From 07ea7ba193698fdb7d465c55a78a63c9ac644f2d Mon Sep 17 00:00:00 2001 From: Chris Hoffman Date: Thu, 19 Oct 2017 11:21:29 -0400 Subject: [PATCH] updating mssql docs (#3477) --- website/source/docs/secrets/databases/mssql.html.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/website/source/docs/secrets/databases/mssql.html.md b/website/source/docs/secrets/databases/mssql.html.md index 2b996e198d..8f5aee5c80 100644 --- a/website/source/docs/secrets/databases/mssql.html.md +++ b/website/source/docs/secrets/databases/mssql.html.md @@ -26,13 +26,23 @@ configuration: ``` $ vault write database/config/mssql \ plugin_name=mssql-database-plugin \ - connection_url='sqlserver://sa:yourStrong(!)Password@localhost:1433' \ + connection_url='server=localhost;port=1433;user id=sa;password=Password!;database=AdventureWorks;app name=vault;' \ allowed_roles="readonly" The following warnings were returned from the Vault server: * Read access to this endpoint should be controlled via ACLs as it will return the connection details as is, including passwords, if any. ``` +In this case, we've configured Vault with the user "sa" and password "Password!", +connecting to an instance at "localhost" on port 1433. It is not necessary +that Vault has the sa login, but the user must have privileges to create +logins and manage processes. The fixed server roles `securityadmin` and +`processadmin` are examples of built-in roles that grant these permissions. The +user also must have privileges to create database users and grant permissions in +the databases that Vault manages. The fixed database roles `db_accessadmin` and +`db_securityadmin` are examples or built-in roles that grant these permissions. + + Once the MSSQL connection is configured we can add a role: ```
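Review bot: The new `connection_url` example still logs in as `sa` with the password inline, while the paragraph added below it says it is not necessary that Vault has the sa login. Consider changing the example to a dedicated login that holds only the roles the paragraph names (`securityadmin` and `processadmin` at the server level, `db_accessadmin` and `db_securityadmin` in the managed databases), so readers copying the command do not default to sa. The warning shown in the same block says this endpoint returns the connection details as is, including passwords, so a sentence pointing readers to restrict read access with ACLs would fit here as well. Two smaller points in the added paragraph: the last sentence reads "are examples or built-in roles" and should be "examples of built-in roles", and the hunk leaves two blank lines before "Once the MSSQL connection is configured" where one is enough.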