> For the complete documentation index, see [llms.txt](https://docs.devolutions.net/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.devolutions.net/pam/pam-with-devolutions-server/providers/managed-providers/sql-server-provider.md).

# SQL server provider

The ***SQL Server*** provider allows Devolutions Server to store the SQL account credentials to be used for SQL accounts discovery or to achieve password rotation.

{% hint style="info" %}
Devolutions' PAM module requires SQL server 2017 and up.
{% endhint %}

![](https://cdnweb.devolutions.net/docs/docs_en_server_ServerOp2118.png)

### General

| Option          | Description                           |
| --------------- | ------------------------------------- |
| **Name**        | Display name of the provider.         |
| **Description** | Optional description of the provider. |

### Server

| Option          | Description                 |
| --------------- | --------------------------- |
| **Server name** | Hostname of the SQL Server. |

### Credentials

| Option                | Description                                                 |
| --------------------- | ----------------------------------------------------------- |
| **Credential type**   | ***Custom credential*** or ***Linked credential*** options. |
| **Username**          | Username of the SQL account with rights to list accounts.   |
| **Password**          | Password of the SQL account.                                |
| **Linked credential** | Credential directly linked to a PAM account.                |

### Actions

| Option                                        | Description                                                            |
| --------------------------------------------- | ---------------------------------------------------------------------- |
| **Add PAM** **vault**                         | Will create a PAM vault with the provider's name if enabled.           |
| **Add a new account discovery configuration** | Will open the ***Account discovery configuration*** dialog if enabled. |

### Password settings

| Option                                   | Description                                                                                       |
| ---------------------------------------- | ------------------------------------------------------------------------------------------------- |
| **Password template used on generation** | Password template that will be used to generate the password during the reset password operation. |

#### Least privileges information required for password rotation of an SQL PAM Provider

**Minimum Rights For PAM SQL Server**

| Scenario                              | Where to grant                                        | Minimal rights                                                        | Minimal T-SQL command                                                                                                                                                                                                   | Option for multiple targets                   |
| ------------------------------------- | ----------------------------------------------------- | --------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------- |
| **1. Ping() only**                    | Connection database (master if DatabaseName is empty) | Mapped USER; public role is sufficient                                | `CREATE USER [PamServiceLogin] FOR LOGIN [PamServiceLogin];`                                                                                                                                                            |                                               |
| **2. ResetPassword — Instance LOGIN** | Server + connection database                          | See server metadata; ALTER the targeted login; USER in the connection | <p><code>GRANT VIEW ANY DEFINITION TO \[PamServiceLogin];</code><br><code>GRANT ALTER ON LOGIN::\[TargetLogin] TO \[PamServiceLogin];</code></p>                                                                        | `GRANT ALTER ANY LOGIN TO [PamServiceLogin];` |
| **3. ResetPassword — Contained USER** | Target database                                       | Mapped USER; See database metadata; ALTER the targeted user           | <p><code>CREATE USER \[PamServiceLogin] FOR LOGIN \[PamServiceLogin];</code><br><code>GRANT VIEW DEFINITION TO \[PamServiceLogin];</code><br><code>GRANT ALTER ON USER::\[TargetUser] TO \[PamServiceLogin];</code></p> |                                               |


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.devolutions.net/pam/pam-with-devolutions-server/providers/managed-providers/sql-server-provider.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.