SQLServerCentral Article

Run an SSIS Package Under a Different Account

,

Recently, in a SSIS package, I needed to get some data from a SQL Server database which is used by a third party application. This application uses named user license. The ETLadmin account, which is a domain account that we use it to run SSIS packages, does not have the right permission to access views in that database even if it has sysadmin permission on that SQL Server instance. If we set ETLadmin to an application admin, this will waste an application admin license. And usually ETLadmin account should only have read permission to grab data. Application admin permission will be too much for this account. It will be nice if we can use an existing application admin user account to run the package. This can be done by using SQL Server Agent proxies.

Here are the steps to setup a proxy by using an existing application user account:

Create a credential using the account that having right access to the application database

  • Open SSMS, connect to the SQL Server instance that the SSIS will be scheduled to run
  • Go to Security - > Credentials, and click on 'New Credential...' to create a new credential

  • Enter the credential name - Enter the domain account, and password. Repeat the password in the 'Confirm password'. This account should have the right access to the application database.
  • Click 'ok' and the new credential should be listed.

Create a proxy using the credential created in the previous step

  • Right click SQL Server Agent -> Proxies, and select 'New proxy...'
  • Enter the new proxy name, and choose the credential that created from the previous step from the dropdown list. And check 'SQL Server Integration Services Package' under 'Active to the following subsystems'. The SQL Server Agent proxy can be activated for many sub systems (as listed in the screen shot). In this case we are only enabling it for SSIS packages.
  • Click 'OK' and the new proxy should be listed.

Setup a job to run the SSIS package using the proxy

  • Open the job step properties for the step that run the SSIS package
  • Select the proxy that created in the previous step from the 'Run as' dropdown list
  • Click 'OK' to save the change

Now you can run the package using the application account.

By using SQL Server Agent proxy, we can run jobs on different databases, different servers using existing accounts, and avoid giving excessive permission to ETL users or developers.

 

Rate

4.48 (31)

You rated this post out of 5. Change rating

Share

Share

Rate

4.48 (31)

You rated this post out of 5. Change rating