Policy based management : what rights do ##MS_PolicyTsqlExecutionLogin## need

  • Question

  • Hi,

    In order to run Policies on scheduled basis, what permissions should I grant to ##MS_PolicyTsqlExecutionLogin## login?

    Problem is: When I evaluate the policies myself, they don't fail, but when I schedule them, they fail reporting ##MS_PolicyTsqlExecutionLogin## login doesn't have access to <> database.

    Any help please?
    Thursday, February 11, 2010 8:06 PM

Answers

  •   I got the following answer from the Policy Based management (PBM) team expert:

    “Automatic PBM policy evaluation is done through a set of provisioned principals. For policies with T-SQL scripts (that is, policies using the ExecuteTSQL() function), they are evaluated under the ##MS_PolicyTsqlExecutionLogin## login context.

      For security reasons, that login is granted minimal privilege by default. In order to allow automated evaluation of a policy with TSQL script, the login ##MS_PolicyTsqlExecutionLogin## needs to have sufficient READ privilege to the data referred to in the TSQL script in the policy condition.

      If you want to allow arbitrary policies with T-SQL scripts to be automatically evaluated, practically you will need to grant SA privilege to that login.”

    I hope this information helps,

    -Raul Garcia
      SDE/T
      SQL Server Engine


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, February 15, 2010 6:08 PM
    Moderator
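
Added example, not part of the original thread or of the PBM team's reply: one way to apply the answer above with least privilege, by mapping the login into the single database the policy's T-SQL reads and granting SELECT on only the referenced object rather than SA. [TargetDb] and dbo.PolicyCheckedTable are placeholder names assumed for illustration; substitute the database and object your policy condition actually queries.

```sql
-- Added example. [TargetDb] and dbo.PolicyCheckedTable are placeholders,
-- not names taken from the thread.
USE [TargetDb];
GO

-- Map the PBM execution login into this database if it has no user yet.
-- Without a database user the scheduled evaluation cannot enter the database.
IF NOT EXISTS (SELECT 1
               FROM sys.database_principals
               WHERE name = N'##MS_PolicyTsqlExecutionLogin##')
    CREATE USER [##MS_PolicyTsqlExecutionLogin##]
        FOR LOGIN [##MS_PolicyTsqlExecutionLogin##];
GO

-- Grant read access only on the object the policy condition queries.
GRANT SELECT ON OBJECT::dbo.PolicyCheckedTable
    TO [##MS_PolicyTsqlExecutionLogin##];
GO

-- Review every permission the user now holds in this database, so that
-- grants added for one policy do not accumulate unnoticed.
SELECT pr.name                         AS grantee,
       pe.state_desc,
       pe.permission_name,
       pe.class_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) AS schema_name, -- NULL for database-level rows
       OBJECT_NAME(pe.major_id)        AS object_name  -- NULL for database-level rows
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
     ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'##MS_PolicyTsqlExecutionLogin##';

-- Confirm the login is not a sysadmin member (1 = member, 0 = not a member).
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'##MS_PolicyTsqlExecutionLogin##')
       AS is_sysadmin;
```

Repeat the CREATE USER and GRANT steps in each database a scheduled policy reads.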
  • Here is a link on it http://blogs.msdn.com/sqlpbm/ and go through the SECURITY page on the link.


    Thanks, Leks
    Thursday, February 11, 2010 10:07 PM
