October 14, 2008 at 2:23 pm
Hi,
Is there a way to grant a SQL Server 2005 login permissions to run the SQL Server Profiler without granting the login the Server Role of “sysadmin”?
Thanks,
David
October 14, 2008 at 2:35 pm
You need ALTER TRACE permissions at the server level. Just be aware that this IS a SERVER level permission so any user you grant this to can trace ANY database.
Use master
Go
Grant Alter Trace to Login
Jack Corbett
Consultant - Straight Path Solutions
Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
October 14, 2008 at 9:01 pm
Thanks Jack!
February 19, 2012 at 7:22 am
If you use domain user try following syntax :
Use master
Go
Grant Alter Trace to [Domain\Username]
note: [ ] are important!
mehr
October 5, 2012 at 6:11 am
HI jack
other than giving sysadmin or using this script
-------------------------------------
Use master
Go
Grant Alter Trace to Login
-------------------------------------
1.if we give bulkadmin and public in server role and ddladmin,db_datareader,db_datawriter in database role also user can acess the sqlserver profiler on a particular database which they are having access
2. iam usingthis process when a application user asking to give access to run trace by sqlserver profiler
3. Is this correct or not ?
4. if it is correct is it safe
Thanks
Naga.Rohitkumar
October 5, 2012 at 6:54 am
naga.rohitkumar (10/5/2012)
HI jackother than giving sysadmin or using this script
-------------------------------------
Use master
Go
Grant Alter Trace to Login
-------------------------------------
1.if we give bulkadmin and public in server role and ddladmin,db_datareader,db_datawriter in database role also user can acess the sqlserver profiler on a particular database which they are having access
2. iam usingthis process when a application user asking to give access to run trace by sqlserver profiler
3. Is this correct or not ?
4. if it is correct is it safe
Naga,
According to BOL, the only permissions needed to run a trace (Profiler) are ALTER TRACE at the server level.
Jack Corbett
Consultant - Straight Path Solutions
Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
October 5, 2012 at 10:16 pm
ya i too agree with u ALTER TRACE
but if we use default master the user can able to have access on all databases know
i mean it for running a profiler only to one or seleted databases
Thanks
Naga.Rohitkumar
October 6, 2012 at 10:20 am
naga.rohitkumar (10/5/2012)
ya i too agree with u ALTER TRACEbut if we use default master the user can able to have access on all databases know
i mean it for running a profiler only to one or seleted databases
Based on that, I have to ask... Why do you want to give a "user" privs to run SQL Profiler? Unless they have the ability to create a Server Side Trace (and I personally believe that no user should have that level of privs), a user could easily cripple the server by creating a client side trace.
To wit, I believe that no user should have more than PUBLIC privs on production databases and their access should be limited to only what they can return using a stored procedure that they've been given EXECUTE privs on.
--Jeff Moden
Change is inevitable... Change for the better is not.
October 8, 2012 at 7:35 am
naga.rohitkumar (10/5/2012)
ya i too agree with u ALTER TRACEbut if we use default master the user can able to have access on all databases know
i mean it for running a profiler only to one or seleted databases
This is not possible. A user must have ALTER TRACE permissions to run Profiler/Trace and this is a server level permission NOT a database level permission. Trace is designed to be used by DBA's for auditing and troubleshooting, it is NOT designed for regular user use.
As Jeff has said, "a user could easily cripple the server by creating a client side trace."
There are options that would allow you to make trace data available to users and even to allow users to start and stop and trace designed by you (not that I'm saying that this is a great option either).
You could setup a server side trace that filters on the specific database and put that script in a stored procedure that is certificate signed and allow users to run that stored procedure that creates and starts the trace (I'd put in controls that only allow this trace to be created once). Then have another signed procedure that calls fn_trace_gettable() to query the trace files.
Another option would be to have a server-side trace that you define and have running (not necessarily the best idea either), then have a process that asynchronously copies the trace data to a table and grant rights to that table.
Neither of those options are ideal, as traces do have impact on server performance, but both are better than just granting ALTER TRACE To users.
Jack Corbett
Consultant - Straight Path Solutions
Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
Viewing 9 posts - 1 through 8 (of 8 total)
You must be logged in to reply to this topic. Login to reply