Chat now with support
Chat with Support

Spotlight on SQL Server Enterprise 11.7 - Release Notes

How to grant SQL Server account permissions to a trusted user

Spotlight connects to the SQL Server instance using the authentication defined by SQL Server | Connection Details. Spotlight requires necessary account permissions to connect to the SQL Server instance. Typically the account will be a member of the sysadmin server role. It could be a SQL Server login (such as 'sa'). It could be the Windows account that runs the Spotlight Diagnostic Server provided that account is trusted by the SQL Server.

In some environments the above may not be feasible. The following instructions are provided for these environments. Run the following SQL script (as sysadmin) to grant the required permissions to user TrustedUser. Note the comment lines at the end of the script and un-comment as appropriate for your environment.

Known issues with this script Description
This script does not grant sufficient privileges to view the data on this page.

Error: The SQL Server Agent service status cannot be determined because a registry key cannot be read due to lack of permission.

The script QS_Services.sql only can be executed successfully under login with SQL Server sysadmin rights. If the script QS_Services.sql is executed without a sysadmin account the error (documented to the left) will be raised.

Script to grant permissions to TrustedUser

use master

grant ALTER TRACE to TrustedUser

grant VIEW SERVER STATE to TrustedUser

grant VIEW ANY DEFINITION to TrustedUser

USE [master]

GO

CREATE USER [TrustedUser] FOR LOGIN [TrustedUser]

GO

USE [msdb]

GO

CREATE USER [TrustedUser] FOR LOGIN [TrustedUser]

GO

grant VIEW DATABASE STATE to TrustedUser

use msdb

EXECUTE sp_addrolemember

@rolename = 'SQLAgentReaderRole',

@membername = 'TrustedUser'

use msdb

EXECUTE sp_addrolemember

@rolename = 'TargetServersRole',

@membername = 'TrustedUser'

 

grant select on dbo.log_shipping_monitor_history_detail to TrustedUser

grant select on dbo.log_shipping_monitor_primary to TrustedUser

grant select on dbo.log_shipping_monitor_secondary to TrustedUser

grant select on dbo.log_shipping_primary_databases to TrustedUser

grant select on dbo.log_shipping_secondary_databases to TrustedUser

grant select on dbo.log_shipping_primary_secondaries to TrustedUser

grant select on dbo.log_shipping_primaries to TrustedUser

grant select on dbo.log_shipping_secondary to TrustedUser

grant select on dbo.log_shipping_secondaries to TrustedUser

grant select on dbo.sysjobs to TrustedUser

grant select on dbo.sysalerts to TrustedUser

grant select on dbo.sysjobhistory to TrustedUser

grant execute on dbo.sp_help_jobhistory to TrustedUser

grant select on msdb.dbo.syssessions to TrustedUser

grant select on msdb.dbo.sysjobactivity to TrustedUser

use master

grant EXECUTE on xp_servicecontrol to TrustedUser

grant EXECUTE on xp_enumerrorlogs to TrustedUser

grant EXECUTE on xp_readerrorlog to TrustedUser

grant EXECUTE on xp_sqlagent_enum_jobs to TrustedUser

grant execute on xp_regread to TrustedUser

 

declare @dbnumber int

declare @dbname sysname

declare @use nvarchar(4000)

declare @Quest_dblist table (

row int identity,

name sysname

)

insert into @Quest_dblist (name)

select name from master.dbo.sysdatabases;

set @dbnumber = @@rowcount

while @dbnumber > 0

begin

select @dbname =name from @Quest_dblist where row = @dbnumber

set @use = N'USE ' + quotename(@dbname)

+ N'CREATE USER [TrustedUser] FOR LOGIN [TrustedUser]';

exec (@use)

set @dbnumber = @dbnumber - 1

end

-----un-comment the following line for SQL Server 2008 and above.

--Grant CONTROL SERVER to TrustedUser

-----un-comment the following line for SQL Server 2012 and above.

--Grant ALTER ANY EVENT SESSION to TrustedUser

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating