Managing login policies overview

A login policy is a named object in a database that consists of a set of rules that are applied when you create a database connection for a user. All new databases include a root login policy. You can modify the root login policy values, but you cannot delete the policy. Login policies govern only the rules for user login and are separate from authorities and permissions. Login policies are not inherited through group memberships.

The following settings are governed by a login policy:

The user account is assigned the root login policy when:

You can create, alter, and drop login policies. You can also create, alter, and drop users, and assign login policies to them. The sa_get_user_status system procedure returns information about the current status of a user. See sa_get_user_status system procedure.

Inheritance of login policy settings

A default login policy called root is stored in the database and contains the default option values for all policies. If you want to use different settings than the defaults, you can either alter the root policy, or create a policy and then alter it to contain overrides for the defaults. A policy inherits its default settings from the root policy, unless it is altered to contain overrides.

For example, suppose the root policy value for max_connections is 5. You create a policy called myPolicy and alter it to set max_connections to Unlimited. Then, you create a user and assign the myPolicy login policy. When the user logs in, their login policy option settings are inherited from the root login policy with the exception of max_connections, which is set to Unlimited.

Inheritance of default values from the root policy is important to understand because if you subsequently change the value of an option setting in the root policy, you impact users of policies that rely on the default value for that setting. Conversely, if a root value is changed, it does not impact any users of policies that contain an override for that setting.
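The inheritance behavior described above, as an added example that is not part of the original documentation. It assumes SQL Anywhere statement syntax and the SYSLOGINPOLICY and SYSLOGINPOLICYOPTION catalog views; the user name audit_user and the password value are constructed placeholders.

```sql
-- Added example: names and values are constructed for illustration.
-- 1. Set the default in root. Policies without an override inherit it.
ALTER LOGIN POLICY root max_connections=5;

-- 2. Create a policy that overrides only max_connections.
CREATE LOGIN POLICY myPolicy max_connections=UNLIMITED;

-- 3. Create a user under that policy (placeholder password, replace it).
CREATE USER audit_user IDENTIFIED BY '<placeholder-password>'
    LOGIN POLICY myPolicy;

-- 4. Change a root default that myPolicy does NOT override:
--    audit_user is now subject to the new lockout threshold.
ALTER LOGIN POLICY root max_failed_login_attempts=3;

-- 5. Change the root value that myPolicy DOES override:
--    audit_user keeps max_connections=UNLIMITED.
ALTER LOGIN POLICY root max_connections=2;

-- 6. Audit query: the effective value of every option for each non-root
--    policy, and whether it is an override or inherited from root.
--    Run it before altering root to see which policies a change will reach.
SELECT p.login_policy_name,
       r.login_option_name,
       COALESCE(o.login_option_value, r.login_option_value) AS effective_value,
       CASE WHEN o.login_option_value IS NULL
            THEN 'inherited from root'
            ELSE 'override'
       END AS value_source
FROM SYSLOGINPOLICY p
CROSS JOIN (SELECT ro.login_option_name, ro.login_option_value
            FROM SYSLOGINPOLICYOPTION ro
            JOIN SYSLOGINPOLICY rp
              ON rp.login_policy_id = ro.login_policy_id
            WHERE rp.login_policy_name = 'root') r
LEFT JOIN SYSLOGINPOLICYOPTION o
       ON o.login_policy_id = p.login_policy_id
      AND o.login_option_name = r.login_option_name
WHERE p.login_policy_name <> 'root'
ORDER BY p.login_policy_name, r.login_option_name;

-- 7. Check the resulting account state for the user.
SELECT user_name, connections, failed_logins, locked, reason_locked
FROM sa_get_user_status()
WHERE user_name = 'audit_user';
```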


Modify the root login policy
Creating a new login policy
Creating a user and assigning a login policy
Assigning a login policy to an existing user
Altering a login policy
Dropping a login policy
Managing login policies on read only databases