Creates a login account; specifies a password, a login profile for the account, and user-supplied parameters to be assigned to the account.
create login login_name with [encrypted] password password [attribute_value_pair_list]
Parameter |
Parameter Value |
Description |
---|---|---|
login profile |
Valid values:
|
If a login profile is not specified, a default login profile is applied. See Applying Login Profile and Password Policy Attributes in the Security Administration Guide. |
suid |
Valid values: Unique value between [-32768, 2147483647] excluding [-2, -1, 0, 1, 2]. |
By default an suid is generated and automatically assigned to the login account upon creation. |
fullname |
name_value |
Full name of user who owns the login account. Default is NULL. |
login script |
login_script_name |
Specifies a valid stored procedure. Limited to 120 characters for a login script. |
password expiration |
Valid range: 0 to 32767 days. |
Password expiration interval. Default is 0, meaning the password never expires. |
min password length |
Valid range: 0 to 30. |
Minimum password length required. Default is 6. |
max failed attempts |
Valid range: -1 to 32767. |
Number of login attempts allowed after which the login account is locked. -1 indicates the failed count is tracked but not locked. Default is 0, meaning the failed count is not tracked and the account is not locked due to failed login attempts. |
default database |
default_database_name |
Specifies a database to be the default. Default is Master. |
default language |
default_language |
Specifies a language to be the default. Default is us_english |
authenticate with |
Valid values: ASE, LDAP, PAM, KERBEROS, ANY |
Specifies the mechanism used for authenticating the login account. When ANY is used, the SAP ASE server checks for a defined external authentication mechanism. If one is defined, the SAP ASE server uses the defined mechanism., otherwise the ASE mechanism is used. If authenticate with authentication mechanism is not specified, ANY is used for the login account. |
exempt inactive lock |
Valid values: TRUE or FALSE |
Specifies whether or not to exempt login accounts from being locked due to inactivity. Default is FALSE which indicates accounts are not exempt. |
create login ravi with password itsA8ecret login profile emp_lp suid 7 exempt inactive lock true
Precedence rules determine how login account attributes are applied when attributes are taken from different login profiles or when values have been specified using sp_passwordpolicy.
For ease of management, it is strongly recommended that all users’ SAP ASE login names be the same as their operating system login names. This makes it easier to correlate audit data between the operating system and the SAP ASE server. Otherwise, keep a record of the correspondence between operating system and server login names.
For more information about creating login accounts, see the Security Administration Guide. For precedence rules, see Applying login profile and password policy attributes in the Security Administration Guide.
lprofile_id, lprofile_name in Reference Manual: Building Blocks
sp_passwordpolicy, sp_displaylogin, sp_displayroles, sp_locklogin in Reference Manual: Procedures
ANSI SQL – Compliance level: Transact-SQL extension.
The permission checks for create login differ based on your granular permissions settings.
Setting | Description |
---|---|
Enabled | With granular permissions enabled, you must be a user with the manage any login privilege. |
Disabled | With granular permissions disabled, you must be a user with sso_role. |
Values in event and extrainfo columns of sysaudits are:
Information | Values |
---|---|
Event | 103 |
Audit option | login_admin |
Command or access audited | create login |
Information in extrainfo | Keywords contain: WITH attribute_value_pair_list |