SSIS Catalog Folder Level Permissions verses Project Level Permissions

Question

SSIS Catalog Folder Level Permissions verses Project Level Permissions

HookSQLDBA7

SSChampion

Points: 10709
More actions
August 27, 2015 at 9:42 am

#320138

We are running SQL Server 2014 EE SP1.
Within the SSIS Catalog, it appears to me that the Project Level Permissions are overriding the Folder Level Permissions. First, I gave a developer Read and Create Object Permissions at the Folder Level and he deployed a Project from within Visual Studio. I removed the Create Object Permissions at the Folder Level and he was still able to deploy (redeploy) the project and modify it. Then I looked at the Project Level Permissions and saw that the Public Database Role was selected and had Read, Modify, Execute and Manage Permissions assigned. 1) Was he able to redeploy the Project because he originally deployed it? 2) Does the Project Level Permissions override the Folder Level Permissions?
To allow a developer to deploy from within Visual Studio, I grant them Create Object Permission at the Folder Level. This appears to work. 3) Now, I am wondering if I remove the Public Database Role's Modify Permission (at Project Level) would he still be able to deploy? (I will try to test this myself also.)
Thanks in advance.

Viewing 2 posts - 1 through 1 (of 1 total)

You must be logged in to reply to this topic. Login to reply

HookSQLDBA7 SSChampion Points: 10709 More actions · Answer 1

Just looking for some more information on my original post. It does look like if I just add the developer's windows group to the SSISDB without giving them any permissions, then in the Integration Services Catalog give the developer's windows group Read and Read Object at the Folder Level that at this point, the developers should be able to see the project and the packages but not modify or execute them.

I noticed at the Project Level (on the Project Properties Screen) of a project deployed by a developer via Visual Studio, it shows the Public Database role assigned with the following permissions: Read, Modify, Execute and Manage Permissions. Why is the Public Database role assigned within the SSISDB Catalog? Is this because the developer's windows group automatically is a member of the Public Database Role?

I noticed at the Project Level (on the Project Properties Screen) of a project deployed by myself (the DBA) within SSMS, it shows the dbo user assigned with the following permissions: Read, Modify, Execute and Manage Permissions.

The goal is to allow our developer's to only be able to see the folders and projects; not modify or execute anything.

Thanks for any input.