How to set/change permissions on server side trace files?

  • I created a couple of "light weight" server side traces but the files seem created with very unfriendly permissions.
    In order to read the file, I need to take ownership, change permissions, or copy the file, all of which is inconvenient.

    How can I choose the default permissions on these trace files?

  • Likely the easiest solution would be to set the permissions you need on the parent folder and enable inheritance of the permissions.

    BUT depending on where your trace files are going, if there are other files besides the trace in that folder, you could introduce new problems or potential security holes.  Your best bet would be to create a dedicated folder for the trace to put its files in, set the permissions and inheritance on that folder, and go.

    If you have a security team / person, I'd also suggest checking with them about this, just to play it safe.

  • I tried but did not succeed...

    my traces are going to a folder Z:\SQLTraces
    I disabled inheritance on the folder |:\SQLTraces, then set the permission on it to everyone Read/Execute

    Yet, when files are created in there by SQL Server, I have to take ownership one file at a time...

    It looks like the files are created with a very strict (lack of) permissions.

  • Eric Mamet - Thursday, May 3, 2018 10:24 AM

    I tried but did not succeed...

    my traces are going to a folder Z:\SQLTraces
    I disabled inheritance on the folder |:\SQLTraces, then set the permission on it to everyone Read/Execute

    Yet, when files are created in there by SQL Server, I have to take ownership one file at a time...

    It looks like the files are created with a very strict (lack of) permissions.

    You would want inheritance enabled so that the files that get created in that folder inherit the same permissions from the folder. 

    Sue

  • No way to set specific permission to trace files, permission for trace files are not inherited from folder, it is the same behaviour like for DB files.

    https://blogs.msdn.microsoft.com/psssql/2008/06/25/how-it-works-trace-trc-file-security/

  • e4d4 - Thursday, May 3, 2018 2:05 PM

    No way to set specific permission to trace files, permission for trace files are not inherited from folder, it is the same behaviour like for DB files.

    https://blogs.msdn.microsoft.com/psssql/2008/06/25/how-it-works-trace-trc-file-security/

    Sorry, I forgot about how it overwrites any inheritance. Thanks for the reminder on that.

    Sue

  • e4d4 - Thursday, May 3, 2018 2:05 PM

    No way to set specific permission to trace files, permission for trace files are not inherited from folder, it is the same behaviour like for DB files.

    https://blogs.msdn.microsoft.com/psssql/2008/06/25/how-it-works-trace-trc-file-security/

    Interesting, I'm wondering if it behaves the same with Audit files.

  • jasona.work - Thursday, May 3, 2018 5:05 PM

    e4d4 - Thursday, May 3, 2018 2:05 PM

    No way to set specific permission to trace files, permission for trace files are not inherited from folder, it is the same behaviour like for DB files.

    https://blogs.msdn.microsoft.com/psssql/2008/06/25/how-it-works-trace-trc-file-security/

    Interesting, I'm wondering if it behaves the same with Audit files.

    I was playing with it today - it looks like just the trace files as I can see the inheritance, permissions on the other file types. Interesting that extended events files have the permissions inherited from the folder.

    Sue

Viewing 8 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic. Login to reply