Assigning any combination of roles with lesser permissions and individual permissions instead of DBO for the VMM service account is not supported.
As a connected user performs actions, the VMM service runs EXECUTE AS statements to run database stored procedures on the user's behalf. For this to work, the VMM service account must have the IMPERSONATE permission on the user. Non-DBO users do not have this permission.
You cannot work around this limitation by explicitly granting the IMPERSONATE permission to a non-DBO service account because you can grant IMPERSONATE only on an existing principal. Because the VMM service dynamically adds and removes database users, you cannot grant IMPERSONATE permissions on them ahead of time. The user must exist at the time you grant permissions.
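The limitation can be reproduced in a scratch database. The following T-SQL is an added illustration, not part of the original article or of VMM; the user names `vmm_svc_demo` and `vmm_user_demo` are hypothetical stand-ins for a non-DBO service account and a dynamically added user, and the script assumes it is run as dbo.

```sql
-- Added illustration; run as dbo in a scratch database. All names are hypothetical.
CREATE USER vmm_svc_demo WITHOUT LOGIN;      -- stand-in for a non-DBO service account

-- 1. The target user does not exist yet, so the grant is rejected.
BEGIN TRY
    GRANT IMPERSONATE ON USER::vmm_user_demo TO vmm_svc_demo;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;

-- 2. Once the user exists, the same statement succeeds.
CREATE USER vmm_user_demo WITHOUT LOGIN;     -- stand-in for a user added at run time
GRANT IMPERSONATE ON USER::vmm_user_demo TO vmm_svc_demo;

-- 3. The grant is stored against that one principal's ID (class 4 = database principal).
SELECT target.name  AS impersonation_target,
       grantee.name AS grantee,
       p.permission_name,
       p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS target  ON target.principal_id  = p.major_id
JOIN sys.database_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
WHERE p.class = 4 AND p.permission_name = N'IMPERSONATE';

-- 4. Acting as the service account, switch context to the user with EXECUTE AS.
EXECUTE AS USER = 'vmm_svc_demo';
EXECUTE AS USER = 'vmm_user_demo';
SELECT USER_NAME() AS effective_user;
REVERT;   -- back to vmm_svc_demo
REVERT;   -- back to the original caller

-- Cleanup.
REVOKE IMPERSONATE ON USER::vmm_user_demo FROM vmm_svc_demo;
DROP USER vmm_user_demo;
DROP USER vmm_svc_demo;
```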
The SQL Server Language Reference specifically documents the requirement that a principal must exist when the IMPERSONATE permission is granted on it. The following is from the EXECUTE AS reference:
- CompanyDomain\SQLUsers group has access to the Sales database.
- CompanyDomain\SqlUser1 is a member of SQLUsers and, therefore, has implicit access to the Sales database.
Article ID: 3087868 – Last review: Sep 8, 2015 – Revision: 1