Wednesday, March 21, 2012

DTS Packages

I am new to SQL but have been tasked with setting up an SQL server. I have
setup a basic database and applied appropriate permissions. The problem is
that one of our analysts says that I am unable to maintian our policy of
giving limited permissions/access to create DTS packages without giving up
full Server control. His reasoning is that if you have the ability to create
DTS packages, you then have access to the command prompt and therefore to
system commands. Is there anyway to give a user the ability to create DTS
packages without giving up Server control, or creating security risk
problems'
Any help will be appreciated.
Thanks in advance.By default, anyone with access to SQL Server can save a DTS package to the
local repository. This does not in any way provide access to a command
prompt.
Perhaps the analyst is referring to creating SQL Server Agent jobs that run
DTS packages using the DTSRUN command-line utility in a CMDEXEC job step.
This is not allowed by default. You need to explicitly allow non-symins
to execute cmdexec job steps and specify a proxy account as the security
context. This would allow non-symins to execute command-line utilities
like DTSRUN yet be limited to the security context of the proxy account you
specify. The proxy account is usually a minimally privileged account. See
the Books Online for more information.
If SQL Agent scheduling is not a requirement, the DTS can be run
interactively (where it runs on the user machine) or scheduled by another
means.
Hope this helps.
Dan Guzman
SQL Server MVP
"r2d2" <John.Infotech@.gmail.com> wrote in message
news:eInzqH3xFHA.448@.TK2MSFTNGP11.phx.gbl...
>I am new to SQL but have been tasked with setting up an SQL server. I have
>setup a basic database and applied appropriate permissions. The problem is
>that one of our analysts says that I am unable to maintian our policy of
>giving limited permissions/access to create DTS packages without giving up
>full Server control. His reasoning is that if you have the ability to
>create DTS packages, you then have access to the command prompt and
>therefore to system commands. Is there anyway to give a user the ability
>to create DTS packages without giving up Server control, or creating
>security risk problems'
> Any help will be appreciated.
> Thanks in advance.
>
Posted by sur at 1:13 AM
Labels: , , , , , , , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)