Login policies

A login policy consists of a set of rules that are applied when you create a database connection for a user. Login policies govern only the rules for user login and are separate from roles and privileges. Login policies are not inherited. All users in a database are assigned a login policy.

You can create, edit, and delete login policies. As well, you can create, edit, and delete users, and assign login policies to them. The sa_get_user_status system procedure lets you get information about the current status, including the login policy, of a user.

Inheritance of login policy settings

A default login policy called root is stored in the database and contains the default option values for all policies. To use different settings than the defaults, you can either alter the root policy, or create a policy and then alter it to contain overrides for the defaults. A policy inherits its default settings from the root policy, unless it is altered to contain overrides.

For example, suppose the root policy value for max_connections is 5. You create a policy called myPolicy and alter it to set max_connections to Unlimited. Then, you create a user and assign them the myPolicy login policy. When the user logs in, their login policy option settings are inherited from the root login policy with the exception of max_connections, which is set to Unlimited.

Inheritance of default values from the root policy is important to understand because if you subsequently change the value of an option setting in the root policy, you impact users of policies that rely on the default value for that setting. Similarly, if a root value is changed, it does not impact any users of policies that contain an override for that setting.

Login policies

Inheritance of login policy settings

See also