In our school district, we have many users who have access to two or three databases, and a few users who have access to ten or so databases. For a long time, we allowed users to manage their own passwords, and as a result spent a lot of time resetting passwords that had been forgotten. Last year I built a database for my use that contains users account name, assigned password (used for all dbs), and privilege set to the databases to which they need access. Scripts allow the creation, deletion, or change of access rights as needed much more quickly than going from file to file.
This works well, and is relatively secure, in that the account information is maintained in only one file, with only one person having access to it. The flaw is that because I have access to everyone's password, I can "pretend to be them", as our auditor put it.
Is there a way to control user access without knowing their password? There was a product called Account Manager that attempted to do that, but it doesn't seem to be around anymore. Does anyone know of a replacement?