Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
Kristen
Test
22859 Posts |
 Posted - 2012-03-02 : 08:46:48
|
| If I want to run a SQL Job without it being allowed to accidentally update the wrong database, or do anything else that the 3rd party who's application we have installed should NOT be doing, what's the drill for that?Setting up a RUN AS user in SQL Agent Scheduled Task seems like a significant undertaking.Or do I rely on the fact that the SQL Agent task is just running an Sproc, and that Sproc was created using the permissions allocated to the "Admin" account for the 3rd party App. and thus will be constrained to only whatever that is capable of / permitted to use/do. |
|
|
russell
Pyro-ma-ni-yak
5072 Posts |
Posted - 2012-03-02 : 11:24:25
|
| If it's just executing a proc, why not just inspect the proc? Or will it change from time to time? |
 |
|
|
Kristen
Test
22859 Posts |
Posted - 2012-03-02 : 18:08:46
|
| Yes, I can check the Sproc. It might change. That would be fine.But mainly I'd feel more comfortable if I knew that it was running in a controlled environment and then the 3rd Party folk can do what they like (its their application :) ). I just don't want them, by accident or e.g. a disgruntled employee, to run riot over databases they don't need to have access to. |
|
|
|
russell
Pyro-ma-ni-yak
5072 Posts |
Posted - 2012-03-02 : 21:38:58
|
| Can you run it from task scheduler instead, with an account with limited permissions?(yeah, I know, adds another thing to monitor)Or an SSIS package that calls the proc, but the connection manager uses an account with limited permissions...?PITA huh? |
|
|
|
Kristen
Test
22859 Posts |
Posted - 2012-03-03 : 04:56:30
|
Yup, any of those is fine, ta. Not ideal though.quote:
Originally posted by russell
PITA huh?
Yeah, but only because I was assuming this was a normal request and there would be a simple way to take care of it!Could I go down the RUN AS route (in SQL Agent Scheduler) and create the Certificates and all that jazz?Or is that there to solve a different type of problem? |
|
|
|
Sachin.Nand
2937 Posts |
Posted - 2012-03-03 : 10:47:08
|
| Just run the job under a proxy account.That will take care of most of the things.After Monday and Tuesday even the calendar says W T F .... |
|
|
|
Kristen
Test
22859 Posts |
Posted - 2012-03-03 : 16:25:56
|
quote:
Originally posted by Sachin.Nand
Just run the job under a proxy account
TO set up a Proxy I need a Certificate, and all that?Or is there an easier way?First time I've done it, sorry for numptie question |
|
|
|
Sachin.Nand
2937 Posts |
|
|
Kristen
Test
22859 Posts |
Posted - 2012-03-04 : 03:32:40
|
| That sounds like what I was looking for, thanks I'll give it a bash |
|
|
|
|
|
|
|
|
Running a SQL Agent job with restricted permission