LogoSupport Hub
Utilities

SQL Deploy User ATM

SQL Deploy User ATM

Overview

This utility script creates and configures the ATM (Attendance Time Management) system login and database user account. It handles SQL Server version compatibility, creates the login with specific credentials and permissions, and ensures proper database access configuration. The script is designed to work across different SQL Server versions (2000, 2005+) and handles existing account cleanup automatically.

Parameters

The script uses hardcoded parameters for security:

  • @sidSearch - Specific SID for the ATM account (0xEC4FF58CD326CA449052AB56E61071FD)
  • @nameSearch - Login name ('atm')
  • @userSearch - Database user name ('atm')
  • @pwdSearch - Password ('t1m3')

Data Components

The script performs several key operations:

  1. Version Detection - Determines SQL Server version for compatibility
  2. Account Discovery - Searches for existing ATM login by SID and name
  3. Login Creation - Creates new login if none exists
  4. User Cleanup - Removes existing user associations and aliases
  5. Database Access - Grants database access with specific permissions
  6. Role Assignment - Assigns appropriate database and server roles

Output Format

This script produces no direct output but modifies system security tables:

ComponentActionDescription
LoginCREATE LOGIN or sp_addloginCreates server-level login
Usersp_grantdbaccessCreates database user
Permissionssp_addrolemember, sp_addsrvrolememberAssigns roles and permissions
Cleanupsp_dropalias, sp_dropuserRemoves conflicting accounts

Technical Implementation

The script uses:

  • Version-aware SQL generation for SQL 2000 vs 2005+ compatibility
  • Dynamic SQL execution for CREATE LOGIN statements
  • SID-based account identification for consistent account management
  • Systematic cleanup of existing conflicting accounts
  • Role-based security with specific permission assignments

SQL Server Version Handling

  • SQL 2005+: Uses CREATE LOGIN with modern syntax
  • SQL 2000: Uses sp_addlogin stored procedure
  • Version Detection: Uses xp_msver to determine SQL Server version

Security Configuration

  • Server Role: sysadmin (full server access)
  • Database Role: db_denydatawriter (read-only data access)
  • Default Database: Current database context
  • Password Policy: Disabled for service account

Notes

  • Cross-Version Compatibility: Works with SQL Server 2000 through modern versions
  • Idempotent Design: Safe to run multiple times without errors
  • Security Hardened: Uses specific SID for consistent account identification
  • Cleanup Automation: Automatically handles conflicting accounts
  • High Privileges: Creates sysadmin account - use with caution
  • Service Account: Designed for application service authentication
  • Password Policy: Disables expiration and complexity for service use
  • Run with sysadmin privileges to create server-level login
  • Verify the ATM account credentials match application configuration
  • Consider changing default password after deployment
  • Monitor sysadmin role assignments for security compliance
  • Test database connectivity after script execution
  • Document the account purpose and usage for security audits

T-SQL

sqlDeployUserATM.sql
declare @sqlMajor int
declare @sqlMinor int

declare @sidSearch varbinary(85); SELECT @sidSearch = 0xEC4FF58CD326CA449052AB56E61071FD
declare @sidString varchar(34); SELECT @sidString = N'0xEC4FF58CD326CA449052AB56E61071FD'
declare @nameSearch nvarchar(128); SELECT @nameSearch = N'atm'
declare @userSearch nvarchar(128); SELECT @userSearch = N'atm'
declare @pwdSearch nvarchar(128); SELECT @pwdSearch = N't1m3'

declare @sidAccount varbinary(85)
declare @nameAccount nvarchar(128)
declare @nameDB nvarchar(128)
declare @nameAlias nvarchar(128)
declare @execStmt nvarchar(4000)

-- first determine the version of SQL server, so that we can do
-- things differently when creating accounts

set nocount on
CREATE TABLE #msVersion (
	[Index] tinyint not null,
	[Name] varchar(50) not null,
	[Value] int null,
	[String] varchar(255) null
)

INSERT INTO #msVersion EXEC [master]..[xp_msver]

select @sqlMajor = [Value] / 0x10000, @sqlMinor = [Value] & 0xFFFF
from #msVersion
where [Name] = N'ProductVersion'

DROP TABLE #msVersion

-- use the @sidSearch and @nameSearch variables to locate the
-- system login from the syslogins table that matches the
-- login that is searched for. This will first match the SID,
-- then the account name.

SELECT @sidAccount = [sid], @nameAccount = [loginname]
FROM [master].[dbo].[syslogins]
WHERE [sid] = @sidSearch

IF @sidAccount IS NULL
	SELECT @sidAccount = [sid], @nameAccount = [loginname]
	FROM [master].[dbo].[syslogins]
	WHERE [loginname] = @nameSearch

-- if at this point, no account exists, we'll create one with
-- the supplied SID and name

IF @sidAccount IS NULL 
BEGIN

	-- create the account and associate with the current database
	-- as its default database

	select @nameDB = DB_NAME()

	-- if this is SQL 2005 or later, we need to use the CREATE LOGIN
	-- T-SQL statement to create the login...

	IF (@sqlMajor >= 9)
	BEGIN

		-- we cannot include the CREATE LOGIN T-SQL directly in the
		-- batch as it will fail on SQL 2000, so we have to generate
		-- a dynamic statement and execute it indirectly

		select @execStmt = N'CREATE LOGIN ' + QUOTENAME(@nameSearch) +
				   N' WITH PASSWORD = N' + QUOTENAME(@pwdSearch, N'''') + N',' +
				   N' SID = ' + @sidString + N',' +
				   N' DEFAULT_DATABASE = ' + QUOTENAME(@nameDB) + N',' +
		                   N' CHECK_EXPIRATION = OFF, CHECK_POLICY = OFF'

		execute (@execStmt)

	END ELSE
	BEGIN

		exec sp_addlogin @loginame = @nameSearch, @passwd = @pwdSearch, @defdb = @nameDB, @sid = @sidSearch

	END

	-- update the @sidAccount and @nameAccount variables with the
	-- correct information..

	SELECT @sidAccount = [sid], @nameAccount = [loginname]
	FROM [master].[dbo].[syslogins]
	WHERE [sid] = @sidSearch

END

-- if the login is aliased to a user, then we'll remove that alias now..

if exists (select [sid] from [dbo].[sysusers] where [sid] = @sidAccount and [isaliased] = 1)
	exec sp_dropalias @loginame = @nameAccount
if exists (select [sid] from [dbo].[sysusers] where [name] = @nameAccount and [isaliased] = 1)
	exec sp_dropalias @loginame = @nameAccount

-- if this login is associated with a user in the database, then we need to
-- drop the existing user association

select @nameAlias = [name] from [dbo].[sysusers] where [sid] = @sidAccount
if @nameAlias is not null
	exec sp_dropuser @name_in_db = @nameAlias

-- if a user exists with the same name as the user we are going to create, then
-- we must drop the existing user first

if exists (select [sid] from [dbo].[sysusers] where ([name] = @userSearch) and ([issqluser] = 1))
	exec sp_dropuser @name_in_db = @userSearch

-- the AttendanceLogin/AttendanceUser has access only to the Ae_login stored
-- procedure, otherwise it is denied all access to all tables and stored 
-- procedures

exec sp_grantdbaccess @loginame = @nameAccount, @name_in_db = @userSearch
exec sp_addrolemember @rolename = 'db_denydatawriter', @membername = @userSearch

-- finally, grant sysadmin permissions to the atm account

exec sp_addsrvrolemember 'atm', 'sysadmin'

Content Inventory

  • Doc File: content/docs/utilities/sqlDeployUserATM.mdx
  • SQL Script: SQL/utilities/sqlDeployUserATM.sql

Special Remove Historical Data for Purged Employees

Previous Page

Table Breakdown Analysis

Next Page

On this page

SQL Deploy User ATM
Overview
Parameters
Data Components
Output Format
Technical Implementation
SQL Server Version Handling
Security Configuration
Notes
T-SQL
Content Inventory