Set login_mode to Standard for a user

0

I see where you can set the login_mode database option to standard, integrated but that is for the entire database. Is there a way to manage login_mode at the user level? I'd like to prevent certain database users(mainly those with elevated, dba type privileges) from using integrated login, only user id and password. I don't want the users to map the elevated database user account to a windows account to keep them from logging into our application with the elevated user account.

Any experience with this? Or, should I be looking at this a different way?

Appreciate the help.

asked 06 Sep '19, 09:21

user2359's gravatar image

user2359
1566614
accept rate: 100%

One Answer:
active answersoldest answersnewest answerspopular answers
1

I guess you are using integrated logins for Windows groups, right?

So I guess you have to

  • either exclude those users from the according Windows group,

  • or add a second integrated login for a different Windows group to a different database user, and put those undesired users in the second group: When an OS user belongs to multiple groups which have integrated login mappings to different database users, they cannot connect via integrated logins, as documented here...

permanent link

answered 06 Sep '19, 09:33

Volker%20Barth's gravatar image

Volker Barth
39.3k354538808
accept rate: 33%

converted 06 Sep '19, 09:33

Volker, thank you. We do not use Windows user groups with integrated login. We map one Windows user account to a db user.

ex. grant integrated login to "domain\user.name" as user dbuser1;

Problem is we don't have control over the domain and/or active directory.

But, this is interesting and an approach we have not considered.

(06 Sep '19, 10:06) user2359
Replies hidden

Well, if you do not map Windows groups but map each individual Windows user, why do you map those undesired Windows users to integrated logins? In my understanding, you could simply drop the mapping for those...

(06 Sep '19, 10:21) Volker Barth

Well, we have personnel at the remotes and they can do things like map accounts.

We could ask them not to do that. That's probably a good place to start.

(06 Sep '19, 10:29) user2359
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×27
×23

question asked: 06 Sep '19, 09:21

question was seen: 1,059 times

last updated: 06 Sep '19, 10:29

Related questions

Whose permissions are checked for a procedure with SQL SECURITY DEFINER and client-side reads?

[closed] Enhance DBUNLOAD to ignore obsolete system database options

Interactive Login Username

Need to access table from other user

How to set a password via SQL Remote passthrough mode for an older remote

how to know servername of my database ?

Query between 2 tables into different databases

ianywhere 8 Error

How to see date a user was created in Sybase using a select statement?

SA 17.0.10: The list of active users who are currently connected in the database