In a word... yes. In order to add a Windows Authenticated User, SL needs to create a SQL login, map it to both the APP and SYS databases and add the application role. These actions combined generally mean sysadmin: access to both databases, login creation, and role assignment. You might work it out with a combination of securityadmin, db_accessadmin et al., but you'll end up with a powerful role anyhow. If you want to separate the DBA role, in theory a SQL script could be built to perform the required steps. Windows authentication is a recent addition to SL and it's still kind of patched up.
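A sketch of the kind of DBA-run script the answer mentions, added here as an example and not taken from the original post or from SL itself. The Windows account, both database names and the role name are placeholders, and it assumes SQL Server 2012 or later and that "adding the application role" means membership in a database role.

```sql
-- Added example. All names below are placeholders, not SL's real object names.
DECLARE @WinAccount sysname = N'EXAMPLE\jdoe';     -- placeholder Windows account
DECLARE @Role       sysname = N'SL_ROLE_PLACEHOLDER'; -- placeholder role name
DECLARE @Databases  TABLE (name sysname);
INSERT INTO @Databases VALUES (N'SL_APP_PLACEHOLDER'), (N'SL_SYS_PLACEHOLDER');

DECLARE @sql nvarchar(max), @db sysname;

-- Step 1: server-level login for the Windows account (skipped if present).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @WinAccount)
BEGIN
    SET @sql = N'CREATE LOGIN ' + QUOTENAME(@WinAccount) + N' FROM WINDOWS;';
    EXEC sys.sp_executesql @sql;
END;

-- Steps 2 and 3: map the login into each database and add it to the role.
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR SELECT name FROM @Databases;
OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME keeps the account, database and role names from being
    -- interpreted as SQL when they are spliced into the dynamic batch.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @u)
    CREATE USER ' + QUOTENAME(@WinAccount)
        + N' FOR LOGIN ' + QUOTENAME(@WinAccount) + N';
IF NOT EXISTS (
    SELECT 1
    FROM sys.database_role_members AS m
    JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
    JOIN sys.database_principals AS p ON p.principal_id = m.member_principal_id
    WHERE r.name = @r AND p.name = @u)
    ALTER ROLE ' + QUOTENAME(@Role)
        + N' ADD MEMBER ' + QUOTENAME(@WinAccount) + N';';

    EXEC sys.sp_executesql @sql, N'@u sysname, @r sysname',
         @u = @WinAccount, @r = @Role;
    FETCH NEXT FROM db_cur INTO @db;
END;
CLOSE db_cur;
DEALLOCATE db_cur;
```

Each step checks for existing principals first, so the script can be re-run for the same account without errors.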