Granting minimum select permission on system “sys” tables in every database
https://dba.stackexchange.com/questions/179807
-
08-10-2020 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Our development team has created some SSRS reports that retrieve metadata only (no 'real' data) from every database. I am trying to lock down the service account running these reports to the minimum privileges required.
The queries only select from the system tables in each database such as:
sys.tables
sys.extended_properties
SYS.objects
SYS.schemas
sys.dm_db_partition_stats
sys.indexes
I thought the following would do it, but no such luck.
GRANT VIEW ANY DATABASE TO [DOMAIN\LOGIN]
GRANT VIEW SERVER STATE TO [DOMAIN\LOGIN]
GRANT VIEW DATABASE STATE TO [DOMAIN\LOGIN]
Querying system tables gives the error:
The server principal "DOMAIN\LOGIN" is not able to access the database "DATABASENAME" under the current security context.
I can't seem to find a way around this other than creating a user for the login for every single database and then granting permissions to the system tables explicitly. This presents a new set of challenges for all future databases. Am I missing something or is there no simple way to grant this access across the board to all databases without granting the "sysadmin" server-level role?
Solution
I can't seem to find a way around this other than creating a user for the login for every single database
Starting with SQL Server 2014 the new CONNECT ANY DATABASE permission can be used to accomplish this
...and then granting permissions to the system tables explicitly.
You have no need to grant permissions on system tables, they are visible to any user. But the visibility of objects they contain depends on the permissions the user has: he can see only those objects on which it has permissins: Metadata Visibility Configuration
And this can be solved by giving to your login VIEW ANY DEFINITION permission
Also, there was no need to give VIEW ANY DATABASE TO permission because it's already granted to public, and VIEW SERVER STATE TO is not required for the metadata you described retrieving.
So, all you need are these permissions:
CONNECT ANY DATABASEto access all the databasesVIEW DATABASE STATEfor queryingsys.dm_db_partition_statsVIEW ANY DEFINITIONfor have the rights on any metadata
OTHER TIPS
Instead of creating the User in every database, you could create this user in the master database and GRANT VIEW ANY DEFINITION TO <USERNAME>. This will enable metadata visibility for the specified user in all databases.
