
Commit 4843cfe

Document minimal permissions required for sql assessment.
1 parent b48d514 commit 4843cfe

2 files changed

+74
-0
lines changed


articles/migrate/how-to-discover-applications.md

Lines changed: 2 additions & 0 deletions
@@ -69,6 +69,8 @@ The software inventory is exported and downloaded in Excel format. The **Softwar
6969
- Software inventory also identifies the SQL Server instances running in your VMware, Microsoft Hyper-V and Physical/ Bare-metal environments as well as IaaS services of other public cloud.
7070
- If you have not provided Windows authentication or SQL Server authentication credentials on the appliance configuration manager, then add the credentials so that the appliance can use them to connect to respective SQL Server instances.
7171

72+
[!INCLUDE [Minimal Permissions for SQL Assessment](../../includes/database-migration-service-sql-permissions.md)]
73+
7274
> [!NOTE]
7375
> Appliance can connect to only those SQL Server instances to which it has network line of sight, whereas software inventory by itself may not need network line of sight.
7476
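Review bot: the `[!INCLUDE ...]` is dropped straight after the credentials bullet with nothing tying it to the list, so the reader meets a permissions script with no sentence saying why it is there; add a short lead-in such as "The account used for SQL Server assessment needs the following minimal permissions:" before the include. Also worth a check that `../../includes/database-migration-service-sql-permissions.md` resolves from `articles/migrate/`: the second file in this commit is rendered without its path, so the reviewer cannot confirm from the diff alone that the include target and the new file are the same.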

Lines changed: 72 additions & 0 deletions
@@ -0,0 +1,72 @@
1+
---
2+
author: ajithkr-ms
3+
ms.service: sql-database
4+
ms.topic: include
5+
ms.date: 12/19/2022
6+
ms.author: ajithkr-ms
7+
---
8+
9+
The login used to assess a SQL Server instance requires certain minimal permissions to query the requisite information. The following script shows creation of a SQL Server login with the requisite permissions.
10+
11+
> [!TIP]
12+
> Where possible, use a Windows login to simplify account administration
13+
14+
```sql
15+
-- Create a login to run the assessment
16+
use master;
17+
CREATE LOGIN [evaluator]
18+
WITH PASSWORD = '<provide a strong password>'
19+
GO
20+
21+
-- Create user in every database other than tempdb and model and provide minimal read-only permissions.
22+
use master;
23+
EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model'')) CREATE USER [evaluator] FOR LOGIN [evaluator]'
24+
EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model'')) GRANT SELECT ON sys.sql_expression_dependencies TO [evaluator]'
25+
EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model'')) GRANT VIEW DATABASE STATE TO [evaluator]'
26+
GO
27+
28+
-- Provide server level read-only permissions
29+
use master;
30+
GRANT SELECT ON sys.sql_expression_dependencies TO [evaluator]
31+
GRANT EXECUTE ON OBJECT::sys.xp_regenumkeys TO [evaluator];
32+
GRANT VIEW DATABASE STATE TO evaluator
33+
GRANT VIEW SERVER STATE TO evaluator
34+
GRANT VIEW ANY DEFINITION TO evaluator
35+
GO
36+
37+
-- Required from SQL 2014 onwards for database connectivity.
38+
use master;
39+
GRANT CONNECT ANY DATABASE TO evaluator
40+
GO
41+
42+
-- Provide msdb specific permissions
43+
use msdb;
44+
GRANT EXECUTE ON [msdb].[dbo].[agent_datetime] TO [evaluator]
45+
GRANT SELECT ON [msdb].[dbo].[sysjobsteps] TO [evaluator]
46+
GRANT SELECT ON [msdb].[dbo].[syssubsystems] TO [evaluator]
47+
GRANT SELECT ON [msdb].[dbo].[sysjobhistory] TO [evaluator]
48+
GRANT SELECT ON [msdb].[dbo].[syscategories] TO [evaluator]
49+
GRANT SELECT ON [msdb].[dbo].[sysjobs] TO [evaluator]
50+
GRANT SELECT ON [msdb].[dbo].[sysmaintplan_plans] TO [evaluator]
51+
GRANT SELECT ON [msdb].[dbo].[syscollector_collection_sets] TO [evaluator]
52+
GRANT SELECT ON [msdb].[dbo].[sysmail_profile] TO [evaluator]
53+
GRANT SELECT ON [msdb].[dbo].[sysmail_profileaccount] TO [evaluator]
54+
GRANT SELECT ON [msdb].[dbo].[sysmail_account] TO [evaluator]
55+
GO
56+
57+
-- Clean up
58+
--use master;
59+
-- EXECUTE sp_MSforeachdb 'USE [?]; DROP USER [evaluator]'
60+
-- DROP LOGIN [evaluator]
61+
--GO
62+
```
63+
64+
Here is how the permissions script above can be used:
65+
66+
- Save the permissions script (with valid password string) as a _.sql_ file, say _c:\workspace\MinPermissions.sql_
67+
- Connect to the instance(s) to be assessed using an account with sysadmin permissions and execute the script. You can use **SQL Server Management Studio** or **sqlcmd**. The following example uses a trusted connection.
68+
```cmd
69+
sqlcmd.exe -S sourceserver\sourceinstance -d master -E -i c:\workspace\MinPermissions.sql
70+
```
71+
- Use the minimal permissions account so created for assessment.
72+
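Review bot: the commented-out clean-up at the end of the script runs `DROP USER [evaluator]` in every database, including tempdb and model where the user was never created, so it will raise errors there if uncommented; mirror the `IF (''?'' NOT IN (''tempdb'',''model''))` guard used in the `CREATE USER` loop. Two smaller points: `GRANT CONNECT ANY DATABASE` is only recognised on SQL Server 2014 and later, so the script fails at that statement on older instances rather than just being "required from SQL 2014 onwards", and a version guard or a note to skip it would make the single-file usage described below actually work there; and the TIP recommends a Windows login while the only example is `CREATE LOGIN ... WITH PASSWORD`, so a `CREATE LOGIN [DOMAIN\account] FROM WINDOWS` variant would make the tip actionable (the TIP text is also missing its final period). Style: `[evaluator]` and bare `evaluator` are mixed across the GRANT statements, and semicolons are used on only one of them.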
