Re: Security issue when running packages from SQL Agent.

• Previous message: Howard: "Re: SSL Tests"
• In reply to: GR: "Security issue when running packages from SQL Agent."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 31 Aug 2004 20:36:08 -0500

As Kevin said, only sysadmin role members can execute CmdExec steps by
default. Cross-database chaining is relevant only if you are executing
xp_cmdshell from a stored procedure in a user database.

You can allow non-sysadmin role member to execute CmdExec steps by
unchecking the 'only users with sysadmin privileges ...' check box in
Enterprise Manager under Management --> SQL Server Agemt --> Properties -->
Job System. You will then be prompted to specify a valid Windows account
for the SQL Server Agent proxy.

The main security consideration is that non-sysadmin users are limited only
by the Windows permissions of the proxy account. You'll need to ensure the
account has only the rights needed to perform the needed tasks, such as
creating files in a specific folder and limited SQL Server permissions (if
the account has been granted access to SQL Server).

-- 
Hope this helps.
Dan Guzman
SQL Server MVP
"GR" <anonymous@discussions.microsoft.com> wrote in message 
news:38e501c48f85$450a45e0$a501280a@phx.gbl...
>I am trying to execute a DTSRUN command from SQL Server
> Agent for a user that does not have sysadmin rights.  Here
> is the message I receive when I view the job history for
> this job:
>
> "Non-SysAdmins have been denied permission to run CmdExec
> job steps.  The step failed."
>
> I've heard that Cross-database ownership chaining can be
> used to address this issue but I'm not sure how to
> implement this logic, or how vunerable it makes your
> server.
>
> Any hope would be appreciated.
>
> Thank you
>
> Gordon Radley
>
> 

• Previous message: Howard: "Re: SSL Tests"
• In reply to: GR: "Security issue when running packages from SQL Agent."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]