Benchmark IT Consulting » SQLAgentReaderRole http://benchmarkitconsulting.com My Thoughts on SQL Server and anything else I can think of... Tue, 07 Sep 2010 19:46:54 +0000 en hourly 1 http://wordpress.org/?v=3.0 Creating a REAL SQLAgentReaderRole http://benchmarkitconsulting.com/colin-stasiuk/2009/01/21/creating-a-real-sqlagentreaderrole/ http://benchmarkitconsulting.com/colin-stasiuk/2009/01/21/creating-a-real-sqlagentreaderrole/#comments Wed, 21 Jan 2009 20:37:41 +0000 Colin Stasiuk http://benchmarkitconsulting.com/?p=344 So if you follow me blog you will probably remember this post from earlier today:

http://benchmarkitconsulting.com/colin-stasiuk/2009/01/21/sqlagentreaderrole-not-so-reader/

Below is the solution I’m working with to give developers access to the Job Activity Monitor but NOT the ability to create new jobs.

I know adding a role to a system database is not ideal but I’m open to other suggestions :)


USE [msdb]
GO
CREATE ROLE [SQLAgentReadOnlyRole] AUTHORIZATION [dbo]
GO
EXEC sp_addrolemember N'SQLAgentReaderRole', N'SQLAgentReadOnlyRole'
GO
DENY EXECUTE ON OBJECT::msdb.dbo.sp_add_job TO SQLAgentReadOnlyRole
DENY EXECUTE ON OBJECT::msdb.dbo.sp_add_jobserver TO SQLAgentReadOnlyRole
DENY EXECUTE ON OBJECT::msdb.dbo.sp_add_jobstep TO SQLAgentReadOnlyRole
DENY EXECUTE ON OBJECT::msdb.dbo.sp_update_job TO SQLAgentReadOnlyRole
DENY EXECUTE ON OBJECT::msdb.dbo.sp_add_jobschedule TO SQLAgentReadOnlyRole

So after you create your new SQLAgentReadRoleRole you can add role members to it and they will be able to view the Job Activity Monitor but will not be able to create new jobs… use at your own risk as like I said… I’m still working with it but this is the direction I’m heading right now.

If anyone has a more elegant solution I’d be very interested in seeing it.

Post to Twitter Post to Delicious Post to Digg Post to StumbleUpon

]]> http://benchmarkitconsulting.com/colin-stasiuk/2009/01/21/creating-a-real-sqlagentreaderrole/feed/ 4 SQLAgentReaderRole – not so reader? http://benchmarkitconsulting.com/colin-stasiuk/2009/01/21/sqlagentreaderrole-not-so-reader/ http://benchmarkitconsulting.com/colin-stasiuk/2009/01/21/sqlagentreaderrole-not-so-reader/#comments Wed, 21 Jan 2009 18:31:01 +0000 Colin Stasiuk http://benchmarkitconsulting.com/?p=342 Quick… how do you give someone read only access to the Job Activity Monitor?

Why you grant them SQLAgentReaderRole access in msdb…. WRONG

http://technet.microsoft.com/en-us/library/ms188283.aspx

The SQLAgentReaderRole is a reader role for the jobs that currently exist but wait here is where the good (or bad depending on if you’re in a good mood or not) part comes in.

Me – “Hey Mr Developer I made this change in UAT you should now be able to view the job activity monitor… just for my own curiousity I’m going to come by can you try to execute, delete, update jobs that are there.  ”

Mr Developer – “nope… can’t do anything like that”

Me – “Great… can you create a new job”

Mr Developer – “Yup”

Me – ” *sigh* I hate (and by hate I mean it in a love/hate kinda way) Microsoft

That’s right folks… SQLAgentReaderRole can create jobs.  So although it’s called SQLAgentReaderRole be careful granting this access cause whomever you add to this role can create new jobs.

UPDATE will come if/when I find or create a usable solution

Post to Twitter Post to Delicious Post to Digg Post to StumbleUpon

]]> http://benchmarkitconsulting.com/colin-stasiuk/2009/01/21/sqlagentreaderrole-not-so-reader/feed/ 0