The second is a link to SQL Saturday. A group of SQL Server users are attempting to organize a SQL Saturday event. Check out this link to get the latest status.
Arizona SQL Server User Group: http://arizona.sqlpass.org
SQL Saturday Phoenix - http://www.sqlsaturday.com/47/eventhome.aspx
]]>
The SQL Server Policy Management Team blog - http://blogs.msdn.com/sqlpbm
Bar Duncan's blog entry on Complex Server "Health" Policies - http://shrinkster.com/1bqq
Codeplex project to provide a dashboard for Policy Management - http://epmframework.codeplex.com
]]>
Here are a couple of example queries to extract the package GUID for each package and to display the connection string for each OLEDB connection manager in a package.
Example 1: Package GUID display
USE MSDB
GO
WITH xmlPackages
-- Read sysssispackage and convert packagedata image column to XML datatype
AS
(SELECT [name]
, [Description]
, verbuild
, CAST(CAST(packagedata as VARBINARY(MAX)) AS XML) PackageXML
FROM dbo.sysssispackages)
,
Packages
-- Cross join each package row with itself to extract out the GUID then it to VARCHAR
AS
(SELECT [name]
, [Description]
, [verbuild]
, x.guid.value('text()[1]', 'varchar(4000)') PackageGUID
FROM xmlPackages
CROSS APPLY
PackageXML.nodes('declare namespace DTS="www.microsoft.com/SqlServer/Dts"; //DTS:Executable/DTS:Property[@DTS:Name="VersionGUID"]') AS x(guid)
)
SELECT *
FROM Packages
Example 2: Display Connections strings for each OLEDB Connection Manager
USE MSDB
GO
WITH xmlPackages
-- Read sysssispackages and convert packagedata image column to XML datatype
AS
(SELECT [name]
, [Description]
, verbuild
, CAST(CAST(packagedata as VARBINARY(MAX)) AS XML) PackageXML
FROM dbo.sysssispackages)
,
Packages
-- Cross join each package row with OLEDB connections found in the package and convert it to VARCHAR
AS
(SELECT [name]
, [Description]
, [verbuild]
, x.cn.value('text()[1]', 'varchar(4000)') Conn
FROM xmlPackages
CROSS APPLY
PackageXML.nodes('declare namespace DTS="www.microsoft.com/SqlServer/Dts"; //DTS:ConnectionManager[DTS:Property="OLEDB"]/DTS:ObjectData/DTS:ConnectionManager/DTS:Property [@DTS:Name="ConnectionString"]') AS x(cn)
)
SELECT [Name] PackageName
, [Description]
, [verbuild]
, Conn ConnectionString
FROM Packages
Adventureworks Sample Databases - http://msftdbprodsamples.codeplex.com/
Reporting Services Sample Code - http://msftrsprodsamples.codeplex.com/
RS Server Mgmt Report Samples - http://msftrsprodsamples.codeplex.com/wikipage?title=SS2008%21Server%20Management%20Sample%20Reports&referringTitle=Home
Report Server Job Report, All Subscriptions Query, Cache Expiration Query - http://interfacett.com/files/sql/reportserverjobreport.zip
BI6236 Course Demo files - http://interfacett.com/files/sql/bi6236demos.zip
RSScripter and RSLinkGen tool - http://sqldbatips.com
]]>
http://interfacett.com/files/sql/jeff-jones-blog-subscriptions.zip
]]>The result shows both implicit permissions granted through fixed server or database roles. It also shows explicit permission granted though user-defined roles or granted directly to the database user account.
The EXECUTE AS can only specify individual user principal defined to SQL Server. It cannot reference a Windows Group. This is only valid with SQL Server 2005.
EXECUTE AS LOGIN = 'miami\anders'
SELECT SCHEMA_NAME(schema_id) + '.' + name TableName
, type_desc
, HAS_PERMS_BY_NAME(SCHEMA_NAME(schema_id) + '.' + name,
'OBJECT', 'SELECT') AS have_select
, HAS_PERMS_BY_NAME(SCHEMA_NAME(schema_id) + '.' + name,
'OBJECT', 'UPDATE') AS have_update
, HAS_PERMS_BY_NAME(SCHEMA_NAME(schema_id) + '.' + name,
'OBJECT', 'INSERT') AS have_insert
, HAS_PERMS_BY_NAME(SCHEMA_NAME(schema_id) + '.' + name,
'OBJECT', 'DELETE') AS have_delete
, HAS_PERMS_BY_NAME(SCHEMA_NAME(schema_id) + '.' + name,
'OBJECT', 'EXECUTE') AS have_execute
FROM sys.all_objects
WHERE type_desc IN ('USER_TABLE', 'SQL_STORED_PROCEDURE', 'VIEW')
AND SCHEMA_NAME(schema_id) NOT IN ('sys', 'INFORMATION_SCHEMA')
ORDER BY type_desc, tablename
REVERT
]]>This query shows which indexes are used, whether it was a seek, scan or lookup and the date it was last performed. When using the object_name function, you want to USE the database you are interested in and then filter the view so it only shows objects from that database. Filtering on object_id > 100 eliminates system tables from the output.
USE Adventureworks
SELECT object_name(object_id), *
FROM sys.dm_db_index_usage_stats
WHERE object_id > 100 AND database_id = DB_ID('Adventureworks')
This query provides more information about current low-level I/O, locking, latching, and access method activity for each partition of a table or index in the database. Since this query uses a table-valued function, you must pass parameters for the database id, table id, index id, and partition number. If you want to select all tables in a database you just need to pass the database id and specify DEFAULT for the other three parameters. Filtering on object_id > 100 eliminates system tables from the output.
SELECT object_name(object_id), *
FROM sys.dm_db_index_operational_stats (db_id('Adventureworks'), default, default, default)
WHERE object_id > 100
The last query provides read and write I/O counts by file. This can help you determine which files have the highest I/O activity.
SELECT db_name(database_id), *
FROM sys.dm_io_virtual_file_stats(default, default)
After a package has been developed using BI Development Studio, it must be deployed to a location for subsequent execution. This is a similar model to application dll’s and exe’s that must be deployed to an object library for execution. With SSIS you can deploy a package to any file system directory, the MSDB database or a special file system directory known by the Integration Services Service. When deploying to a file system directory (whether known by Integration Services Service or not), you must rely on OS file system security to control access to these packages. If you deploy to the MSDB database you have other mechanisms available to control access to packages.
The MSDB database has three predefined fixed database roles specifically designed for SSIS. They are db_dtsltduser, db_dtsoperator and db_dtsadmin. Each of the roles has execute permissions on a set of MSDB stored procedures that are used to manipulate packages located in the dbo.sysdtspackages90 table. You can also define your own custom database roles to further secure packages deployed to MSDB. The user needs a database user account in MSDB to be assigned to these roles.
Each package has a default assignment to both the readerrole and writerrole. The readerrole allows for enumerating a packaging (displaying its name), viewing a package’s definition, executing a package interactively, exporting a package definition and running a package under SQL Server Agent as a job. The writerrole allows for importing a package, deleting a package and changing package security roles.
When a package is placed in the MSDB database a default role assignment is made. The package’s readerrole is assigned to db_dtsadmin, db_dtsoperator and the creator of the package. The writerrole is assigned to db_dtsadmin and the creator of the package. The details for each role and what they can do is described in SQL Server 2005 Books Online under the “Integration Services Roles” topic.
For those developers that need to deploy packages to MSDB, enumerate and execute packages that they own, they need to a member of db_dtsltduser. Again they can only manipulate packages that they own.
If a person that is not a Sysadmin needs to administer all the packages stored in MSDB, they need to be in the db_dtsadmin role. All users with SysAdmin rights can see and do anything with packages.
To execute any package, the user must be in the db_dtsoperator role.
Additional user-defined database roles can be created in MSDB to provide an additional level of control. The additional roles work in conjunction with the fixed roles described above. By default, when a package is placed in the MSDB database, the owner of the package and the users in the db_dtsadmin role can view the package definition (via exporting), modify the package (via importing), and execute the package. Also users in the db_dtsoperator role can execute the package. When you assign a user-defined role as the readerrole, anyone in that user-defined role can view the package and execute it. When you assign a user-defined role as the writerrole, anyone in that user-defined role can update the package definition. The user must also be in the db_dtsltduser role. So users must be in both the user-defined role and the db_dtsltduser role to access packages.
For example, you have a development team creating Integration Services packages. They decide to deploy the packages to SQL Server MSDB for execution. The packages where created by different developers and therefore the packages have different creators/owners. We want the entire team to be able to read and potentially update the various packages. The DBA does not want to give the developers SysAdmin permissions nor the ability to read, update and execute all the packages in the MSDB database. One approach would be to:
1. Create a user-defined role in MSDB, place all the developers in that role.
2. Assign that role to the db_dtsltduser fixed database role. This allows the developer team to access packages that they created and own.
3. Assign each package the team created to the user-defined role created earlier.
This will allow all team members to access all associated packages no matter who created them.
There are other issues related to the encryption of sensitive data in the package that I will cover in another blog post.
]]>