Policy based management : what rights do ##MS_PolicyTsqlExecutionLogin## need

Question
Hi,
In order to run Policies on scheduled basis, what permissions should I grant to ##MS_PolicyTsqlExecutionLogin## login?
Problem is: When I evaluate the policies myself, they don't fail, but when I schedule them, they fail reporting ##MS_PolicyTsqlExecutionLogin## login doesn't have access to <> database.
Any help please?
Thursday, February 11, 2010 8:06 PM
Answers
I got the following answer from the Policy Based management (PBM) team expert:
“Automatic PBM policy evaluation is done through a set of provisioned principals. For policies with T-SQL scripts (that is, policies using the ExecuteTSQL() function), they are evaluated under the ##MS_PolicyTsqlExecutionLogin## login context.
For security reasons, that login is granted minimal privilege by default. In order to allow automated evaluation of a policy with a T-SQL script, the login ##MS_PolicyTsqlExecutionLogin## needs to have sufficient READ privilege to the data referred to in the T-SQL script in the policy condition.
If you want to allow arbitrary policies with T-SQL scripts to be automatically evaluated, practically you will need to grant SA privilege to that login.”
I hope this information helps,
-Raul Garcia
SDE/T
SQL Server Engine
This posting is provided "AS IS" with no warranties, and confers no rights.
- Proposed as answer by Raul Garcia - MS (Microsoft employee) Monday, February 15, 2010 6:09 PM
- Marked as answer by Xiao-Min Tan – MSFT Friday, February 19, 2010 5:22 AM
Monday, February 15, 2010 6:08 PM
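The answer above describes granting only the READ access a policy's script needs rather than SA. The following T-SQL is an added example, not part of the original thread or Microsoft's own script; `SalesDb` and `dbo.Orders` are hypothetical stand-ins for the database and object the policy condition reads.

```sql
-- Hypothetical names: SalesDb and dbo.Orders stand in for the database and
-- table referenced by the T-SQL script in the policy condition.
USE [SalesDb];
GO

-- Map the PBM execution login into the database the script touches,
-- so it has a principal there to receive permissions.
IF NOT EXISTS (SELECT 1
               FROM sys.database_principals
               WHERE name = N'##MS_PolicyTsqlExecutionLogin##')
    CREATE USER [##MS_PolicyTsqlExecutionLogin##]
        FOR LOGIN [##MS_PolicyTsqlExecutionLogin##];
GO

-- Grant read access to the referenced object only, not the whole database.
GRANT SELECT ON OBJECT::dbo.Orders TO [##MS_PolicyTsqlExecutionLogin##];
GO

-- Check the effective permission as the mapped database user.
-- Expect 1 in can_read_orders once the grant is in place.
EXECUTE AS USER = N'##MS_PolicyTsqlExecutionLogin##';
SELECT HAS_PERMS_BY_NAME(N'dbo.Orders', N'OBJECT', N'SELECT') AS can_read_orders;
REVERT;
GO

-- Review everything this principal has been granted in the database,
-- to catch grants that are broader than the policy script requires.
SELECT pe.class_desc,
       pe.permission_name,
       pe.state_desc,
       CASE WHEN pe.class = 1 THEN OBJECT_NAME(pe.major_id) END AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'##MS_PolicyTsqlExecutionLogin##';
GO

-- Audit check: returns 1 if the login has been added to sysadmin,
-- which is the broad "SA privilege" case described in the answer.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'##MS_PolicyTsqlExecutionLogin##')
       AS is_sysadmin;
GO
```

Repeat the `CREATE USER` and `GRANT` steps in each database a scheduled policy's script reads from.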
Here is a link on it http://blogs.msdn.com/sqlpbm/ and go through the SECURITY page on the link.
Thanks, Leks
- Proposed as answer by Raul Garcia - MS (Microsoft employee) Monday, February 15, 2010 6:09 PM
- Marked as answer by Xiao-Min Tan – MSFT Friday, February 19, 2010 5:23 AM
Thursday, February 11, 2010 10:07 PM