January 9, 2017 at 8:41 pm
Comments posted to this topic are about the item Killing Statistics Jobs
January 10, 2017 at 1:33 am
Thought I had this right, but like so many others actually got it wrong.
January 10, 2017 at 2:56 am
Permissions
--------------------------------------------------------------------------------
User must have VIEW SERVER STATE permission to access information from the sys.dm_exec_background_job_queue dynamic management view.
KILL STATS JOB permissions default to the members of the sysadmin and processadmin fixed database roles and are not transferable.
...to me this indicates that the sensible thing to do is (i) grant VIEW SERVER STATE plus (ii) add processadmin role.
Adding sysadmin sounds a bit like overkill, but OK, it will do the job, and VIEW SERVER STATE may not be technically necessary, while in practice ...
January 10, 2017 at 4:58 am
I must be misreading the reference information.
Permissions
User must have VIEW SERVER STATE permission to access information from the sys.dm_exec_background_job_queue dynamic management view.
KILL STATS JOB permissions default to the members of the sysadmin and processadmin fixed database roles and are not transferable.
To me that says, you can be a member of either the sysadmin or the processadmin role, not both are required.
This would mean there are 2 correct answers to this QOTD.
VIEW SERVER STATE + sysadmin
VIEW SERVER STATE + processadmin
January 10, 2017 at 6:11 am
I got it wrong as well. I thought it would be process admin + view server state. Of course, sysadmin would do it, but doesn't need anything else. Since the question said to pick 2, I figured sysadmin would have been a gimme and stand alone.
January 10, 2017 at 6:30 am
Ditto to processadmin and view server state. sysadmin isn't needed and should be avoided.
MG
"There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies."
Tony Hoare
"If you think it's expensive to hire a professional to do the job, wait until you hire an amateur." Red Adair.
January 10, 2017 at 6:37 am
Both sysadmin and processadmin roles have VIEW SERVER STATE rights anyway, so that option is redundant. (see https://msdn.microsoft.com/en-us/library/ms188659(v=sql.130).aspx#Permissions of Fixed Server Roles for a nice graphic.)
The question was unclear in that "choose 2" could mean "choose two answers, both of which are required", or "choose two answers, either of which will work".
However, given that VIEW SERVER STATE is redundant to the two other possible correct answers, and none of the other answers make sense, one could reasonably assume that "choose 2" in this case means "choose two answers, either of which will work".
January 10, 2017 at 9:52 am
The question was "... What can I do? (choose 2)."
Not must, or should, but can. You don't need View Server State to kill the jobs. This is required to view what's happening on the instance, but not kill the jobs.
You can grant processadmin, or you can grant sysadmin. Either of those allow the login to kill a job.
January 10, 2017 at 10:27 am
Had a feeling I would get this one wrong. 🙂 It makes perfect sense that view server state would be redundant. Think I need more coffee! Thanks Steve.
January 10, 2017 at 10:29 am
sknox (1/10/2017)
Both sysadmin and processadmin roles have VIEW SERVER STATE rights anyway, so that option is redundant. (see https://msdn.microsoft.com/en-us/library/ms188659(v=sql.130).aspx#Permissions of Fixed Server Roles for a nice graphic.)The question was unclear in that "choose 2" could mean "choose two answers, both of which are required", or "choose two answers, either of which will work".
However, given that VIEW SERVER STATE is redundant to the two other possible correct answers, and none of the other answers make sense, one could reasonably assume that "choose 2" in this case means "choose two answers, either of which will work".
What CAN you do? The correct answer is start looking for another job because no self respecting DBA would allow anyone but another DBA to do such a thing and that DBA should have the same privs as me. 😉
--Jeff Moden
Change is inevitable... Change for the better is not.
January 10, 2017 at 3:53 pm
I thought process admin in the choices was a deliberate typo. It's shown as processadmin (no space) in the msdn article
https://msdn.microsoft.com/en-us/library/ms180016.aspx. So I picked sysadmin and VIEW SERVER STATE permission, and was wrong...
Permissions
--------------------------------------------------------------------------------
User must have VIEW SERVER STATE permission to access information from the sys.dm_exec_background_job_queue dynamic management view.
KILL STATS JOB permissions default to the members of the sysadmin and processadmin fixed database roles and are not transferable.
January 12, 2017 at 11:09 am
dstrickrott - Tuesday, January 10, 2017 3:53 PMI thought process admin in the choices was a deliberate typo. It's shown as processadmin (no space) in the msdn articlehttps://msdn.microsoft.com/en-us/library/ms180016.aspx. So I picked sysadmin and VIEW SERVER STATE permission, and was wrong...Permissions--------------------------------------------------------------------------------User must have VIEW SERVER STATE permission to access information from the sys.dm_exec_background_job_queue dynamic management view.KILL STATS JOB permissions default to the members of the sysadmin and processadmin fixed database roles and are not transferable.
No, apologies for that. Typo fixed. This role is one word.
January 12, 2017 at 1:22 pm
Steve Jones - SSC Editor - Thursday, January 12, 2017 11:09 AMdstrickrott - Tuesday, January 10, 2017 3:53 PMI thought process admin in the choices was a deliberate typo. It's shown as processadmin (no space) in the msdn articlehttps://msdn.microsoft.com/en-us/library/ms180016.aspx. So I picked sysadmin and VIEW SERVER STATE permission, and was wrong...Permissions--------------------------------------------------------------------------------User must have VIEW SERVER STATE permission to access information from the sys.dm_exec_background_job_queue dynamic management view.KILL STATS JOB permissions default to the members of the sysadmin and processadmin fixed database roles and are not transferable.No, apologies for that. Typo fixed. This role is one word.
Thanks for the correction Steve.
January 16, 2017 at 12:10 am
This was removed by the editor as SPAM
January 16, 2017 at 5:13 am
Steve Jones - SSC Editor - Tuesday, January 10, 2017 9:52 AMThe question was "... What can I do? (choose 2)."Not must, or should, but can. You don't need View Server State to kill the jobs. This is required to view what's happening on the instance, but not kill the jobs.You can grant processadmin, or you can grant sysadmin. Either of those allow the login to kill a job.
yes, fine, but some people read the question as asking to name two things such that if you do both of them you'll get the desired result. I definitely CAN get someone the ability to use KILL STATS JOB by both giving them VIEW SERVER STATE permission and making them a member of the processadmin role, and specifically because VIEW SERVER STATE is included in processadmin that is the best way to do it if you are going to do two things because you are not granting too much as you would be if instead of granting that permission you granted something that wasn't included in the processadmin role. So I think the qestion would have been much better if it had had clear and unambiguous wording, not just "what can I do".
Besides, isn't it about 5 years now since Microsoft told us we should stop using fixed server roles and start granting more specific permissions? And even without that advice I would regard someone who handed out sysadmin privilege just to enable someone to delete stats jobs as a positive danger to security.
Tom
Viewing 15 posts - 1 through 15 (of 15 total)
You must be logged in to reply to this topic. Login to reply