The SQL Server provider lets Devolutions Server store the SQL account credentials used for SQL account discovery or for password rotation.
Devolutions' PAM module requires SQL Server 2016 or later.

Option | Description |
---|---|
Name | Display name of the provider. |
Description | Optional description of the provider. |

Option | Description |
---|---|
Server name | Hostname of the SQL Server. |

Option | Description |
---|---|
Credential type | Custom credential or Linked credential options. |
Username | Username of the SQL account with rights to list accounts. |
Password | Password of the SQL account. |
Linked credential | Credential directly linked to a PAM account. |

Option | Description |
---|---|
Add PAM vault | Will create a PAM vault with the provider's name if enabled. |
Add Scan configuration | Will open the Scan configuration dialog if enabled. |

Option | Description |
---|---|
Password template used on generation | Password template that will be used to generate the password during the reset password operation. |

Minimum Rights For PAM SQL Server

Scenario | Where to grant | Minimal rights | Minimal T-SQL command | Option for multiple targets |
---|---|---|---|---|
1. Ping() only | Connection database (master if DatabaseName is empty) | Mapped USER; public role is sufficient | CREATE USER [PamServiceLogin] FOR LOGIN [PamServiceLogin]; | |
2. ResetPassword — Instance LOGIN | Server + connection database | See server metadata; ALTER the targeted login; USER in the connection | GRANT VIEW ANY DEFINITION TO [PamServiceLogin]; GRANT ALTER ON LOGIN::[TargetLogin] TO [PamServiceLogin]; | GRANT ALTER ANY LOGIN TO [PamServiceLogin]; |
3. ResetPassword — Contained USER | Target database | Mapped USER; See database metadata; ALTER the targeted user | CREATE USER [PamServiceLogin] FOR LOGIN [PamServiceLogin]; GRANT VIEW DEFINITION TO [PamServiceLogin]; GRANT ALTER ON USER::[TargetUser] TO [PamServiceLogin]; |
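
The following audit script is an added example, not part of the Devolutions documentation. It checks that the service login holds only the server-level rights listed in the table for scenario 2. It assumes the placeholder names `PamServiceLogin` and `TargetLogin` from the table and is run by an administrator who can read server metadata and impersonate the service login.

```sql
-- Added example: audit the server-level rights of the PAM service login.
-- PamServiceLogin / TargetLogin are the placeholder names used in the table.
DECLARE @svc sysname = N'PamServiceLogin';

-- 1. Explicit server-level permissions, classified against the table.
SELECT
    pr.name            AS grantee,
    pe.class_desc,                      -- SERVER or SERVER_PRINCIPAL
    pe.permission_name,
    pe.state_desc,
    tgt.name           AS target_login, -- set for GRANT ALTER ON LOGIN::[...]
    CASE
        WHEN pe.class_desc = 'SERVER'
             AND pe.permission_name = 'ALTER ANY LOGIN'
            THEN 'broad: multiple-target option'
        WHEN pe.class_desc = 'SERVER_PRINCIPAL'
             AND pe.permission_name = 'ALTER'
            THEN 'scoped: single target login'
        WHEN pe.class_desc = 'SERVER'
             AND pe.permission_name IN ('VIEW ANY DEFINITION', 'CONNECT SQL')
            THEN 'expected'
        ELSE 'review: not in the minimum-rights table'
    END                AS assessment
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr
     ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.server_principals AS tgt
     ON pe.class_desc = 'SERVER_PRINCIPAL'
    AND tgt.principal_id = pe.major_id
WHERE pr.name = @svc
ORDER BY pe.class_desc, pe.permission_name;

-- 2. Fixed server role memberships. The table grants none, so any row
--    returned here (sysadmin, securityadmin, ...) is excess privilege.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = @svc;

-- 3. Effective rights as seen by the service login itself
--    (the caller needs IMPERSONATE on the login).
EXECUTE AS LOGIN = N'PamServiceLogin';
SELECT
    HAS_PERMS_BY_NAME(N'TargetLogin', 'LOGIN', 'ALTER') AS can_alter_target,
    HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY LOGIN')    AS can_alter_any_login;
REVERT;
```

With the scoped grant from scenario 2, the last query returns `can_alter_target = 1` and `can_alter_any_login = 0`; a `1` in the second column means the multiple-target option is in effect.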