February 7, 2024 at 4:07 pm
What is the minimal permission to allow a user (who is not a member of the SYSADMIN or SSIS_ADMIN role) to stop a SSIS operation using the [stop] command button on the Active Operations dashboard?
This would be similar to the SQLAgentOperatorRole for SQLAgent - except for SSIS operations.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
February 7, 2024 at 4:26 pm
Does db_ssisoperator not give the right access for that?
February 7, 2024 at 4:36 pm
requires SSIS_ADMIN - which grants why too much power and can allow a user to elevate itself to sysadmin
February 7, 2024 at 4:42 pm
db_ssisadmin, db_ssisltduser, and db_ssisoperator roles only exist in MSDB and apply to the legacy SSIS deployment model.
In SSISDB, the options are: ssis_admin and ssis_logreader, so it seems the solution is some type of granular permission.
I tried the following, but still didn't work.
GRANT EXECUTE ON catalog.stop_operation TO [DomainName\GroupName];
Googling doesn't turn up anything helpful, as if most folks either grant SSIS_ADMIN or simply don't have a need for an operator type role to manage SSIS executions.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
February 7, 2024 at 4:45 pm
https://learn.microsoft.com/en-us/sql/integration-services/system-stored-procedures/catalog-stop-operation-ssisdb-database?view=sql-server-ver16
requires SSIS_ADMIN - which grants why too much power and can allow a user to elevate itself to sysadmin
This looks like maybe, but also complicated to figure out.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
February 7, 2024 at 6:20 pm
Eric:
Check this link if this helps, may be at a granular level:
https://www.mssqltips.com/sqlservertip/3153/managing-ssis-security-with-database-roles/
what happens if you deny EXECUTE OBJECTS?
=======================================================================
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply