Solved

Creating IAM users via an EndProduct

  • 27 January 2020
  • 1 reply
  • 273 views

The users in our EndProduct can create employees for their company within the application. We have a task that creates a relation + an employee record.

In addition to creating an employee we would like to be able to create an IAM user with the information and credentials the user has supplied. So we made a subroutine called ‘create_iam_user’. This subroutine does inserts/updates on the IAM database. After creating an employee record the subroutine will be executed. But when it does, we get the following error in return.

The users in our EndProduct have no rights on the IAM database and the ‘User Admin’ rights are not granted.

I tried altering the procedure to execute it as OWNER or as a SQL login that does have ‘User Admin’ rights.

After changing the procedure the execution (via SSMS) of the procedure succeeded with a SQL login that has no IAM rights.

However when trying to execute the procedure via the EndProduct user we still receive an error.

Why doesn’t the ‘EXECUTE AS’ method work when executing the procedure via the GUI? We started the application via the Win GUI in combination with Indicium.

Best answer by Frank Wijnhout 29 January 2020, 16:14

1 reply

Hi Kevin, I am not completely sure whether this would work anyway. It would be a security leak?

In general I prefer a different solution. When linking to another database I prefer not to do that directly, but I would create a queue in your application. The user will have rights to this queue. In the background I would schedule a procedure that copies the user from the queue to IAM. This is done by an account with the proper rights. Advantages are:

  1. More secure
  2. When the 'other’ database (IAM in this case) is offline, your system will still work. (okay, when it is IAM, it won't)
  3. No hassle with impersonation

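The queue-based hand-off Frank describes, written out as T-SQL. This is an added example, not code from the original thread or from the Thinkwise platform. Everything below is an assumption for illustration: the application database is called `app`, the IAM database `iam`, the IAM-side target table `iam.dbo.usr` with columns `usr_id`, `name` and `email` is a placeholder and not the real IAM schema, and `app_users` is an assumed database role for the EndProduct users.

```sql
-- Added example (not from the original post). Assumed names: database "app"
-- (the EndProduct database), database "iam", placeholder target table
-- iam.dbo.usr (usr_id, name, email) and role app_users.
USE app;
GO

-- 1. Queue table in the application database. The EndProduct user needs no
--    rights in IAM at all; the row is picked up later by a privileged job.
--    Deliberately no password column: a queue table that a privileged job
--    reads should not hold plaintext credentials. Let IAM set or reset the
--    initial password through its own mechanism instead.
CREATE TABLE dbo.iam_user_queue (
    queue_id     int IDENTITY(1,1) PRIMARY KEY,
    employee_id  int           NOT NULL,
    usr_id       nvarchar(100) NOT NULL,
    display_name nvarchar(200) NOT NULL,
    email        nvarchar(320) NOT NULL,
    requested_by nvarchar(128) NOT NULL DEFAULT ORIGINAL_LOGIN(),
    requested_at datetime2     NOT NULL DEFAULT SYSUTCDATETIME(),
    processed_at datetime2     NULL,
    error_text   nvarchar(max) NULL
);
GO

-- 2. Enqueue procedure, called from the application task right after the
--    employee record has been created. Runs with the caller's own rights,
--    so no EXECUTE AS is needed.
CREATE PROCEDURE dbo.enqueue_iam_user
    @employee_id int, @usr_id nvarchar(100),
    @display_name nvarchar(200), @email nvarchar(320)
AS
BEGIN
    SET NOCOUNT ON;
    INSERT dbo.iam_user_queue (employee_id, usr_id, display_name, email)
    VALUES (@employee_id, @usr_id, @display_name, @email);
END
GO

-- 3. Background processor, scheduled (for example as a SQL Agent job) under
--    an account that has the required rights in IAM. Each row is handled in
--    its own transaction so one failure does not block the rest of the queue.
CREATE PROCEDURE dbo.process_iam_user_queue
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @queue_id int, @usr_id nvarchar(100),
            @display_name nvarchar(200), @email nvarchar(320);

    DECLARE c CURSOR LOCAL FAST_FORWARD FOR
        SELECT queue_id, usr_id, display_name, email
        FROM dbo.iam_user_queue
        WHERE processed_at IS NULL
        ORDER BY queue_id;
    OPEN c;
    FETCH NEXT FROM c INTO @queue_id, @usr_id, @display_name, @email;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        BEGIN TRY
            BEGIN TRANSACTION;
            -- Idempotent: a retried row must not create a duplicate IAM user.
            IF NOT EXISTS (SELECT 1 FROM iam.dbo.usr WHERE usr_id = @usr_id)
                INSERT iam.dbo.usr (usr_id, name, email)
                VALUES (@usr_id, @display_name, @email);
            UPDATE dbo.iam_user_queue
               SET processed_at = SYSUTCDATETIME(), error_text = NULL
             WHERE queue_id = @queue_id;
            COMMIT;
        END TRY
        BEGIN CATCH
            IF @@TRANCOUNT > 0 ROLLBACK;
            -- Keep the row unprocessed and record why, so the next run retries it
            -- and an operator can see what went wrong (e.g. IAM offline).
            UPDATE dbo.iam_user_queue
               SET error_text = ERROR_MESSAGE()
             WHERE queue_id = @queue_id;
        END CATCH
        FETCH NEXT FROM c INTO @queue_id, @usr_id, @display_name, @email;
    END
    CLOSE c;
    DEALLOCATE c;
END
GO

-- 4. Least privilege: the application role may only enqueue. Nobody in the
--    EndProduct gets rights on the queue table itself or on IAM.
GRANT EXECUTE ON dbo.enqueue_iam_user TO app_users;
GO
```

Note on the "no hassle with impersonation" point: an EXECUTE AS context established inside a stored procedure is only trusted within the database that owns the procedure; reaching into another database under that context additionally requires that database to be marked TRUSTWORTHY or the module to be signed with a certificate that also has a login in the target database. The queue approach sidesteps that entirely, because the only principal that ever writes to IAM is the job account.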