I have secured databases that are used by many users with different levels of security. A few users need Admins permissions so that they can add other users. I do not, however, want even these users being able to modify the design of any objects in the database. To prevent this I have AllowByPassKey set to false.
The problem is, in the event of someone finding out how to re-enable the bypass key, they can then get in and assign permissions to themsleves to allow them to modify the design of objects in the database. It seems crazy to me that there does not seem to be any way of allowing users to add other users but prevent them from assigning additional permissions to themselves. Surely, as database owner, I should have the ability to completely prevent other users from doing this.
Does anyone know of a way of doing this, i.e. allowing users to add other users to an existing group but not CHANGE permissions or modify database objects? Have fun!
)
Alex Middleton
The problem is, in the event of someone finding out how to re-enable the bypass key, they can then get in and assign permissions to themsleves to allow them to modify the design of objects in the database. It seems crazy to me that there does not seem to be any way of allowing users to add other users but prevent them from assigning additional permissions to themselves. Surely, as database owner, I should have the ability to completely prevent other users from doing this.
Does anyone know of a way of doing this, i.e. allowing users to add other users to an existing group but not CHANGE permissions or modify database objects? Have fun!
)Alex Middleton
