SQL permissions

v-ksreedevan · v-ksreedevan · commit d0f85dd97bb1 · 2023-04-12T12:29:16.000+05:30
diff --git a/articles/migrate/tutorial-assess-sql.md b/articles/migrate/tutorial-assess-sql.md
@@ -26,7 +26,7 @@ In this tutorial, you learn how to:
 ## Prerequisites
 
 - If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/pricing/free-trial/) before you begin.
-
+- Ensure you have the [necessary permissions](../../includes/database-migration-service-sql-permissions.md) to assess the SQL server instances.
 - Before you follow this tutorial to assess your SQL Server instances for migration to Azure SQL, make sure you've discovered the SQL instances you want to assess using the Azure Migrate appliance, [follow this tutorial](tutorial-discover-vmware.md).
 - If you want to try out this feature in an existing project, ensure that you have completed the [prerequisites](how-to-discover-sql-existing-project.md) in this article.
 
diff --git a/includes/database-migration-service-sql-permissions.md b/includes/database-migration-service-sql-permissions.md
@@ -6,64 +6,173 @@ ms.date: 12/19/2022
 ms.author: ajithkr-ms
 ---
 
-  The login used to connect to a source SQL Server instance requires certain minimal permissions to query the requisite information. The following script shows creation of a SQL Server login with the requisite permissions.
 
+# Permissions required for SQL Server Assessment 
+The login used to connect to a source SQL Server instance needs certain minimal permissions to query the requisite information. The required permissions are as follows:
+
+|Database|Permission|Object(s)|
+|-|-|-|
+|master|CONNECT ANY DATABASE||
+|master|SELECT|sys.sql_expression_dependencies|
+|master|EXECUTE|sys.xp_regenumkeys|
+|master|VIEW DATABASE STATE||
+|master|VIEW SERVER STATE||
+|master|VIEW ANY DEFINITION||
+|msdb|EXECUTE|dbo.agent_datetime|
+|msdb|SELECT|dbo.sysjobsteps|
+|msdb|SELECT|dbo.syssubsystems|
+|msdb|SELECT|dbo.sysjobhistory|
+|msdb|SELECT|dbo.syscategories|
+|msdb|SELECT|dbo.sysjobs|
+|msdb|SELECT|dbo.sysmaintplan_plans|
+|msdb|SELECT|dbo.syscollector_collection_sets|
+|msdb|SELECT|dbo.sysmail_profile|
+|msdb|SELECT|dbo.sysmail_profileaccount|
+|msdb|SELECT|dbo.sysmail_account|
+|All User Databases|VIEW DATABASE STATE||
+|All User Databases|SELECT|sys.sql_expression_dependencies|
+  
+## Special considerations for Always On Avalability Groups
+For SQL Server instances that host availability group replicas, it's recommended to provision a Windows Domain accounts with required permissions for assessment. 
+  
+When SQL Server Authentication or a local Windows login is used, mismatched SIDs can prevent the custom login from resolving on the other replicas of the Always On Availability Group. To prevent this issue, after the login is created on the first of all the instances that hosts an Always On Availability Group, note the SID of the login so created. Provide this SID as a parameter when creating the login in the instances hosting the remaining replicas of the Always On Availability Group.
+   
+## Configure the custom login for Assessment
+The following are example scripts that show creation of a login and provisioning it with the requisite permissions.
+
+### Windows Authentication 
+  
+  ```sql
+  -- Create a login to run the assessment
+  use master;
+	-- If a SID needs to be specified, add here
+    DECLARE @SID NVARCHAR(MAX) = N'';
+    CREATE LOGIN [MYDOMAIN\MYACCOUNT] FROM WINDOWS;
+	SELECT @SID = N'0x'+CONVERT(NVARCHAR, sid, 2) FROM sys.syslogins where name = 'MYDOMAIN\MYACCOUNT'
+	IF (ISNULL(@SID,'') != '')
+		PRINT N'Created login [MYDOMAIN\MYACCOUNT] with SID = ' + @SID
+	ELSE
+		PRINT N'Login creation failed'
+  GO    
+ 
+  -- Create user in every database other than tempdb and model and provide minimal read-only permissions. 
+  use master;
+    EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model''))  BEGIN TRY CREATE USER [MYDOMAIN\MYACCOUNT] FOR LOGIN [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH'
+    EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model''))  BEGIN TRY GRANT SELECT ON sys.sql_expression_dependencies TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH'
+    EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model''))  BEGIN TRY GRANT VIEW DATABASE STATE TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH'
+  GO
+ 
+  -- Provide server level read-only permissions
+  use master;
+    BEGIN TRY GRANT SELECT ON sys.sql_expression_dependencies TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT EXECUTE ON OBJECT::sys.xp_regenumkeys TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT VIEW DATABASE STATE TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT VIEW SERVER STATE TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT VIEW ANY DEFINITION TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+  GO
+ 
+  -- Required from SQL 2014 onwards for database connectivity.
+  use master;
+    BEGIN TRY GRANT CONNECT ANY DATABASE TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+  GO
+ 
+  -- Provide msdb specific permissions
+  use msdb;
+    BEGIN TRY GRANT EXECUTE ON [msdb].[dbo].[agent_datetime] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[sysjobsteps] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[syssubsystems] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[sysjobhistory] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[syscategories] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[sysjobs] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[sysmaintplan_plans] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[syscollector_collection_sets] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[sysmail_profile] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[sysmail_profileaccount] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[sysmail_account] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+  GO
+ 
+  -- Clean up
+  --use master;
+  -- EXECUTE sp_MSforeachdb 'USE [?]; BEGIN TRY DROP USER [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;'
+  -- BEGIN TRY DROP LOGIN [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+  --GO
+   ```
+
+### SQL Server Authentication
+  
    ```sql
-    -- Create a login to run the assessment
-    use master;
-        CREATE LOGIN [evaluator]
-            WITH PASSWORD = '<provide a strong password>'
-    GO    
-    
-    -- Create user in every database other than tempdb and model and provide minimal read-only permissions. 
-    use master;
-        EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model''))  CREATE USER [evaluator] FOR LOGIN [evaluator]'
-        EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model''))  GRANT SELECT ON sys.sql_expression_dependencies TO [evaluator]'
-        EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model''))  GRANT VIEW DATABASE STATE TO [evaluator]'
-    GO
-    
-    -- Provide server level read-only permissions
-    use master;
-        GRANT SELECT ON sys.sql_expression_dependencies TO [evaluator]
-        GRANT EXECUTE ON OBJECT::sys.xp_regenumkeys TO [evaluator];
-        GRANT VIEW DATABASE STATE TO evaluator
-        GRANT VIEW SERVER STATE TO evaluator
-        GRANT VIEW ANY DEFINITION TO evaluator
-    GO
-    
-    -- Required from SQL 2014 onwards for database connectivity.
-    use master;
-        GRANT CONNECT ANY DATABASE TO evaluator
-    GO
-    
-    -- Provide msdb specific permissions
-    use msdb;
-        GRANT EXECUTE ON [msdb].[dbo].[agent_datetime] TO [evaluator]
-        GRANT SELECT ON [msdb].[dbo].[sysjobsteps] TO [evaluator]
-        GRANT SELECT ON [msdb].[dbo].[syssubsystems] TO [evaluator]
-        GRANT SELECT ON [msdb].[dbo].[sysjobhistory] TO [evaluator]
-        GRANT SELECT ON [msdb].[dbo].[syscategories] TO [evaluator]
-        GRANT SELECT ON [msdb].[dbo].[sysjobs] TO [evaluator]
-        GRANT SELECT ON [msdb].[dbo].[sysmaintplan_plans] TO [evaluator]
-        GRANT SELECT ON [msdb].[dbo].[syscollector_collection_sets] TO [evaluator]
-        GRANT SELECT ON [msdb].[dbo].[sysmail_profile] TO [evaluator]
-        GRANT SELECT ON [msdb].[dbo].[sysmail_profileaccount] TO [evaluator]
-        GRANT SELECT ON [msdb].[dbo].[sysmail_account] TO [evaluator]
-    GO
-    
-    -- Clean up
-    --use master;
-    -- EXECUTE sp_MSforeachdb 'USE [?]; DROP USER [evaluator]'
-    -- DROP LOGIN [evaluator]
-    --GO
+  -- Create a login to run the assessment
+  use master;
+	-- If a SID needs to be specified, add here
+    DECLARE @SID NVARCHAR(MAX) = N'';
+	IF (@SID = N'')
+	BEGIN
+		CREATE LOGIN [evaluator]
+			WITH PASSWORD = '<provide a strong password>'
+	END
+	ELSE
+	BEGIN
+		CREATE LOGIN [evaluator]
+			WITH PASSWORD = '<provide a strong password>'
+			, SID = @SID 
+	END
+	SELECT @SID = N'0x'+CONVERT(NVARCHAR, sid, 2) FROM sys.syslogins where name = 'evaluator'
+	IF (ISNULL(@SID,'') != '')
+		PRINT N'Created login [evaluator] with SID = '+@SID
+	ELSE
+		PRINT N'Login creation failed'
+  GO    
+ 
+  -- Create user in every database other than tempdb and model and provide minimal read-only permissions. 
+  use master;
+    EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model''))  BEGIN TRY CREATE USER [evaluator] FOR LOGIN [evaluator]END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH'
+    EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model''))  BEGIN TRY GRANT SELECT ON sys.sql_expression_dependencies TO [evaluator]END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH'
+    EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model''))  BEGIN TRY GRANT VIEW DATABASE STATE TO [evaluator]END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH'
+  GO
+ 
+  -- Provide server level read-only permissions
+  use master;
+    BEGIN TRY GRANT SELECT ON sys.sql_expression_dependencies TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT EXECUTE ON OBJECT::sys.xp_regenumkeys TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT VIEW DATABASE STATE TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT VIEW SERVER STATE TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT VIEW ANY DEFINITION TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+  GO
+ 
+  -- Required from SQL 2014 onwards for database connectivity.
+  use master;
+    BEGIN TRY GRANT CONNECT ANY DATABASE TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+  GO
+ 
+  -- Provide msdb specific permissions
+  use msdb;
+    BEGIN TRY GRANT EXECUTE ON [msdb].[dbo].[agent_datetime] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[sysjobsteps] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[syssubsystems] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[sysjobhistory] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[syscategories] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[sysjobs] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[sysmaintplan_plans] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[syscollector_collection_sets] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[sysmail_profile] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[sysmail_profileaccount] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+    BEGIN TRY GRANT SELECT ON [msdb].[dbo].[sysmail_account] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+  GO
+ 
+  -- Clean up
+  --use master;
+  -- EXECUTE sp_MSforeachdb 'USE [?]; BEGIN TRY DROP USER [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;'
+  -- BEGIN TRY DROP LOGIN [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
+  --GO
    ```
 
-  Here's how the permissions script can be used:
+## How to use the permissions script
+
+The script above can be used as follows:
+- Save the appropriate permissions script (with valid password string) as an _.sql_ file, say _c:\workspace\MinPermissions.sql_
+- Connect to the instance(s) using an account with sysadmin permissions and execute the script. You can use **SQL Server Management Studio** or **sqlcmd**. The following example uses a trusted connection.
 
-   - Save the permissions script (with valid password string) as an _.sql_ file, say _c:\workspace\MinPermissions.sql_
-   - Connect to the instance(s) using an account with sysadmin permissions and execute the script. You can use **SQL Server Management Studio** or **sqlcmd**. The following example uses a trusted connection.
    ```cmd
       sqlcmd.exe -S sourceserver\sourceinstance -d master -E -i c:\workspace\MinPermissions.sql
    ```
-   - Use the minimal permissions account so created for further connections.
-
+- Use the minimal permissions account so created for further connections.
