We have an ASP.NET application, for which there are 2 "administrators" who set up new users with access to the application, or change their permissions, etc. The application has an underlying SQL Server 2008 R2 DB. Access to the application is either via Windows authentication or, for the administrators, SQL authentication. Each user of the application is a server login in SQL Server. We were reviewing permissions, and the administrators log in to the application with accounts that actually have SYSADMIN permissions in SQL. I thought such permissions were excessive, but the 3rd party claim they need this level of access in order to create new application accounts (which are essentially SQL Server logins). Is this a common design for apps built on top of a SQL Server, or is this a bad practice/design? I am not from a .NET background, but I do understand the risks associated with granting SYSADMIN over a production SQL.
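
For comparison with the setup described in the question, the following T-SQL is an added example, not part of the original post and not the vendor's code. It audits who holds sysadmin and shows a narrower grant based on the fact that `CREATE LOGIN` requires only the `ALTER ANY LOGIN` server permission. The login name `AppAdmin1` and database name `AppDb` are hypothetical, and whether the third-party application needs anything beyond login and user management is an assumption to test in a non-production copy first.

```sql
-- Added example for SQL Server 2008 R2. AppAdmin1 and AppDb are hypothetical names.
-- Run as an existing DBA account, not as the application administrator.

-- 1. Audit: list every login that is currently a member of sysadmin.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 2. Server level: ALTER ANY LOGIN is the permission that CREATE LOGIN,
--    ALTER LOGIN and DROP LOGIN check. Server permissions are granted from master.
USE master;
GRANT ALTER ANY LOGIN TO [AppAdmin1];

-- 3. Database level: map the login into the application database and let it
--    add users (db_accessadmin) and manage roles and permissions (db_securityadmin).
USE AppDb;
CREATE USER [AppAdmin1] FOR LOGIN [AppAdmin1];
EXEC sp_addrolemember N'db_accessadmin',   N'AppAdmin1';
EXEC sp_addrolemember N'db_securityadmin', N'AppAdmin1';

-- 4. Remove the server-wide role once steps 2 and 3 are in place.
EXEC sp_dropsrvrolemember N'AppAdmin1', N'sysadmin';

-- 5. Verify from the account's own security context.
EXECUTE AS LOGIN = N'AppAdmin1';
SELECT IS_SRVROLEMEMBER('sysadmin')                       AS is_sysadmin,       -- expect 0
       HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY LOGIN')   AS can_manage_logins; -- expect 1
REVERT;
```

With `ALTER ANY LOGIN` alone, resetting the password of a login that is itself a sysadmin member additionally requires `CONTROL SERVER`, so the reduced account cannot take over an existing sysadmin login that way.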