Chapter 14: Managing Adaptive Server Logins, Database Users, and Client Connections

Locking or dropping Adaptive Server login accounts

To prevent a user from logging in to Adaptive Server, you can either lock or drop an Adaptive Server login account. Locking a login is safer than dropping it because locking a login account maintains the suid so that it cannot be reused.

WARNING! Adaptive Server may reuse the server user ID (suid) of a dropped login account when the next login account is created. This occurs only when the dropped login holds the highest suid in syslogins; however, it can compromise accountability if execution of sp_droplogin is not being audited. Also, it is possible for a user with the reused suid to access database objects that were authorized for the old suid.

You cannot drop a login when:

The user is in any database.

The login belongs to the last remaining System Security Officer or System Administrator.

**Table 14-6: Locking or dropping login accounts**
Task	Required role	System procedure	Database
Lock login account, which maintains the suid so that it cannot be reused	System Administrator or System Security Officer	sp_locklogin	master
Drop login account, which allows reuse of suid	System Administrator	sp_droplogin	master

View this book as PDF