patternsqlMinor
Can I not add VIEW SERVER STATE to a role?
Viewed 0 times
canviewrolestateservernotadd
Problem
My server admin asked me to grant a user SA privileges for the purpose of upgrading our vCenter environment from 5.5 to 6.x and I refused. So I found a VMWare article that outlined all of the required permissions and set the up in a role so that I could assign the vCenter database user to the role for the purpose of upgrading and then remove the user from the role once complete. That part worked correctly with some cosmetic name changes to match our current environment. However the upgrade still failed with the following error:
OK so these are server level permissions. That is fine. So I wanted to add these privileges to the role I created for this "vc_admin".
Which netted me this set of errors.
So I add the role to the master database
If I change the code snippet above to target the user instead of the role it completes successfully. I suspect my issue is a simple misconception.
I read that I might have to create a server role for this to work which would explain the error. I tried the following which SSMS thinks is incomplete / syntactically incorrect.
Now according to msdn the authorization is optional and adding that didn't change the error.
I read now that ...
Server-scoped roles were introduced on SQL Se
Error : The user associated with the DSN has insufficient privileges.
Resolution: Provide sufficient privileges for the user by granting the user the following permissions:
* VIEW SERVER STATE
* VIEW ANY DEFINITIONOK so these are server level permissions. That is fine. So I wanted to add these privileges to the role I created for this "vc_admin".
USE master
GRANT VIEW SERVER STATE to vc_admin
Grant VIEW ANY definition to vc_admin
GOWhich netted me this set of errors.
Msg 15151, Level 16, State 1, Line 3
Cannot find the login 'vc_admin', because it does not exist or you do not eave permission.
Msg 15151, Level 16, State 1, Line 4
Cannot find the login 'vc_admin', because it does not exist or you do not have permission.So I add the role to the master database
CREATE ROLE vc_admin successfully. The code above is run again and I get the same errors again. If I change the code snippet above to target the user instead of the role it completes successfully. I suspect my issue is a simple misconception.
I read that I might have to create a server role for this to work which would explain the error. I tried the following which SSMS thinks is incomplete / syntactically incorrect.
create server role vc_adminNow according to msdn the authorization is optional and adding that didn't change the error.
Expecting ID, Quoted ID or TOI read now that ...
Server-scoped roles were introduced on SQL Se
Solution
Just because you create a role in the master database doesn't make it a server level role. It's still a database role - it just lives in a really important database.
SQL Server 2008R2 simply didn't have user defined server level roles. For that feature, you'll need to upgrade to SQL Server 2012.
You asked for something authoritative, and the best answer there is good ol' Books Online, where they list what's new in SQ Server 2012 security features:
https://technet.microsoft.com/en-us/library/42919d6c-1fd4-466e-ac75-d579248c07df(v=sql.110)
SQL Server 2008R2 simply didn't have user defined server level roles. For that feature, you'll need to upgrade to SQL Server 2012.
You asked for something authoritative, and the best answer there is good ol' Books Online, where they list what's new in SQ Server 2012 security features:
https://technet.microsoft.com/en-us/library/42919d6c-1fd4-466e-ac75-d579248c07df(v=sql.110)
Context
StackExchange Database Administrators Q#167862, answer score: 3
Revisions (0)
No revisions yet.