Administrator Permissions

CREATE LOGIN <USER> WITH PASSWORD = '<PASSWORD>'

The following minimum permissions are required for Microsoft SQL Server service accounts (user) based on the operations:

Test Connection

grant Connect SQL to [user]

Note
In order to access databases, service account must have user mapping on the databases.

Aggregation

use [master]

grant Connect SQL to [user]

grant view any database to [user]

grant view any definition to [user]

grant connect any database to [user]

Enable/Disable User

grant alter any login to [user]

Change Password

grant alter any login to [user]

Delete Account

grant alter any login to [user]

Delete Role

use [database name]

create user [username] for login [server login name]

grant alter any role to [username]

Create Account

grant alter any login to [user]

Create Role

use [database name]

create user [username] for login [server login name]

grant alter any role to [username]

To perform any operation on a database, the service account must have database user on the specific database.

use [database name]

create user [username] for login [server login name]

exec sp_addrolemember db_owner, [username]

User must have proper server role assignments to assign the same role to another user.

For example, if administrator has granted Role1, Role2, Role3 roles to user A then, user A can grant only Role1, Role2, Role3 to any other user. User A cannot assign other roles apart from the roles assigned to it.

Above mentioned permissions are required for adding and removing entitlements.

Revoke Permissions

To revoke permissions, the service account must have Grant access to those permissions. For example, if the service account (user) wants to revoke ‘X’ permission for any other user, it must have the Grant access to the ‘X’ permission.

Note
To revoke server-level permissions, such as CONNECT SQL, the service account must have the necessary admin-level permissions. For example, if you want to revoke the CONNECT SQL permission for any user with a service account (a user with minimum permissions), the service account must have either the CONTROL SERVER permission or have a membership of the sysadmin fixed server role.

Feedback is provided as an informational resource only and does not form part of SailPoint's official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.


	You are here:

Administrator Permissions

Test Connection

Aggregation

Enable/Disable User

Change Password

Delete Account

Delete Role

Create Account

Create Role

Revoke Permissions

Documentation Feedback