grant permissions to view SQL Server agent.

  • striker-baba

    SSCrazy

    Points: 2169

    Hi all,

    I am not able to see the sql server agent.

    But, when I login as a sysadmin I am able to see.

    Can anyone help me on how to provide read access to sql server agent

    so that when I logon as a datareader I need to be able to view SQLserver agent.

    Only read or view permissions.

    Thanks .

  • spaghettidba

    SSC Guru

    Points: 105661

    You have to be member of some fixed database roles in msdb to see sql agent.

    See here:

    http://msdn.microsoft.com/en-us/library/ms188283.aspx

  • striker-baba

    SSCrazy

    Points: 2169

    Ok. I just need viewable permissions on the sql agent.

    So, what role would be the best to grant least permissions

    so that user can only be able to view the sql server agent and cannot make any changes to other jobs or schedules.

  • spaghettidba

    SSC Guru

    Points: 105661

    SQLAgentUserRole is the least privileged of the SQL Server Agent fixed database roles.

    It still can start/stop jobs, but owned ones only.

  • striker-baba

    SSCrazy

    Points: 2169

    Ok.

    I configured it to SQLAgentReader Role.

    and do you think we have any major difference between

    SQLAgentUserRole and SQLAgentReader

  • spaghettidba

    SSC Guru

    Points: 105661

    It's explained in detail in the BOL page I posted.

    SQLAgentReaderRole has some more privileges than SQLAgentUserRole.

  • jcmcgovern

    SSC Veteran

    Points: 236

    All these look great. But how can I deny users execute, update, delete.... and only have viewing of the jobs?

  • spaghettidba

    SSC Guru

    Points: 105661

    Grant the SQLAgentReaderRole and set the job owner to a different user.

    That way, users can only see the jobs, but cannot start/stop/modify them.

  • jcmcgovern

    SSC Veteran

    Points: 236

    All I need now is to not allow updates to existing jobs

    Any ideas?

    USE msdb;

    CREATE ROLE JobsViewer AUTHORIZATION db_securityadmin;

    GO

    use msdb

    EXECUTE sp_addrolemember 'JobsViewer', 'johntest1'

    DENY EXECUTE ON OBJECT::msdb.dbo.sp_add_job TO JobsViewer

    DENY EXECUTE ON OBJECT::msdb.dbo.sp_add_jobserver TO JobsViewer

    DENY EXECUTE ON OBJECT::msdb.dbo.sp_add_jobstep TO JobsViewer

    DENY EXECUTE ON OBJECT::msdb.dbo.sp_update_job TO JobsViewer

    DENY EXECUTE ON OBJECT::msdb.dbo.sp_add_jobschedule TO JobsViewer

    DENY EXECUTE ON OBJECT::msdb.dbo.sp_delete_job TO JobsViewer

  • Welsh Corgi

    SSC Guru

    Points: 116520

    I know this is an old post but I have to Grant an individual permission to manage SQL Server Jobs.

    That is Create, Modify Drop, etc.

    Do I need to create a credential and a Proxy to do this?

    Thanks.

    For better, quicker answers on T-SQL questions, click on the following...
    http://www.sqlservercentral.com/articles/Best+Practices/61537/

    For better answers on performance questions, click on the following...
    http://www.sqlservercentral.com/articles/SQLServerCentral/66909/

  • spaghettidba

    SSC Guru

    Points: 105661

    No, credentials and proxy are for execution, not for managing the jobs.

    The builtin roles are for managing jobs. Set the owner of the job to the user you need to manage it, then assign the owner to one of the builtin sqlAgent roles.

  • Welsh Corgi

    SSC Guru

    Points: 116520

    They need to be able to create Jobs.

    I tried assigning Fixed Database Rolls but that did not work.

    For better, quicker answers on T-SQL questions, click on the following...
    http://www.sqlservercentral.com/articles/Best+Practices/61537/

    For better answers on performance questions, click on the following...
    http://www.sqlservercentral.com/articles/SQLServerCentral/66909/

Viewing 12 posts - 1 through 12 (of 12 total)

You must be logged in to reply to this topic. Login to reply