Securing Access To SQL Agent

  • Hi All,

    Just wondering if anyone has any ideas on how I can secure the SQL Agent without using one of the fixed roles?

    The scenario is that I want our software developers to customize the access the dev team has to the SQL Server Agent. I want them to be able to view jobs, view the job history, and to be able to start and stop jobs. I don't want them to be able to alter or add any new jobs to the agent.

    Playing around with the three fixed roles and they all allow new jobs to be added to the system. I was hoping to create a custom role which would restrict the developers down to the permissions I mentioned above. The script I was using looked like this:

    [use msdb]

    create role SQLAgentDeveloperRole

    grant select on dbo.sysjobs_view to SQLAgentDeveloperRole

    grant select on dbo.syscategories to SQLAgentDeveloperRole

    grant select on sysschedules_localserver_view to SQLAgentDeveloperRole

    grant execute on sp_help_category to SQLAgentDeveloperRole

    grant execute on sp_help_job to SQLAgentDeveloperRole

    grant execute on sp_help_jobactivity to SQLAgentDeveloperRole

    grant execute on sp_help_jobcount to SQLAgentDeveloperRole

    grant execute on sp_help_jobhistory to SQLAgentDeveloperRole

    grant execute on sp_help_jobhistory_full to SQLAgentDeveloperRole

    grant execute on sp_help_jobhistory_sem to SQLAgentDeveloperRole

    grant execute on sp_help_jobhistory_summary to SQLAgentDeveloperRole

    grant execute on sp_help_jobs_in_schedule to SQLAgentDeveloperRole

    grant execute on sp_help_jobstep to SQLAgentDeveloperRole

    grant execute on sp_help_jobsteplog to SQLAgentDeveloperRole

    grant execute on sp_help_jobschedule to SQLAgentDeveloperRole

    grant execute on sp_help_jobserver to SQLAgentDeveloperRole

    grant execute on sp_help_operator to SQLAgentDeveloperRole

    grant execute on sp_help_proxy to SQLAgentDeveloperRole

    grant execute on sp_check_for_owned_jobs to SQLAgentDeveloperRole

    grant execute on sp_check_for_owned_jobsteps to SQLAgentDeveloperRole

    grant execute on sp_help_schedule to SQLAgentDeveloperRole

    grant execute on sp_start_job to SQLAgentDeveloperRole

    grant execute on sp_stop_job to SQLAgentDeveloperRole

    This approach works but then the SQL Server Agent node disappears from management studio (which makes it a tad bit hard for the devs to view the jobs!). Does anyone have any ideas on how to solve this?

    Cheers,

    Will

  • You could use the builtin SQLAgent roles and deny EXECUTE on msdb.dbo.sp_add_job

    -- Gianluca Sartori

  • Thanks mate you are a genius!

    Just doing some more testing but it's looking very promising. I've set deny on all add / drop / update procs in the SQLAgentUserRole and given a test account access to the SQLAgentOperatorRole. The user can see all jobs on the system, start / stop any jobs on the system, but can't make any changes to any of the jobs.

    I had a minor concern that it may lock the sysadmin accounts out adding / updating jobs but it all looks fine 🙂

    Cheers,

    Will

  • Be careful here... Depending on the role and functions, you may be better off using REVOKE instead of DENY.

    DENY overrides other permissions and will prevent access to the object/action in question.

    REVOKE simply removes the existing permission (irrespective of whether that permission was GRANTED or DENIED)

    Thanks,

    Jared

    Jared
    CE - Microsoft

Viewing 4 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic. Login to reply