I have searched for days, and i really need help.
We have some devs who I need to allow them ability to support production crises. This is an interim solution until we get them trained on testing, source control, deployment procedures, TFS and suchlike. Up until now it has been a prod-only development pattern. Changes are being made on the sly to "fix" items and then they break...same old story.
We'd like to write a stored proc that will temporarily grant them the equivalent of admin rights on an as-needed basis, with the understanding we will be tracking all changes, emailing entire team, and removing access after x hours. I can do this easily IF I knew which bloody rights to grant and DENY.
I want them to be able to:
remote to box (already can, and can get to SSIS as well)
get an ssis package from msdb, export it to a folder on the prod box, open it, run in debug, fix some crap, run it.
BUT NOT TO DEPLOY it back to msdb, where all packages live. We will do that ourselves as it comes up.
view sql agent jobs, steps, disable steps, rerun steps etc. no real restrictions there. yet.
query, alter,exec, create all other db objects (again, this is temporary)
It seems I need to grant admin or dtsoperator, but I cant figure out how to deny the deployment of a package to msdb.