Solved

Creating IAM users via an EndProduct

  • January 27, 2020
  • 1 reply
  • 287 views

K.Bakkenes
Captain

The users in our EndProduct can create employees for their company within the application. We have a task that creates a relation + an employee record.

In addition to creating an employee we would like to be able to create an IAM user with the information and credentials the user has supplied. So we made a subroutine called ‘create_iam_user’. This subroutine does inserts/updates on the IAM database. After creating an employee record the subroutine will be executed. But when it does, we get the following error in return.

The users in our EndProduct have no rights on the IAM database and the ‘User Admin’ rights are not granted.

I tried altering the procedure to execute it as OWNER or as a SQL login that does have ‘User Admin’ rights.

After changing the procedure the execution (via SSMS) of the procedure succeeded with a SQL login that has no IAM rights.

However when trying to execute the procedure via the EndProduct user we still receive an error.

Why doesn’t the ‘EXECUTE AS’ method work when executing the procedure via the GUI? We started the application via the Win GUI in combination with Indicium.

Best answer by Frank Wijnhout

1 reply

Frank Wijnhout
Thinkwise blogger

Hi Kevin, I am not completely sure if this would work anyway. It would be a security leak?

In general I prefer a different solution. When linking to another database I prefer not to do that directly, but I would create a queue in your application. The user will have rights to this queue. In the background I would schedule a procedure that copies the user from the queue to IAM. This is done by an account with the proper rights. Advantages are:

  1. More secure
  2. When the 'other' database (IAM in this case) is offline, your system will still work. (okay, when it is IAM, it won't)
  3. No hassle with impersonation
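The queue hand-off Frank describes, sketched as T-SQL. This is an added example, not code from the thread or from Thinkwise; the IAM table `IAM.dbo.usr`, the application role `app_user_role` and the queue/procedure names are assumptions, and the password is deliberately not queued (the IAM-side account creation is where credentials belong).

```sql
-- Constructed example of the queued hand-off described in the answer. Assumed
-- names: IAM database [IAM] with table dbo.usr, application role app_user_role.
-- 1. The queue lives in the application database, so EndProduct users never
--    need rights on IAM. Only the request is recorded here.
CREATE TABLE dbo.iam_user_queue (
    queue_id     INT IDENTITY PRIMARY KEY,
    employee_id  INT            NOT NULL,
    login_name   NVARCHAR(128)  NOT NULL,
    display_name NVARCHAR(256)  NOT NULL,
    requested_at DATETIME2      NOT NULL DEFAULT SYSUTCDATETIME(),
    processed_at DATETIME2      NULL,
    last_error   NVARCHAR(4000) NULL
);
GO
-- 2. Users get EXECUTE on an enqueue procedure, not table rights, so they
--    cannot mark rows as processed or clear errors themselves.
CREATE PROCEDURE dbo.enqueue_iam_user
    @employee_id INT, @login_name NVARCHAR(128), @display_name NVARCHAR(256)
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.iam_user_queue (employee_id, login_name, display_name)
    VALUES (@employee_id, @login_name, @display_name);
END;
GO
GRANT EXECUTE ON dbo.enqueue_iam_user TO app_user_role;
GO
-- 3. Drained by a scheduled job (e.g. SQL Agent) under a login that has rights
--    on IAM. A failing row is recorded, not thrown, so the app keeps working.
CREATE PROCEDURE dbo.process_iam_user_queue
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @queue_id INT, @login_name NVARCHAR(128), @display_name NVARCHAR(256);
    WHILE 1 = 1
    BEGIN
        SELECT TOP (1) @queue_id = queue_id, @login_name = login_name,
                       @display_name = display_name
        FROM dbo.iam_user_queue
        WHERE processed_at IS NULL AND last_error IS NULL ORDER BY queue_id;
        IF @@ROWCOUNT = 0 BREAK;
        BEGIN TRY
            INSERT INTO IAM.dbo.usr (usr_id, name) VALUES (@login_name, @display_name);
            UPDATE dbo.iam_user_queue SET processed_at = SYSUTCDATETIME() WHERE queue_id = @queue_id;
        END TRY
        BEGIN CATCH
            UPDATE dbo.iam_user_queue SET last_error = ERROR_MESSAGE() WHERE queue_id = @queue_id;
        END CATCH;
    END;
END;
```

Rows whose `last_error` is set are skipped on later runs until an administrator clears the column, which keeps a persistently failing request from blocking the queue.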
