Question: Do any of the SQL Server systems tables in either SSISDB or MSDB contain information that would allow me to discover which users are making changes to folder permissions in the Integration Services Catalog?
Background: I saw that a SQL Agent Job was failing with the following error description:
Cannot access the package or the package does not exist. Verify that
the package exists and that the user has permissions to it.
Upon researching the issue, I found that the service account's permissions to the folder that contains the relevant packages has been removed. I would like to perform a diagnostic to see who removed the permissions and when.
Additionally, configuration management by our IT Operations Group has been a challenge as the SQL Servers have not been kept in-line across environments (i.e., development, test, stage, and production) with respect to at least the following:
Patch Management
Memory Management
Permissions Management
Research: I have checked the Sysssispackages table in MSDB but that does not appear helpful and the tables in SSISDB all appear to be integer based. My background is in database development and less so in database management. Any help is appreciated.
The changes to permissions are not audited for the SSISDB.
When you're using the UI to grant/deny permissions for a folder/project, that is translated to a call to catalog.grant_permission/catalog.deny_permissions Those check whether you're in an admin role (server or database) and if so, then call the internal.update_permission with a value of 0/1 for grant vs deny.
I tested this versus 2014 but I would be surprised if it's any different in 2016/2017/2019
SQL Server itself keep track of permission changes via the system trace. Assuming the change was recent, you can try a query like this
SELECT
f.ObjectName
, f.NTUserName
, f.StartTime AS ChangeStartTime
, f.EventClass
, t.start_time AS TraceStartTime
, t.last_event_time AS TraceLastEventTime
, t.event_count
, f.DatabaseID
, f.TransactionID
--, f.NTDomainName
, f.HostName
, f.ClientProcessID
--, f.ApplicationName
, f.LoginName
, f.SPID
, f.EventSubClass
, f.ObjectID
, f.ObjectType
, f.DatabaseName
FROM
sys.traces t
CROSS APPLY sys.fn_trace_gettable(REVERSE(SUBSTRING(REVERSE(t.path), CHARINDEX('\', REVERSE(t.path)), 260)) + N'log.trc', DEFAULT) f
WHERE
t.is_default = 1
AND f.EventClass IN
(102, 103, 104, 105, 106, 108, 109, 110, 111)
AND f.DatabaseName = 'SSISDB';
Event class breakout is at
https://www.databasejournal.com/features/mssql/a-few-cool-things-you-can-identify-using-the-default-trace.html
I don't think that SSISDB either MSDB contains informations about permissions changes auditing. If think this should be done on the SQL Server database engine. You should have an auditing process that monitor all changes on the SQL Server Instance.
You can refer to the following links to read more on how you can track or audit permissions changes:
Tracking SQL Server Database Permission Changes
SQL Server Audit
Audit SQL Server permission changes to improve overall security
To check out what are the tables and informations stored inside MSDB and SSISDB check the following links:
SSIS Catalog
List of tables in SSISDB
The system msdb database, introduction and tips
msdb Database
Related
I am new to using using stored procedure and Azure storage account. I am exploring the following guide at:
https://www.sqlshack.com/how-to-connect-and-perform-a-sql-server-database-restore-from-azure-blob-storage/
and have created a credential in my database 'Security' > 'Credential' folder in SSMS.
Query that I ran in SSMS:
--using the url and the key
CREATE CREDENTIAL [Credential_BLOB]
WITH IDENTITY= 'https://<account>.blob.core.windows.net/',
SECRET = '<storage account key -> which I enter my Access Key 1>';
Result:
After which I proceed to run the following stored procedure where I want to restore the backup from BLOB storage:
RESTORE DATABASE Database_Name FROM URL = 'https://<account>.blob.core.windows.net/Container/SampleDatabase.bak'
WITH CREDENTIAL = 'Credential_BLOB',
And I get this error:
Msg 41901, Level 16, State 2, Line 3
One or more of the options (credential) are not supported for this statement in SQL Database Managed Instance. Review the documentation for supported options.
However, from the guide which I input the link above, they were able to run the query:
I tried to google for the syntax of the RESTORE statement from the Microsoft Docs library and others who may have encountered similar issue but I did not find any effective result. I would appreciate your help if you have encountered something similar and would like to share your solution. Thank you!
From the error which you have shared, it is easy to interpret that you are using the SQL Database Managed Instance. But the link you have shared doesn't mention anywhere which SQL Server it is using. The approach mentioned in that link might not work in your case because of difference in SQL servers and statement compatibility.
Then, I tried the steps which are given in the Microsoft official document (link shared by #Nick.McDermaid in the comment section). It is working fine without any issue.
Please follow the steps below to achieve the requirement (applicable for SQL Server 2016 (13.x) and later, Azure SQL Managed Instance only).
Use the GUI in SQL Server Management Studio to create the credential by following the steps below.
Connect with your SQL Server 2016 (13.x) and later or Azure SQL Managed Instance
Right-click your database name, hover over Tasks and then select Back up to launch the Back Up Database wizard.
Select URL from the Back up to destination drop-down, and then select Add to launch the Select Backup Destination dialog box.
Select New container on the Select Backup Destination dialog box to launch the Connect to a Microsoft Subscription window.
Sign in to the Azure portal by selecting Sign In and then proceed through the sign-in process. Select your subscription from the drop-drown.
Select your storage account from the drop-down. Select the container you created already from the drop-down. Select Create Credential to generate your Shared Access Signature (SAS). Save this value as you'll need it for the restore.
I also tried to restore the database using the newly created credential and it is working fine.
To create the credential using T-SQL, please follow the steps provided in this link.
We extensively use the OPENROWSET function to import .CSV and Excel files into our SQL Server 2012 environment, using MSDASQL or ACE:
SELECT *
FROM OPENROWSET ('MSDASQL',
'DRIVER={MICROSOFT access TEXT DRIVER (*.TXT, *.CSV)};',
'SELECT * FROM E:\INCOMING\REPORT_EXTRACT.CSV')
Or using ACE:
SELECT * FROM OPENROWSET('MICROSOFT.ACE.OLEDB.12.0','TEXT;DATABASE=E:\INCOMING\;HDR=YES;', 'SELECT * FROM [REPORT_EXTRACT.CSV]');
We're experiencing the classic error message:
Msg 7415, Level 16, State 1, Line 1
Ad hoc access to OLE DB provider 'MSDASQL' has been denied. You must access this provider through a linked server.
The ONLY workaround to enable this, is granting said user(s) with the SYSADMIN role - obviously not ideal.
The location of the file(s) is on the server itself, for which the users accessing DO have the necessary permissions to access that file folder. The SQL Server service is running under the local system account with permission to interact with the desktop.
We've tried the following workarounds/fixes to no avail:
1 Executed the following code:
EXEC master . dbo. sp_MSset_oledb_prop N’Microsoft.ACE.OLEDB.12.0′ , N’AllowInProcess’ , 1
GO
EXEC master . dbo. sp_MSset_oledb_prop N’Microsoft.ACE.OLEDB.12.0′ , N’DynamicParameters’ , 1
GO
*2 The DisAllowAdHocAccess registry fix:
This is the current state:
3 Adding the ADMINISTER BULK OPERATIONS permission to the said users
We have dozens of expressions and files within our procedures that use OPENROWSET, therefore BULK INSERT, building SSIS packages, leverage Excel files as linked servers are NOT feasible options.
Any suggestions?
Wow - After YEARS of troubleshooting, I finally figured out what it was!
The registry entry value that controls the Allowing of Ad-hoc access, relies on the DisallowAdHocAccess being in that EXACT sentence case.
In our case, the "A" in AdHoc was not capitalized:
To fix this, I:
Deleted the registry value as described
Re-enabled the Disallow AdHoc Access option (Which re-created the registry value)
Manually set the Registry DisallowAdHocAccess value to "0"
Problem solved!
This question is related to: Debezium How do I correctly register the SqlServer connector with Kafka Connect - connection refused
In Windows 10, I have Debezium running on an instance of Microsoft SQL Server that is outside of a Docker container. I am getting the following warning every 390 milliseconds:
No maximum LSN recorded in the database; please ensure that the SQL
Server Agent is running
[io.debezium.connector.sqlserver.SqlServerStreamingChangeEventSource]
I checked Debezium's code on Github and the only place that I can find this warning states in the code comments that this warning should only be thrown if the Agent is not running. I have confirmed that the SQL Server Agent is running.
Why is this warning showing up and how do I fix it?
Note:
My current solution appears to only work in a non-production environment - per Docker's documentation.
LSN is the "pieces" of information related about your SQL Server changes. If you don't have LSN, is possible that your CDC is not running or not configured properly. Debezium consumes LSNs to replicate so, your SQL Server need to generate this.
Some approaches:
Did you checked if your table are with CDC enabled? This will list your tables with CDC enabled:
SELECT s.name AS Schema_Name, tb.name AS Table_Name
, tb.object_id, tb.type, tb.type_desc, tb.is_tracked_by_cdc
FROM sys.tables tb
INNER JOIN sys.schemas s on s.schema_id = tb.schema_id
WHERE tb.is_tracked_by_cdc = 1
Your CDC database are enabled and runnig? (see here)
Check if enabled:
SELECT *
FROM sys.change_tracking_databases
WHERE database_id=DB_ID('MyDatabase')
And check if is running:
EXECUTE sys.sp_cdc_enable_db;
GO
Your CDC service are running on SQL Server? See in docs
EXEC sys.sp_cdc_start_job;
GO
On enabling table in CDC, I had some issues with rolename. For my case, configuring at null solved my problem (more details here)
EXEC sys.sp_cdc_enable_table
#source_schema=N'dbo',
#source_name=N'AD6010',
#capture_instance=N'ZZZZ_AD6010',
#role_name = NULL,
#filegroup_name=N'CDC_DATA',
#supports_net_changes=1
GO
Adding more to William's answer.
For the case SQL Server Agent is not running
You can enable it by following :
Control panel >
Administrative Tools >
Click "Services"
Look for SQL Server Agent
Right click and Start
Now you can fire cdc job queries in your mssql.
PS: you need to have login access to windows server.
Another possibility of this error (I just ran into this warning myself this morning trying to bring a new DB online) is the SQL login does not have the permissions needed. Debezium runs the following SQL. Check that the SQL login you are using has access to run this stored procedure and it returns the tables you have set up in CDC. If you get an error or zero rows returned, work with your DBA to get the appropriate permissions set up.
EXEC sys.sp_cdc_help_change_data_capture
I'm having a very strange problem with a fresh install I have of SQL Server 2008 Express edition (yeah it's a bit old now, but whatever). When I connect via SQL Server Management Studio, I can both read and edit data (update or insert), but when I connect via my web application's data access layer, which uses SqlConnection and SqlCommand to try and update and insert data in tables, no changes occur in the database. The strange thing is that the code runs as if no error had occurred though; no exceptions are thrown, and my update statement causes SqlCommand.ExecuteNonQuery to return 1, indicating that supposedly 1 row has been updated. However, it hasn't. The application can, however, read data from the database via select statements.
Does anyone have any idea what's going on here? I even tried tracing SQL Server using ExpressProfiler, and its output seemed to indicate that the update should have occurred:
exec sp_executesql N'UPDATE Match SET TicketsSold=#ticketsSold WHERE MatchId=#matchId',N'#matchId int,#ticketsSold int',#matchId=1,#ticketsSold=1234
go
Yet TicketsSold stays at the same value (123) it was at before, and does not update to 1234. Is there some kind of "silent" read-only mode SQL Server 2008 Express could be running in? I'm baffled as to why the database isn't being updated.
By the way, this is a proper SQL Server database I created in SSMS, not some attached MDF file that resides in the same directory as my web application. The database is not set to "read-only" in database options, and I'm pretty sure that the user that the web application is logging in as has read/write permission on the MDF file; it is logging in as the same user I am logging in as using SSMS - with integrated Windows security - and I am able to update/insert as that user via SSMS.
Thanks to shf301 in the comments - I was creating a transaction but forgetting to call .Commit before the end of the using block. :-D I put that in and now it works.
I'm using SSEUtil to automatically create a functional test database from the schema derived from my development database (SQL Server 2008 R2) as part of my build process. This allows me to keep the two databases in-sync (schema-wise) without running SQL repository tests against my development database.
I recently added a full text index to a table for the first time for this project in my development schema and now when I attempt to apply the schema to a newly created unit test database I get the following error when it executes the SQL to create the full text catalog:
CREATE FULLTEXT CATALOG [FullTextCatalog] AUTHORIZATION [dbo]
GO
Cannot use full-text search in user instance.
[SqlException Number 9982, Class 16, State 100, Line 1]
I've searched high and low. The only help I found was on another site where someone suggested "attaching to the parent database." I have no idea what that means. And I have no idea what this error means. What is a "user instance"?
Can anyone suggest a way around this? Is there a better way to keep two database schemas in-sync for continuous integration?
Either
User must have CREATE FULLTEXT CATALOG permission on the database, or be a member of the db_owner, or db_ddladmin fixed database roles.
or
you won’t be able to use full text catalogues if the SQL instance does not have it installed. Make sure the SQL server instance has the full text service running.
Here are two ways of testing whether this feature installed or not. This feature is available for all editions of SQL Server 2005 and 2008 (including SQL Express)
Check the services applet (run -> type 'services.msc') for this entry :
SQL Server FullText Search Or SQL Server FullText Search (SQLEXPRESS) (in case of SQL Express). Start this service of not running
Run the query "select fulltextserviceproperty('isfulltextinstalled')" in the Query analyzer. if the result is '1' then it is installed else not.
In the case of unavailability of this feature, you need to install by downloading the "SQLEXPR_ADV.EXE" from http://www.microsoft.com/express/sql/download/default.aspx
Reference taken from here
This is not really an answer to the question, but I came upon a similar issue with visual studio package manager when updating an entity framework code-first database (command update-database).
The problem was that I selected the wrong start-up project, and therefore visual studio was not using my connection string at all. It was connecting to a localdb instance, hence the cryptic error message "cannot use full text search in user instance". Once I made it connect to the actual database, it worked as expected.
I also came across this user instance issue. I have to admit that I only have basic knowledge of SSMS. Apparently I'm logged as the public user. How can I be a member of db_owner? I try to generate and script everything without using the GUI.
For example, if I execute this
ALTER AUTHORIZATION ON DATABASE::[dbname] TO sa;
EXEC sp_changedbowner 'sa';
I still get the Cannot use full-text search in user instance error with
USE [dbname]
CREATE FULLTEXT CATALOG [ftc_dbname] AS DEFAULT
GO