Re: SQL job owner and right
- From: "Russell Fields" <russellfields@xxxxxxxxxx>
- Date: Wed, 30 Jan 2008 16:27:31 -0500
Andy,
A Windows Group cannot own a job. It is the wrong type of account. The job
owner must be either a SQL or a Windows Login. I have read (and guess that I
basically understand) the reasons why this is necessary for changing
security context. You see the same behavior that EXECUTE AS cannot be a
group.
But it would be nice to have groups own things like jobs.
I have some jobs owned by service logins, e.g. 'DepartAJobOwner' and those
who can login with that account can manage those jobs.
RLF
"Andrew J. Kelly" <sqlmvpnooospam@xxxxxxxxxxxx> wrote in message
news:uvTh%23t3YIHA.5028@xxxxxxxxxxxxxxxxxxxxxxx
By "Operate and Change" the job do you mean edit what the job does or just
when it runs? If you want to be able to edit other peoples jobs you have
to be sa. Otherwise you run the risk of someone who is not able to access
or modify data being able to do so thru editing a job that is owned by
someone who is authorized. That defeats the purpose of the security roles
altogether. You can't have it secure yet open at the same time. If you
want more than 1 user to edit the same job then you should create a
Windows group that both windows users belong to and have that own the
jobs. This again assumes both users will have the same permissions or they
should not be in the same group.
--
Andrew J. Kelly SQL MVP
Solid Quality Mentors
"Lynn" <Lynn@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4A5968F0-2DE8-4C5B-8689-77907FB320E1@xxxxxxxxxxxxxxxx
Sorry. I just confirmed that we only have SQLAgentUserRole. That's the
reason I couldn't see the job which is created by account A.
Again, more than 2 people will manage same jobs for application, but not
the
jobs related to server maintainance. Reader and Operator role won't
fulfill
this right as well. What's the best practice for this situation.
Thank you again.
--
Best Regards,
Lynn
"Lynn" wrote:
We are in SQL 2005 and my account is already granted all those three
roles
and account A also has these three roles. But, I can't see the job that
account A created.
What's the best practice to archive -- multiple accounts can manage SQL
job
without sysadmin right?
Thank you again.
--
Best Regards,
Lynn
"Andrew J. Kelly" wrote:
If you are using SQL2000 then you need to be sa. In 2005 there are 3
new
roles that define the abilities of non-owners in SQL Agent. Check out
these
in BooksOnLine for more details:
SQLAgentUserRole
SQLAgentReaderRole
SQLAgentOperatorRole
--
Andrew J. Kelly SQL MVP
Solid Quality Mentors
"Lynn" <Lynn@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1AE16035-2A1A-4252-A978-196C53ED16C4@xxxxxxxxxxxxxxxx
Hi,
A user has right to create and operate a SQL job, but only limited
to the
jobs that this user is created. Without granting sysadmin right,
how to
grant a user to be able to operate and change the job which is
created by
other users?
Thank you.
--
Best Regards,
Lynn
.
- References:
- Re: SQL job owner and right
- From: Andrew J. Kelly
- Re: SQL job owner and right
- From: Lynn
- Re: SQL job owner and right
- From: Andrew J. Kelly
- Re: SQL job owner and right
- Prev by Date: Re: SQL job owner and right
- Next by Date: Re: SQL job owner and right
- Previous by thread: Re: SQL job owner and right
- Next by thread: Re: SQL job owner and right
- Index(es):
Relevant Pages
|
|
