SQL Server: Minimal Permissions for External SQL Database setup.

Problem:

Customer would like to use the External SQL Database feature for Configuration and Batch Manager. You assist them with trying to complete a hard-coded connection string. The server cannot be found and/or you are not able to create a SQL Database.

Solution:

There are two criteria that are critical to a successful connection string, formatting and permissions.

  1. Open attached Document that shows a test example of Service Manager and SQL Server 2012 Management Studio. (SQL Management Diagram(Solution 166).zip)
  2. Notice how the connection string "Data Source=WORKMANDESKTOP\SQLEXPRESS" Directly matches the name of the Master Database. Ensure that whether you are testing or in a user's environment you are matching the Master Database for your Data Source.
  3. [3]I am using a hard-coded example to show you how you would implement the username into the connection string.
    1. To create a Login open SQL Server Management Studio 2012. 
    2. Select [Security][Logins][Right Click on Logins][New Login...].
    3. Select SQL Server authentication and create a login name and password. 
    4. Ensure to turn off the following options.
      1. Enforce Password Policy.
      2. User must change password at next login.
    5. Click OK.
    6. Once completed you should see the login name present under [Security][Logins]
  4. Next right click on the Master Database. [Properties][Permissions][Select Login Name][Explicit]
    1. Grant the Following permissions to the user you created in Main Step [3]
      1. ALTER ANY CONNECTION
      2. ALTER ANY CREDENTIAL
      3. ALTER ANY DATABASE
      4. CONNECT SQL(on by default)
      5. CREATE ANY DATABASE
      6. VIEW ANY DATABASE
      7. VIEW ANY DEFINITION(tables cannot be view within PSI:Capture without this option enabled)
  5. Once done switch over to Service Manager, double check your formatting of connection string, and press Save.
  6. Capture Service will now create the Configuration and Batch Manager based on the Initial Catalog name.

For more information on how to build connection strings and further instructions go to article below;

 

For users that want more restricted permission sets and do not allow so much wide open access to the Master Database I set up another test. This test is the closest to minimal permissions I could come up with and allowed me to both Test Connection and Migrate from the Migration module "Database".


I have setup a new user within SQL Management Studio 2012.

The user is called PSIGENTEST.

    Server roles are set to public only for the user PSIGENTEST.
    In order for me to connect the group Public must have the following permissions; View any database, View any Definition, Connect SQL.
    User mapping is set to the Database "Test Database"
    User mapping for master is set to Public for the user PSIGENTEST.
    PSIGENTEST only had the following permissions db_datawriter, db_datareader, and public for role membership for the database "Test Database".
    The only granted explicit permission to "Test Database" for the user PSIGENTEST is "Connect SQL" granted by dbo.
    The only granted explicit permission to the Master Database is set to "Connect SQL" granted by sa.


So if you right click on the user within Security in SSMS 2012 click properties, click on user mapping, map the user to the database of your choice, select db_datareader, db_datawriter, and public, right click on the master database to choose properties, select permissions, click on public server role(View any definition, View any Database, and Connect SQL granted by sa), click on the physical user and they should only have Connect SQL granted by sa,

With all that in place I was able to successfully test connection and migrate to the database mapped to the user.

 

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.