Role
use [database name]
create user [username] for login [server login name]
grant alter any role to [username]
Create Account
grant alter any login to [user]
Create Role
use [database name]
create user [username] for login [server login name]
grant alter any role to [username]
To perform any operation on a database, the service account must have database user on the specific database.
use [database name]
create user [username] for login [server login name]
exec sp_addrolemember db_owner, [username]
User must have proper server role assignments to assign the same role to another user.
For example, if administrator has granted Role1, Role2, Role3 roles to user A then, user A can grant only Role1, Role2, Role3 to any other user. User A cannot assign other roles apart from the roles assigned to it.
Above mentioned permissions are required for adding and removing entitlements.
Revoke Permissions
To revoke permissions, the service account must have Grant access to those permissions. For example, if the service account (user) wants to revoke ‘X’ permission for any other user, it must have the Grant access to the ‘X’ permission.