SSIS Package Protection Level

  • Hi,

    I am in the process to promote in production a bunch of packages, after migrating form sql2000 to sql2005. I am wondering what is the simplest way to set the protection level for every package (DontSaveSensitive, EncryptAllWithPassword, EncryptAllWithUserKey, EncryptSensitiveWithPassword, EncryptSensitiveWithUserKey). I am planing to use the FileSystem deployment method for my packages.

    If a package call another package, what should be the protection level of the second package?

    I did some researches and this seems confusing, any information will be helpful.

    Thanks,

  • It depends on who will be executing the packages in production. If you use any of the ..UserKey protection levels, you'll be the only one who can execute them. Assuming the packages will be run in scheduled jobs, it'll be the SQL Agent account executing them. I've been using EcryptAllWithPassword and providing the password in the dtexec command in a job step.

    Note that the password is also required to edit the package in BIDS. I'd set a password for the child packages also.

    Greg

  • Thanks Greg for you reply.

    If I use "EcryptAllWithPassword" and providing the password in the dtexec command for the parent package, what do I need to do set it up for the child?

    Can the package be edited in BIDS by other user if they know the password?

    Thanks,

  • You'll need to set the protection level for each package as you edit and save them in BIDS. Then you provide the password in the ExecutePackage tasks in the master package.

    BIDS will prompt for the password when anyone attempts to open it for editing.

    Greg

  • When I set the protection level to "EcryptAllWithPassword", I am getting this when opening a package save with password:

    "Document contains one or more extremely long lines of text"

    Is this normal?

  • Yes. I get it all the time and ignore it with no problems.

    Greg

  • Thanks Greg for your help.

    I will work on it today, and let you know. Did you tried to use "EncryptSensitiveWithPassword" instead?

  • Hi Greg

    When I set the protection level to ""EcryptAllWithPassword", my colleagues can open the packages in BIDS, but the can't run the debug mode (the green play arrow in not "green") or modify the packages. How can we share packages between developers?

  • Hi Rem,

    Debug is only active for a project. It's disabled when you just edit a package file. Have your colleague create a new project then add the package to it. Then they should be able to debug.

    Greg

  • Hey Greg,

    You are right, I thought my colleague were trying to add the package to their project, but is was not the case.

    Did you tried to use "EncryptSensitiveWithPassword" instead? This work like "EncryptAllPassword"?

    As far and to run the packages via SQLAgent, can you use the gui and see the password when the window pop requesting the password or better to use an OperatingSystem command and use dtexec command?

    Many thanks,

    R

  • I haven't used EncryptSensitiveWithPassword, but as I understand it, the only difference is when the package is opened without the password, the sensitive information is blank.

    You can't see the password after you enter it in the job step, so I'd just go ahead and use the Integration Services step type.

    Greg

Viewing 11 posts - 1 through 10 (of 10 total)

You must be logged in to reply to this topic. Login to reply