Foglight for SQL Server 5.6.5 Managing SQL Server Database Systems Permissions Guide
© 2012 Quest Software, Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters
LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
email: legal@quest.com

Refer to our Web site for regional and international office information.

Trademarks

Quest, Quest Software, the Quest Software logo, Foglight, IntelliProfile, PerformaSure, Spotlight, StealthCollect, TOAD, Tag and Follow, Vintela Single Sign-on for Java, and vFoglight are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software's trademarks, please see http://www.quest.com/legal/trademark-information.aspx. Other trademarks and registered trademarks are property of their respective owners.

Third Party Contributions

Foglight contains some third party components. For a complete list, see the License Credits page in Foglight online help.

Permissions Guide
December 2012
Version 5.6.5
Managing SQL Server Database Systems Permissions Guide

Table of Contents

Introduction to this Guide
    About Quest Software, Inc.
    Contacting Quest Software
    Contacting Quest Support
Foglight for SQL Server Cartridge Permissions
    Configuring Privileges for the VMware Collector Agent
        Configuring Privileges on the VMware Virtual Infrastructure Client
        Configuring Privileges on the VMware vSphere Client
    Granting Permissions to SQL Server Users
        Instance-level Permissions
        Database-level Permissions
        Object-specific Permissions
    Running the Grant Permissions Script
Index
Introduction to this Guide

This Permissions Guide provides information and instructions about the various permission levels that can be granted for users of SQL Server 2000 and SQL Server 2005/2008, as well as instructions for manually running the Grant Permissions script. This guide is intended for SQL Server administrators.
About Quest Software, Inc.

Established in 1987, Quest Software (Nasdaq: QSFT) provides simple and innovative IT management solutions that enable more than 100,000 global customers to save time and money across physical and virtual environments. Quest products solve complex IT challenges ranging from database management, data protection, identity and access management, monitoring, user workspace management to Windows management. For more information, visit www.quest.com.

Contacting Quest Software

Email:    info@quest.com
Mail:     Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA
Web site: www.quest.com

Refer to our Web site for regional and international office information.

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to our Support Portal at http://www.quest.com/support.

From our Support Portal, you can do the following:

- Retrieve thousands of solutions from our Knowledge Base
- Download the latest releases and service packs
- Create, update, and review Support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, policies, and procedures. The guide is available at: http://www.quest.com/support.
1 Foglight for SQL Server Cartridge Permissions

Foglight for SQL Server can be used for granting permissions on several levels. This document details the permissions that can be granted to users of SQL Server at each level, and explains how to run the grant privileges script manually.
Configuring Privileges for the VMware Collector Agent

Starting with version 6.5.1, users of Quest vFoglight, Quest Software's solution for performance monitoring and management of virtual environments, can benefit from vFoglight for SQL Server Add-on, which provides light-weight monitoring of SQL Server instances running on VMware ESX servers. vFoglight for SQL Server Add-on is primarily targeted to assist database administrators who need to investigate the share of SQL Server-related processes within the overall system workload.

Prior to installing and configuring the vFoglight for SQL Server Add-on agent components, Foglight for SQL Server must have the appropriate credentials required for connecting to the VMware Collector agent, as described in the following sections:

- Configuring Privileges on the VMware Virtual Infrastructure Client
- Configuring Privileges on the VMware vSphere Client

Configuring Privileges on the VMware Virtual Infrastructure Client

To configure privileges for the Collector agent component credentials:

1. On the VMware Virtual Infrastructure client user interface, click the Administration button at the top of the screen. The Administration screen appears.
2. Right-click a role type and click Add. The Add Role dialog box appears.
3. Enter a name for the newly created role.
4. Enable the Read Only privilege.
5. Click OK.
6. On the VMware Virtual Infrastructure client user interface, click the Inventory button at the top of the screen. The Inventory screen appears.
7. Right-click Hosts and Clusters at the top left and click Assign Permissions. The Assign Permissions dialog box appears.
8. From the Assigned Role list, select the newly created role.
9. Click Add.
Configuring Privileges on the VMware vSphere Client

To configure privileges for the Collector agent component credentials:

1. On the home page, go to Inventory > Hosts and Clusters.
2. Right-click the top (parent) host name on the top left and click Assign Permissions. The Assign Permissions dialog box appears.
3. Select the privilege Read-only from the Assigned Role section.
4. Click Add on the Users and Groups column. The Select Users and Groups dialog box appears.
5. Select the users and groups to be added to the newly created role.
6. Click OK.

Granting Permissions to SQL Server Users

Permissions are granted on several levels, as detailed in the following sections:

- Instance-level Permissions
- Database-level Permissions
- Object-specific Permissions

Instance-level Permissions

The following permissions are granted at the instance level:

- VIEW ANY DEFINITION
- VIEW SERVER STATE
- ALTER TRACE: allows carrying out the following operations:
    - Tracing a specific session: the data retrieved by this operation is displayed on the SQL Activity > Sessions > Session Details > Session Trace pane
    - Monitoring deadlocks: the data retrieved by this operation is displayed on the SQL Activity > Deadlocks panel

Database-level Permissions

The following permissions are granted at the database level:

- CREATE USER: the lowest permission level, which only allows accessing each database.
- db_datareader: allows creating user-defined SQL queries for monitoring purposes, via the User-defined Collections global administration screen. For details, see the User-defined Collections section in the Foglight for SQL Server User Guide.
- db_ddladmin: allows running DBCC commands for indexes. Without this permission, no data is retrieved from the following collections:
    - Database Index Density Vectors
    - Database Index Details
    - Database Index Histogram
  The data retrieved from these collections is displayed by clicking a specific row on the Databases > Indexes pane.
Object-specific Permissions

The permissions listed below allow users holding them to access specific objects within the master and msdb databases:

- Execute: allows accessing the following objects within the master database:
    - xp_enumerrorlogs
    - xp_readerrorlog
- Select: allows accessing the following objects within the msdb database:
    - log_shipping_monitor_primary
    - log_shipping_monitor_secondary
    - log_shipping_primaries
    - log_shipping_secondaries
    - sysalerts
    - syscategories
    - sysjobactivity
    - sysjobs
    - sysjobhistory
    - dbm_monitor_data

Running the Grant Permissions Script

The file used for granting permissions manually, SQLServerGrantPrivilegesScript.sql, can be downloaded by clicking the View script link under the Instances table, which is accessible via one of the following methods:

- When running the automatic discovery wizard, in the Instance Connectivity Settings screen (see section Running the Database Discovery Wizard in the Foglight for SQL Server User Guide).
- In the Connection Details global administration screen (see section Global Administration > Connection Details in the Foglight for SQL Server User Guide).

Important: Running this file requires the sysadmin or securityadmin server role.

To manually run the Grant Permissions script:

1. Open the SQLServerGrantPrivilegesScript.sql file in SQL Server Management Studio (SSMS).
2. Find the Select @LoginName = ? section at the beginning of this file.
3. Replace the question mark with the login name to which the requested permissions are to be assigned.
4. Execute the script.
5. Repeat step 1 to step 4 for each instance to be monitored.
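To confirm what the login holds once the script has run, the following T-SQL compares its direct server-level grants with the three instance-level permissions listed in this guide, then lists its server and database role memberships. It is an added example, not part of SQLServerGrantPrivilegesScript.sql or any Quest code; it assumes SQL Server 2005 or later (the sys catalog views) and a hypothetical login name, foglight_monitor.

```sql
-- Added example, not part of SQLServerGrantPrivilegesScript.sql.
-- N'foglight_monitor' is a hypothetical login name; replace it with yours.
DECLARE @LoginName sysname;
SET @LoginName = N'foglight_monitor';

-- Instance-level permissions this guide lists for the monitoring login.
DECLARE @expected TABLE
    (permission_name nvarchar(128) COLLATE DATABASE_DEFAULT PRIMARY KEY);
INSERT INTO @expected VALUES (N'VIEW ANY DEFINITION');
INSERT INTO @expected VALUES (N'VIEW SERVER STATE');
INSERT INTO @expected VALUES (N'ALTER TRACE');

-- 1. Direct server-level grants compared with the list above.
--    MISSING      = listed in the guide but not granted to the login.
--    NOT IN GUIDE = granted to the login but not listed (CONNECT SQL is
--                   excluded because every login needs it to connect).
--    Permissions inherited through a Windows group or role are not shown.
SELECT COALESCE(e.permission_name, p.permission_name) AS permission_name,
       CASE WHEN p.permission_name IS NULL THEN 'MISSING'
            ELSE 'NOT IN GUIDE' END AS finding
FROM @expected AS e
FULL OUTER JOIN (
    SELECT sp.permission_name COLLATE DATABASE_DEFAULT AS permission_name
    FROM sys.server_permissions AS sp
    JOIN sys.server_principals AS pr
      ON pr.principal_id = sp.grantee_principal_id
    WHERE pr.name = @LoginName
      AND sp.class = 100                 -- server-scope permissions only
      AND sp.state IN ('G', 'W')         -- GRANT / GRANT WITH GRANT OPTION
      AND sp.permission_name <> N'CONNECT SQL'
) AS p ON p.permission_name = e.permission_name
WHERE e.permission_name IS NULL OR p.permission_name IS NULL;

-- 2. Fixed server roles held by the login. The guide lists no server role
--    among the granted permissions, so review any row returned here.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE l.name = @LoginName;

-- 3. Database roles held in the current database (run once per monitored
--    database). The guide lists db_datareader and db_ddladmin.
SELECT DB_NAME() AS database_name, r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.sid = SUSER_SID(@LoginName);
```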