April 16, 2008 at 2:50 am
I hope somebody can help.
We're in the process of putting in a managed intrusion detection solution, and part of the method used to collect the SQL trace logs is the function:
fn_trace_gettable
I'm not about to give out credentials to a login that's in the SysAdmin role on all our production servers to a third party, so is there any way of granting permissions to just the fn_trace_... functions?
--------
[font="Tahoma"]I love deadlines. I like the whooshing sound they make as they fly by. -Douglas Adams[/font]
April 16, 2008 at 3:10 am
I believe in SQL 2000, you require sysadmin to use that function, and I don't think there's any way around it.
In SQL 2005, the ALTER TRACE permission was added so that non-sysadmins could use profiler and the profiler-related functions, but that doesn't help you much.
Sorry.
Can you maybe set up jobs to import the trace data? Then the jobs can run as sysadmin and you won't have to give out any credentials.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
April 16, 2008 at 3:29 am
Thanks for the quick reply, although that is bad news.
I will check with the company who will be collecting the logs (VeriSign), but I think the appliance that does the collecting is hardware, and altering how it does this probably isn't possible.
I suspect some thinking outside the box may be in order... Maybe if they give only us the ability to set these collector jobs up without the need to divulge the passwords, or we set up a secure SQL 2005 instance and copy all trace files from all servers to the one machine...
Thanks again for your help.
--------
[font="Tahoma"]I love deadlines. I like the whooshing sound they make as they fly by. -Douglas Adams[/font]
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply