Why is the "Run As" drop down list is always empty when I try to set up a SQL Agent Job? I am trying to set up some SQL Agent Jobs to run using a proxy account. I am a member of the SQLAgentUserRole, SQLAgentReaderRole, and SQLAgentOperatorRole. When I try to add a step to to the job, I select SQL Integration Services Package and the Run As drop down list is empty.
Anyone who is a sysadmin can view the proxy. Shouldn't I be able to use the proxy as a member of SQLAgentUserRole, SQLAgentReaderRole, and SQLAgentOperatorRole? What am I missing here?
(The proxy account is active to the subsystem: SQL Integration Service Packages and this is SQL Server 2008 R2)
EDIT -
MSDN: "Members of these database roles (SQLAgentUserRole, SQLAgentReaderRole, and SQLAgentOperatorRole) can view and execute jobs that they own, and create job steps that run as an existing proxy account." And this other article on fixed server roles mentions that access can be granted to proxies, but it does not mention how to do it: MSDN.
I found the answer to this. Users who are not sysadmin have to have access to the proxy account explicitly granted to their role or username:
To grant access to proxy accounts for non-sysadmins
In Object Explorer, expand a server.
Expand SQL Server Agent.
Expand Proxies, expand the subsystem node for the proxy, right-click the proxy you wish to modify, and click Properties.
On the General page, you can change the proxy account name, credential, or the subsystem it uses. On the Principals page, you can add or remove logins or roles to grant or remove access to the proxy account.
http://msdn.microsoft.com/en-us/library/ms187890(v=sql.100).aspx
When editing the job step - switch to "Advanced" tab on the left, don't use the dropdown on the main page.
Make sure the user is granted a role in the job database, even if he's a "sysadmin"
(the screenshot is for SSMS 17)
No, you shouldn't. Memebers of the roles you just mentioned can only create jobs that run as themselfes because they are non-administrative roles. If you want to run a job using antoher user, you'll need access to a proxy account. If I'm not mistaken, the only group that has access to create proxy accounts is sysadmin, so you'll need an admin to do that for you.
Members of the sysadmin role have permission to create job steps that
do not specify a proxy, but instead run as the SQL Server Agent
service account, which is the account that is used to start SQL Server
Agent.
Create credentials first then you will be able to add it under proxies level.
Once this is done then you can change from sql service agent to the credentials.
I had this problem with SQL Server 2017 and I wanted to not have to create a whole SSIS package just to run some SQL with the proxy user.
My solution was using the SQLCMD utility and run the SQL Agent Job step as the CmdExec type instead of running it as T-SQL.
Then you could have it run something like:
sqlcmd -S <ComputerName>\<InstanceName> -Q "SELECT * FROM AdventureWorks2012.Person.Person"
https://learn.microsoft.com/en-us/sql/ssms/scripting/sqlcmd-use-the-utility?view=sql-server-ver16
Related
I am working on a project and I have access to SQL Server as external user with limited privileges.
When I want to create a login for example with this command, I get permission denied:
CREATE LOGIN [login] WITH PASSWORD=N'test', DEFAULT_DATABASE=[master],
DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF)
However when I try to create a login with this command I can make it and also I have privileges now to enable xp_cmd shell as well:
EXECUTE('EXECUTE(''CREATE LOGIN [test5] WITH PASSWORD=N''''test'''',
DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF'') AT "hostname\domain"')
EXECUTE('EXECUTE(''ALTER SERVER ROLE [sysadmin] ADD MEMBER [test5]'')
EXECUTE('EXECUTE(''ALTER SERVER ROLE [db_owner] ADD MEMBER [test5]'')
Can someone please explain why is that?
EXECUTE('string sql statement') AT "hostname\domain" == the 'string sql statement' is a pass-through command executed at the linked server "hostname/domain".
Has someone created a loop-back linked server (a linked server that points to the sql instance itself)?
Linked servers have their own security configuration/settings. If the security of the linked server is configured (for any login) to be made under the security context of a privileged login(eg. sa) then exec('') at linkedserver will be executed with way more/elevated permissions (than expected). This is a major security issue/hole.
Check the security of the linked server and change accordingly (and do you really need a loopback linked server?)
I have been able to set up an active directory login for my Azure database.
Now I want to add additional active directory logins and set their permissions
I understand that I need to use Management Studio to do this and have installed SSMS v17.8.1
I have been studying docs but I can't find the instructions
[Update]
After reading Conor's answer I was able to create the user
CREATE USER [jobuser#mydomain] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA=[dbo]
However if I try to login using MSSMS with Active Directory - Password authentication I get
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON' (MIcrosoft SQL Server, Error 18456)
[Update]
In the Connection Properties Tab
I had to overtype with the database name
That particular page only shows an example using a SQL login/user, so I can understand why you are confused.
Please read through this page:
https://learn.microsoft.com/en-us/sql/t-sql/statements/create-user-transact-sql?view=sql-server-2017
Specifically, you want to create a user using the AS EXTERNAL PROVIDER example. This tells SQL Azure (and SQL DW) to use Azure Active Directory instead of creating a SQL user. Please note that this does not (as of today) work in SQL Server. (SQL Server supports integrated authentication against a local Active Directory, but it just does not currently support the Azure Active Directory service).
Also, there is no specific requirement that you use SSMS to do this step. You can do it within SSMS, SQL Operation Studio, through one of the SQL client drivers in a program you write (or some third party program that can invoke SQL over them), sqlcmd, etc. You don't even need to have the latest SSMS to make things work (though it is recommend to get the best experience against SQL Azure including syntax highlighting).
Please give that a try and see if it gets you unblocked.
Best of Luck!
When i tried to run the .dtsx file i got the following error
The task with the name "some task" and the creation name
"SSIS.ReplacementTask" is not registered for use on this computer
I change the logon to network serivce of Sql Integeration service fron SQL server configuration but still m getting this error please help
Try this.
When you use username and password to log on to your computer, sql server need to verify the user who authorized to use the sql server service.. But sometimes sql server cannot redirect to the account, so we need to configure the user.
Here's the step :
1. open sql server configuration mangager
2. choose sql server 2005 services
3. right click sql server integration services, choose properties
4. choose log on tab, select this account, enter your username and password which is used to log on your computer.
5. reopen the business intelligence studio. There you are, the task component can work properly again.
It also might be that this is a custom component which is not installed at your global assembly cache (in case you are not running it at the server to which it was originally deployed).
I'm new to SQL Server 2008. I just installed SQL Server Express. I'm having trouble creating a new database, and I think I don't have permission.
I login like this, please see this screenshot:
Then I tried to create a new database and I got this:
I tried to search for some solution and this what I've got:
http://blogs.msdn.com/b/sqlexpress/archive/2010/02/23/how-to-take-ownership-of-your-local-sql-server-2008-express.aspx
But I can't download the script and the page says:
An error occurred while processing your request.
Please help. Kind regards
I resolved my problem with the following steps:
Set the instance of the SQL Service to single-user mode:
Open SQL Server Configuration Manager. Double click SQL Server Services.
Stop all SQL Server services
Right click SQL service and click Properties, in the Advanced tab, look for 'Startup Parameters'
Insert '-m;' at the beginning of the Startup Parameters value
Start the SQL service
Open SQL Server Management Studio and login with Windows authentication, you can now add user or change password of different users.
Hope this helps!
Try logging in with the sa account and grant permissions to your Windows account.
If you do not know the sa password use sqlcmd and execute the following commands:
Use Master
Go
ALTER LOGIN [sa] WITH PASSWORD=N'NewPassword'
Go
Login with the sa account and GRANT permission to the account.
USE Master;
GRANT CREATE DATABASE TO Jommel;
I have created a report and subscriptions but when I go to SQL Server 2008 R2 Management Studio and connect to Report Server I do not see anything under Jobs folder. When I right-click I do not see an option to create a Job. How do I make a job so that it shows under this folder?
There are a couple of things you can check
Is SQLAgent currently turned on?
Is SQL Agent set to auto-start?
Under what permissions (i.e. user account or proxy account) is SQLAgent set to run?
What type of subscription did you create? scheduled? data-driven? (the latter is an enterprise-edition only feature)
What delivery method for the subscriptions? to a folder? via email? If to a folder, does the SQLAgent account have the appropriate permissions to read/write on that shared folder? If via email, have you configured the SMTP settings in SSRS configuration tool?
I am assuming that SSRS is installed in native (not SharePoint integrated mode) - is this correct? There are different set of troubleshooting steps if the latter
For completeness, here's an MSDN reference (step-by-step) on how to create a subscription. Also I assume that your user account has the appropriate permissions to create other types (that is, non-SSRS subscription jobs) of new jobs on your SQL Server instance via SSMS.