This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

Policy based management : what rights do ##MS_PolicyTsqlExecutionLogin## need

Question
0

Sign in to vote

Hi,

In order to run Policies on scheduled basis, what permissions should I grant to ##MS_PolicyTsqlExecutionLogin## login?

Problem is: When I evaluate the policies myself, they dont fail, but when I schedule them, they fail reporting ##MS_PolicyTsqlExecutionLogin## login doesn't have access to <> database.

Any help please?

Thursday, February 11, 2010 8:06 PM

Answers

1

Sign in to vote
I got the following answer from the Policy Based management (PBM) team expert:

“Automatic PBM policy evaluation is done through a set of provisioned principles. For policies with T-SQL scripts (that is, policies using the ExecuteTSQL() function), they are evaluated under the ##MS_PolicyTsqlExecutionLogin## login context.

For security reason, that login is granted minimal privilege by default. In order to allow automated evaluation of a policy with TSQL script, the login ##MS_PolicyTsqlExecutionLogin## needs to have sufficient READ privilege to the data referred to in the TSQL script in the policy condition.

If you want to allow arbitrary policies with T-SQL scripts to be automatically evaluated, practically you will need to grand SA privilege to that login.”

I hope this information helps,

-Raul Garcia
SDE/T
SQL Server Engine
This posting is provided "AS IS" with no warranties, and confers no rights.
- Proposed as answer by Raul Garcia - MSMicrosoft employee Monday, February 15, 2010 6:09 PM
- Marked as answer by Xiao-Min Tan – MSFT Friday, February 19, 2010 5:22 AM
Monday, February 15, 2010 6:08 PM
0

Sign in to vote
Here is a link on it http://blogs.msdn.com/sqlpbm/ and go through the SECURITY page on the link.
Thanks, Leks
- Proposed as answer by Raul Garcia - MSMicrosoft employee Monday, February 15, 2010 6:09 PM
- Marked as answer by Xiao-Min Tan – MSFT Friday, February 19, 2010 5:23 AM
Thursday, February 11, 2010 10:07 PM

All replies

0

Sign in to vote
Here is a link on it http://blogs.msdn.com/sqlpbm/ and go through the SECURITY page on the link.
Thanks, Leks
- Proposed as answer by Raul Garcia - MSMicrosoft employee Monday, February 15, 2010 6:09 PM
- Marked as answer by Xiao-Min Tan – MSFT Friday, February 19, 2010 5:23 AM
Thursday, February 11, 2010 10:07 PM
1

Sign in to vote
I got the following answer from the Policy Based management (PBM) team expert:

“Automatic PBM policy evaluation is done through a set of provisioned principles. For policies with T-SQL scripts (that is, policies using the ExecuteTSQL() function), they are evaluated under the ##MS_PolicyTsqlExecutionLogin## login context.

For security reason, that login is granted minimal privilege by default. In order to allow automated evaluation of a policy with TSQL script, the login ##MS_PolicyTsqlExecutionLogin## needs to have sufficient READ privilege to the data referred to in the TSQL script in the policy condition.

If you want to allow arbitrary policies with T-SQL scripts to be automatically evaluated, practically you will need to grand SA privilege to that login.”

I hope this information helps,

-Raul Garcia
SDE/T
SQL Server Engine
This posting is provided "AS IS" with no warranties, and confers no rights.
- Proposed as answer by Raul Garcia - MSMicrosoft employee Monday, February 15, 2010 6:09 PM
- Marked as answer by Xiao-Min Tan – MSFT Friday, February 19, 2010 5:22 AM
Monday, February 15, 2010 6:08 PM