For a user to be able to change a password of his own user or another user, he must have "Drop User" access on that particular user.
Yesterday, however, a user (and I have rechecked this) did not have the required "Drop User" access on his own user but somehow still managed to change his password. Prior to that, all password changing requests were directed to me.
I am confused as to how was he able to do this?
I have checked the logs and he had run the following statement:
MODIFY USER "username" AS PASSWORD ="*******"
The statement type was that of a "Modify Database" and statement group was that of "DDL Alter".
Any help on this?
every user can change his own password, there's no right needed for that. Only if you want to change the password of another user you'll nedd the DROP USER right.