Minimal permission to stop a SSIS execution from Active Operations dashboard?

Question

Post reply

Minimal permission to stop a SSIS execution from Active Operations dashboard?

Eric M Russell

SSC Guru

Points: 125561
More actions
February 7, 2024 at 4:07 pm

#4374867

What is the minimal permission to allow a user (who is not a member of the SYSADMIN or SSIS_ADMIN role) to stop a SSIS operation using the [stop] command button on the Active Operations dashboard?
This would be similar to the SQLAgentOperatorRole for SQLAgent - except for SSIS operations.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

Viewing 6 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic. Login to reply

Ant-Green SSC Guru Points: 113507 More actions · Answer 1

Does db_ssisoperator not give the right access for that?

frederico_fonseca SSCoach Points: 16154 More actions · Answer 2

https://learn.microsoft.com/en-us/sql/integration-services/system-stored-procedures/catalog-stop-operation-ssisdb-database?view=sql-server-ver16

requires SSIS_ADMIN - which grants why too much power and can allow a user to elevate itself to sysadmin

Eric M Russell SSC Guru Points: 125561 More actions · Answer 3

db_ssisadmin, db_ssisltduser, and db_ssisoperator roles only exist in MSDB and apply to the legacy SSIS deployment model.

In SSISDB, the options are: ssis_admin and ssis_logreader, so it seems the solution is some type of granular permission.

I tried the following, but still didn't work.

 GRANT EXECUTE ON catalog.stop_operation TO [DomainName\GroupName];

Googling doesn't turn up anything helpful, as if most folks either grant SSIS_ADMIN or simply don't have a need for an operator type role to manage SSIS executions.

"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

Eric M Russell SSC Guru Points: 125561 More actions · Answer 4

frederico_fonseca wrote:

https://learn.microsoft.com/en-us/sql/integration-services/system-stored-procedures/catalog-stop-operation-ssisdb-database?view=sql-server-ver16
requires SSIS_ADMIN - which grants why too much power and can allow a user to elevate itself to sysadmin

This looks like maybe, but also complicated to figure out.

https://learn.microsoft.com/en-us/sql/integration-services/system-stored-procedures/catalog-grant-permission-ssisdb-database?view=sql-server-ver16

"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

Emperor100 SSCrazy Points: 2173 More actions · Answer 5

Eric:

Check this link if this helps, may be at a granular level:

https://www.mssqltips.com/sqlservertip/3153/managing-ssis-security-with-database-roles/

what happens if you deny EXECUTE OBJECTS?

=======================================================================