-
Title
What permission does Quest Diagnostic Administrator account have? -
Description
By adding a user account to the Quest Diagnostic User group, should they be able to configure Spotlight in a way that affects all Spotlight users?
What permission is available for Quest Diagnostic Administrator account user? -
Resolution
The Quest Diagnostic User Groups
The Diagnostic Server installation creates two local user groups on the Diagnostic Server machine. The Windows user account of the Spotlight user is checked against the members of these groups when a Spotlight client connects to the Diagnostic Server to determine the level of privilege to give to that user. The two groups are:- Quest Diagnostic Users
Members of this group are granted user privileges when connecting a Spotlight client to the Diagnostic Server. This allows that user to perform normal diagnostic tasks such as viewing the home and drilldown pages, playback data browsing and changing alarm thresholds.
- Quest Diagnostic Administrators
Members of this group are granted all user privileges, together with permission to perform administrative tasks such as killing database sessions and changing sensitive configuration items.
Members of the Quest Diagnostic Administrators group are able to perform the following administrative tasks:
Spotlight on SQL Server
- Clear Buffer cache (Memory drilldown)
- Clear Procedure cache (Memory drilldown)
- Kill sessions (SQL Activity/Sessions drilldown)
- Update index statistics (Databases/Indexes drilldown)
- Start and Stop services (Support Services drilldown)
- Start SQL Agent Jobs (Support Services/Jobs drilldown)
- Take clustered SQL Server instances offline, bring them online, and move groups (Support Services/Cluster Services drilldown)
- Change parameters (Configuration drilldown)
- Response Time SQL (Spotlight on SQL Server Options)
- Cycle Error log (Error Log drilldown)
- Configure an alarm to run a program when a particular threshold is reached.
Spotlight on Windows
- Kill processes (Processes drilldown)
- Start, stop, pause, and resume services (Processes drilldown)
Whenever one of these administrative tasks is performed, Spotlight logs an entry to the following file:
- C:\Program Files\Quest Software\Diagnostic Server\Agent\log\admin-audit.log
The logged entry includes the date, time, connection name, user and client IP address, a brief description of the action, and whether it succeeded or not.
You must update the Quest Diagnostic Users and Quest Diagnostic Administrators group memberships, on the Diagnostic Server machine, to include the logins of all users who will be running Spotlight on SQL Server clients. These two local groups may contain Windows users or Windows domain groups. Aliases are not supported.
Unless the user is explicitly added or is a member of a domain group in at least one of these local groups, that user will not be able to connect their Spotlight on SQL Server client to the Diagnostic Server.
Removal of a user from these groups will result in a loss of the associated privileges. By default, the Windows user on the Spotlight client machine that installs the Diagnostic Server is automatically added to both groups.
Any change to a user’s role by modifying these Windows groups will not take effect until that user restarts their Spotlight client and it reconnects to the Diagnostic Server. For this reason, it is recommended that the Diagnostic Server be restarted if the role changes need to take immediate effect.