tags:

views:

1972

answers:

2
+1  Q: 

What permissions needed to connect to SQL Server Integration Services

I need to allow a consultant to connect to SSIS on a SQL Server 2008 box without making him a local administrator. If I add him to the local administrators group, he can connect to SSIS just fine, but it seems that I can't grant him enough permissions through SQL Server to give him these rights without being a local admin.

I've added him to every role on the server, every database role in MSDB shy of DBO, and he's still not able to connect. I don't see any SSIS-related Windows groups on the server - Is membership in the Local Administrators group really required to connect to the SSIS instance on a SQL Server? It seems like there is somewhere I should be able to grant "SSIS Admin" rights to a user (even if it's a Windows account and not a SQL account), but I can't find that place.

UPDATE: I've found an MSDN article (See the section titled "Eliminating the 'Access if Denied' Error") that describes how to resolve problem, but even after following the steps, I'm still not able to connect. Just wanted to add it to the discussion

A: 

Is he running the SSIS packages locally or remotely?

If he's running locally on his workstation, he should only need normal SQL priveledges (i.e. select / insert / whatever) on the relevant databases and tables he's accessing, as it's just a normal SQL connection.

Or is he deploying packages to be executed remotely?

Dane  2009-07-14 22:30:51
He'll be deploying and managing packages on a remote SQL Server while he's here. SSIS on his workstation seems to work just fine, since he's a local administrator. If this was a single-instance server, I'd even consider making him a local admin, but since it's our sql cluster, that's not an option.
rwmnau  2009-07-14 22:41:10
+1  A: 

When exactly does he get the "Access is Denied Error"? When trying to connect to SSIS using SSMS (SQL Server Management Studio) and specifying "SSIS" in the connection dialog? Or after this when trying to execute a package or something?

I guess it is the first situation and might be able to dig something up when I am back in the office tomorrow. I would let you know of course. Until then: where would your packages be stored if he could connect to the SSIS server: on the file system or in MSDB? If on the file system in the default location (under SQL Servers' root) or somewhere else? I think if you are not storing them in MSDB there are no SQL Server permissions involved here...

I was always able to work around this issue using the information provided in the article you mention.

Edit: Too bad; I cannot find anything "special" that we did but the steps mentioned in that MSDN article that you followed already.

  • In the Launch Permission dialog box, add or delete users, and assign the appropriate permissions to the appropriate users and groups. The available permissions are Local Launch, Remote Launch, Local Activation, and Remote Activation. The Launch rights grant or deny permission to start and stop the service; the Activation rights grant or deny permission to connect to the service.

  • In the Access Permission dialog box, add or delete users, and assign the appropriate permissions to the appropriate users and groups.

  • Restart the Integration Services service.

Connecting by using a Local Account

If you are working in a local Windows account on a client computer, you can connect to the Integration Services service on a remote computer only if a local account that has the same name and password and the appropriate rights exists on the remote computer.

scherand  2010-04-07 21:04:30
The packages are stored in the MSDB, but he can't even get that far - attempting to connect to SSIS using Management Studio gives him an access denied error. Adding him to the local administrators group on the server (which is what we ended up doing) resolved the problem, but that's obviously not ideal. Thanks for following up on this older question, and I appreciate any additional feedback you have to add.
rwmnau  2010-04-07 21:20:25
I just searched my documentation and could not find any "special trick" we had to perform to get that working. If I remember correctly we did not restart the SSIS service once which led us to wild speculations why things are not working on that particular server. But in the end the solution was simple (restart the service). Sorry about that.
scherand  2010-04-08 06:24:38

related questions

Can't copy file with appropriate permissions using FileIOPermission
GetProcessesByName() and Windows Server 2003 scheduled task
Starting a process in C# with username & password throws "Access is Denied" exception
How do you set directory permissions in NSIS?
PHP: How to check if a directory is writeable?
Sharepoint Item Level Access & performance
sudo echo "something" >> /etc/privilegedFile doesn't work... is there an alternative?
What is the best way to create a security architecture?
Hierarchical Group Permissions Theory/Resources?
Why is access denied when installing SSL cert on IIS 5?
What databases do I have permissions on
Can an iPhone App Be Run as Root?
SQLite/PHP read-only?
Multiple permission types (roles) stored in database as single decimal
SharePoint Permissions
CakePHP ACL Database Setup: ARO / ACO structure?
LINQ and Database Permissions
What's the best way to implement a SQL script that will grant select, references, insert, update, and delete permissions to a database role on all the user tables in a database?
php scripts writing to non-world-writable files
How do I detect if a function is available during JNLP execution?
Implementing permissions in PHP
Access Control Lists & Access Control Objects, good tutorial?
In Visual Studio you must be a member of Debug Users or Administrators to start debugging. What if you are but it doesn't work?
Where should I put my log file for an asp.net application?
What is the best way to handle multiple permission types?