August 17, 2010 at 8:40 am
I have to convince our DBAs to GRANT SHOWPLAN in the databases I work in, they seem leery because of the 'security note' in BOL, which seems like more of a CYA than anything to me -
Security Note
Users who have SHOWPLAN, ALTER TRACE, or VIEW SERVER STATE permission can view queries that are captured in Showplan output. These queries may contain sensitive information such as passwords. Therefore, we recommend that you only grant these permissions to users who are authorized to view sensitive information, such as members of the db_owner fixed database role, or members of the sysadmin fixed server role. We also recommend that you only save Showplan files or trace files that contain Showplan-related events to a location that uses the NTFS file system, and that you restrict access to users who are authorized to view sensitive information.
Seems like it's saying that if I picked up a .sqlplan for somebody else's query that had sensitive info in it, I could see it. Duh.
I have datareader_only on the db's in question, so I can see everything in the db already anyway, I'm not seeing the downside here. I've had them add before, but they revoked recently.
It's one of those things that I don't need all the time, but when I'm trying to actually improve, it'd be nice to be able to tell just what the heck I'm doing wrong...
Any advice appreciated, am I missing something, and there's a legitimate concern here?
Thanks,
Jon
---------------------------------------------------------
How best to post your question[/url]
How to post performance problems[/url]
Tally Table:What it is and how it replaces a loop[/url]
"stewsterl 80804 (10/16/2009)I guess when you stop and try to understand the solution provided you not only learn, but save yourself some headaches when you need to make any slight changes."
August 17, 2010 at 9:01 am
but if its secured connection which is connecting to database then i dont think reading matters that much. They have no permisssion to modify it.
Correct me if I am wrong.
----------
Ashish
August 17, 2010 at 9:13 am
IF there are queries / statements being executed that have the password in them then that is what they should be focusing on, not keeping you from seeing the execution plan.
Here's an idea. Get them to agree that you need this ability to do your job. Pretty much a no brainer. Then get them to agree that they will provide you with what you need every time you need it within a reasonable time period, say 30 minutes. Start firing queries over to them and see how long the restriction lasts. :hehe:
David
@SQLTentmaker“He is no fool who gives what he cannot keep to gain that which he cannot lose” - Jim Elliot
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply