(Component Integration Services only) Creates an alternate login account and password to use when communicating with a remote server through Component Integration Services.
sp_addexternlogin server, loginame, externname [, externpasswd] [rolename]
is the name of the remote server. The remote_server must be known to the local server by an entry in the master.dbo.sysservers table.
is an account known to the local server. loginame must be represented by an entry in the master.dbo.syslogins table. The “sa” account, the “sso” account, and the loginame account are the only users authorized to modify remote access for a given local user.
is an account known to the server and must be a valid account on the node where the server runs. This is the account used for logging into the server.
is the password for externnname.
is the Adaptive Server user’s assigned role. If rolename is specified, login_name is ignored.
Tells the local server that when the login name “bobj” logs in, access to the remote server OMNI1012 is by the remote name “jordan” and the remote password “hitchpost”. Only the “bobj” account, the “sa” account, and the “sso” account have the authority to add or modify a remote login for the login name “bobj”:
sp_addexternlogin OMNI1012, bobj, jordan, hitchpost
Shows a many-to-one mapping so that all Adaptive Server Enterprise users that need a connection to DB2 can be assigned the same name and password:
sp_addexternlogin DB2, NULL, login2, password2
Adaptive Server Enterprise roles can also be assigned remote logins. With this capability, anyone with a particular role can be assigned a corresponding login name and password for a given remote server:
sp_addexternlogin DB2, NULL, login3, password3, role
sp_addexternlogin assigns an alternate login name and password to be used when communicating with a remote server. It stores the password internally in encrypted form.
You can use sp_addexternlogin only when Component Integration Services is configured.
Mappings can be one-to-one (for specific users), role-to-one (role-based), many-to-one (server-based), or based on the client login and password from the TDS loginrec.
The login and password have a many to one mapping. That is, you can assign all the users who need to log into a remote server the same name and password.
When several external logins are set for a user, the following precedence will be followed for user connections to a remote server. 1) one-to-one mapping, 2) if there is no one-to-one mapping, active role is used, 3) if neither one-to-one mapping nor active role is present, then many-to-one mapping, 4) if none of the above is used then Adaptive Server Enterprise login and password.
You can assign external logins to Adaptive Server roles. You can assign anyone with a particular role a corresponding login name and password for any given remote server.
When you establish a connection to a remote server for a user that has more than one role active, each role is searched for an external login mapping and uses the first mapping it finds to establish the login. This is the same order as displayed by the stored procedure sp_activeroles.
If you perform role mapping, and a user's role is changed (using set role), any connections made to remote servers that used role mapping must be disconnected. You cannot do this if a transaction is pending. You cannot use set role if a transaction is active and remote connections are present that used role mapping.
Before running sp_addexternlogin, add the remote server to Adaptive Server with sp_addserver.
externname and externpasswd must be a valid user and password combination on the node where the server runs.
Sites with automatic password expiration need to plan for periodic updates of passwords for external logins.
Use sp_dropexternlogin to remove the definition of the external login.
sp_addexternlogin cannot be used from within a transaction.
The “sa” account and the loginame account are the only users who can modify remote access for a given local user.
The permission checks for sp_addexternlogin differ based on your granular permissions settings.
Granular permissions enabled |
With granular permissions enabled, you must be a user with manage any remote login privilege. Any user can execute sp_addexternlogin for their own login. |
Granular permissions disabled |
With granular permissions disabled, you must be a user with sa_role or sso_role. Any user can execute sp_addexternlogin for their own login. |
Values in event and extrainfo columns from the sysaudits table are:
Event |
Audit option |
Command or access audited |
Information in extrainfo |
---|---|---|---|
38 |
exec_procedure |
Execution of a procedure |
|
System procedures sp_addserver, sp_dropexternlogin, sp_helpexternlogin, sp_helpserver