SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


Users scheduling jobs


Users scheduling jobs

Author
Message
schleep
schleep
SSCrazy
SSCrazy (2.6K reputation)SSCrazy (2.6K reputation)SSCrazy (2.6K reputation)SSCrazy (2.6K reputation)SSCrazy (2.6K reputation)SSCrazy (2.6K reputation)SSCrazy (2.6K reputation)SSCrazy (2.6K reputation)

Group: General Forum Members
Points: 2575 Visits: 1405
Is there a way to allow users to schedule a job that they don't own?

If I'm reading it right -- and I now think I maybe am not -- Books Online seems to suggest they should be able to create a schedule for a job they don't own, as long as they're members of the msdb SQLAgentOperatorRole DB role (in fact it looks like the SQLAgentUserRole should be able to do it, but...)

So I added my users' AD group / DB user to the SQLAgentOperatorRole DB role. But when I call sp_add_jobschedule, I get "Only members of sysadmin role are allowed to update or delete jobs owned by a different login." -- which is not what I'm trying to do, I just want to create a new schedule for the job.

I tried changing the owner to the AD group through which my users connect, but it doesn't allow Windows groups to be job owners, only user logins.

I also tried EXECUTE AS, but get permission problems, and I'm not sure I want to begin traveling the impersonation road.

Thanks for any help on this!



Erland Sommarskog
Erland Sommarskog
SSCarpal Tunnel
SSCarpal Tunnel (4.9K reputation)SSCarpal Tunnel (4.9K reputation)SSCarpal Tunnel (4.9K reputation)SSCarpal Tunnel (4.9K reputation)SSCarpal Tunnel (4.9K reputation)SSCarpal Tunnel (4.9K reputation)SSCarpal Tunnel (4.9K reputation)SSCarpal Tunnel (4.9K reputation)

Group: General Forum Members
Points: 4914 Visits: 875
This article on my web site includes examples for a related problem - having users to start a specific job,
http://www.sommarskog.se/grantperm.html. Maybe it can serve as inspiration?

Erland Sommarskog, SQL Server MVP, www.sommarskog.se
SQLRNNR
SQLRNNR
SSC Guru
SSC Guru (63K reputation)SSC Guru (63K reputation)SSC Guru (63K reputation)SSC Guru (63K reputation)SSC Guru (63K reputation)SSC Guru (63K reputation)SSC Guru (63K reputation)SSC Guru (63K reputation)

Group: General Forum Members
Points: 63459 Visits: 18570
Do the users need to be able to change the schedule of existing jobs or do they need to be able to kick off the job (some people refer to this as scheduling a job)?



Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP


SQL RNNR

Posting Performance Based Questions - Gail Shaw

schleep
schleep
SSCrazy
SSCrazy (2.6K reputation)SSCrazy (2.6K reputation)SSCrazy (2.6K reputation)SSCrazy (2.6K reputation)SSCrazy (2.6K reputation)SSCrazy (2.6K reputation)SSCrazy (2.6K reputation)SSCrazy (2.6K reputation)

Group: General Forum Members
Points: 2575 Visits: 1405
Hi Erland,

They only need to be able to create a new schedule for an existing job. Essentially, I want them to be able to call a stored proc at the time of their choosing.

I read your article -- very informative. I've added it to my bookmarks, right beside your article on dynamic SQL, to which I've referred many a time over the years.

So what I've done -- which works -- is:
1) Create the sproc in the user DB WITH EXECUTE AS SELF.
By my understanding, this should be me. But...
2) Grant execute to the DB group to which the the users belong.

Now, when I call the sproc using EXECUTE AS <one of the users>, and do a SELECT SUSER_SNAME(), it returns the database owner -- which is not me?? In the same query window, but outside the stored procedure, SELECT SUSER_SNAME() returns my account.

I also tried creating the sproc WITH EXECUTE AS 'Domain\database owner account', but I get an error, as that login does not explicitly exist - it's a member of an AD group that has sa privs. It's also the account under which the SQL Server service operates. I would have expected this to work, however.

Finally, I tried WITH EXECUTE AS 'Domain\my account', and this also works. I'm a member of the same AD group as the 'Domain\database owner account'. So I wonder now:
1) how come SELF <> me
2) why it doesn't work when I specify the 'Domain\database owner account'?



Erland Sommarskog
Erland Sommarskog
SSCarpal Tunnel
SSCarpal Tunnel (4.9K reputation)SSCarpal Tunnel (4.9K reputation)SSCarpal Tunnel (4.9K reputation)SSCarpal Tunnel (4.9K reputation)SSCarpal Tunnel (4.9K reputation)SSCarpal Tunnel (4.9K reputation)SSCarpal Tunnel (4.9K reputation)SSCarpal Tunnel (4.9K reputation)

Group: General Forum Members
Points: 4914 Visits: 875
Keep in mind that the EXECUTE AS clause specifies a database user. I assume that you are a member of sysadmin. In that case, your login maps to dbo in the database.

For the same reason, it does not work to specify EXECUTE AS 'domain\databaseowner', because there is no such user in the database - or least I would not expect so. The login 'domain\databaseowner' maps to dbo.

Erland Sommarskog, SQL Server MVP, www.sommarskog.se
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search