You are here: Home > Configuration
Archive | Configuration RSS feed for this section

Automation: Granting Read Perms for Developers

by on August 16, 2010

Yeah, you heard me.

Do you like to read?

“But Kendra, why would we want to grant developers read  permissions? And why would we automate  it? And at what point did you lose your mind?”

Well, Virginia, there may or may not be a Santa Claus, but there are a lot of developers and good reasons to give them read access on many SQL Server instances. In my world, it’s every instance in the pre-production environment, which is a couple  hundred and growing. And it ain’t just read they’re needing, they should be empowered with all of:

  • In master: View server state– so they can look at all those pesky spids they can block, and which may be causing problems they’re investigating.
  • In msdb:
    • db_datareader — so they can query things not easily seen through the GUI
    • SQLAgentReaderRole — so they can look at currently executing jobs and history through the GUI
  • In each user database:
    • db_datareader — for troubleshooting, troublemaking, and general read-i-ness
    • view definition — so they can see what they’re dealing with
    • showplan — so there ain’t no excuse if they’re causing issues, and also to help further with the troubleshooting

And of course a user needs to be created in msdb and the user databases for this all to work out. Things to look out for: SQL Server will let you create a login and apply database level permissions with T-SQL without the user being created, but then you’ll find it doesn’t work.

When you’re dealing with a large pre-production environment and a large group  of developers (> 75 total) who periodically change roles, this permission set can be a bit complicated to manage.

How I Rigged this Up

In my implementation, this script is in a job on an MSX master server, and our server build steps for pre-production servers include configuring  the instance as a TSX subscriber and adding the job. The job is scheduled to run daily, so if new databases are created, restored, or dropped and recreated, permissions will automatically be re-applied. I like using the MSX  job for the implementation because it’s easy for our DBA team to see the job on the instance and see exactly what it does, and if there’s any reason to exempt an instance then that’s very simple to do.

So with this solution, I don’t have to worry about the mechanics of applying read permissions. I just have to worry about making sure the right people are in the active directory group, and I can pass that task on to their managers.

Important: Because of how our active directory and firewalls are configured, I do not have to worry about  this job being accidentally deployed to a production server and granting read where it should not. Something to think  about! Don’t automate yourself into security violations. This was another reason I chose the relatively “transparent” solution of an MSX subscriber job rather  than other solutions.

The Script

Disclaimer: This script was tossed together quickly. If you read the story above, you know I wasn’t even working on it for production. It supports windows groups only  in its current form. (Please don’t use sql authentication to grant read. Domain groups are so much more auditable and controllable!) It grants permissions directly to a login and does not create a role in each database. This is for a good reason in my world, but the best practice is to create a role, so keep that in mind.

As always, test the stuffing out of this and edit as needed if you’d like to make use  of it. Continue Reading →

Comments { 2 }

Why To Do Some of the Grunt Work, Even If You Don't Have To

by on July 1, 2010

Part of this past week I’ve spent doing a new SQL Server 2008 R2  installation and configuration on a Windows 2008 R2 cluster. I  haven’t done an install end-to-end in quite a while– I have teammates who take care of it while following our installation checklist document.

I started doing the install and configuration myself because I want to create fresh unattended install files, which I will later turn into slipstream drops. (For more on my love of slipstream installs, see the post here.) I will also be branching the install document soon to create a new version for SQL 2008 R2. Although the install for R2 isn’t very different, many of the paths used for copying files and a few scripts change, so  it’s less confusing in a separate document. In preparation for branching the file, I thought it would be good to give the 2008 install document itself a spring cleaning to clear up anything misleading.

Oh, Wouldya Look at That…

Cleanup on Aisle 7

This was an interesting experience. Although everything technically worked, some cleanup was needed on Aisle Seven.

The checklist is in a Word document so it can be filled out and saved in a history folder on SharePoint each time it used. In a recent past life this was all in a wiki, however. The wiki-to-SharePoint conversion was a shared project on a tight timeline and a lot of copy’n'paste was needed, so some of the fOrMatTing waS nOT wHat YoU’D eXpecT  <WEIRD WIKITAG HERE>

Some steps were in a slightly strange order, so you were over here in PowerShell, now over here in SQL, now back to PowerShell, now  reboot! Reboot! Reboot!  Now check out your page file. Run another PowerShell script! Hey did you forget about the other nodes in the cluster, this step finally mentions them– let’s go back and do all those again on the other node, hmm?

I also found that lo and behold, there were some steps I’d kinda forgotten about. Sure, I know this stuff, I’m not a complete goofy panda a trained professional. I have lots of experience!  But that’s sort of the problem. I have lots of experience and while I can synthesize gobs and gobs of it into a cohesive picture, there’s certain details I end up forgetting if I don’t work with them for a very long time.

And yes, GOBS is the technical unit for DBA experience. It’s like how large volumes of data appear in WADS.

What I’m Sayin

I re-learned that it’s important to occasionally revisit and improve things you already know how to do.  Especially if you’ve delegated these tasks to others, you may not understand them as clearly as you’d like to think. Maybe you’ve learned things recently that allow you to streamline the tasks and make them easier, too.

But most importantly, it’s key to understand the full details of your environment’s configuration. Knowing how something is set up will save a ton of time when you need to troubleshoot it. Besides time being money, it’s YOUR time, and that’s what you want more of, right?

Comments { 0 }

DBA Checklists: Check out Free OneNote in Office Live

by on June 21, 2010

Why DBAs Will Love OneNote

OneNote in Office online makes it easy to create and share notebooks with many checklists. The checklists include version tracking.

DBAs tend to use and share a lot of checklists– things like installation and configuration sequences, patching instructions, quarterly system review processes, change/deployment  plans, etc. Sequencing of tasks is important, and sharing status of the tasks easily is extremely helpful.

Essentially, to be successful as a DBA you need to be able to express and document processes simply in a way that others can understand, either for compliance reasons or so they can carry out the tasks themselves.

I use OneNote all the time at work for checklists and I don’t know what I’d do without it. It integrates beautifully with SharePoint 2010 and is great for collaborative checklists. It allows me to easily map out the steps for a project, hand off tasks to others, and share the status of the project. It’s invaluable for later answering the question, “why did we do that?”

Now OneNote 2010 is available online as part of Windows Office Live and is free to use. I highly recommend trying it out.

How to Try it Out

Go to http://live.com. If you have a Windows Live ID, go ahead and sign in. Otherwise, click ‘Sign Up’ and walk through the wizard to create a Windows Live ID.

Once  you’re signed in, click the Office option on the top menu.

This will take you to the Office page. Click the OneNote button on the right to create a new online document.

You’ll be prompted to name your notebook and save it. It will automatically save into your SkyDrive space and then open your new OneNote Notebook.

The Trick For CheckLists

I’m going to describe below how to get started with OneNote, but it’s pretty intuitive and I imagine most people will just give it a shot without reading everything here. That’s what I would do.

So I’ll just say now, the main thing you need to know is this:

All you have to do to create a checkbox is hit CTRL+1.  Doing it again will check the box. Doing it a third time will remove the box.

You can do this with the mouse from the ‘Tag’ menu on the ribbon bar as well, but it’s really fast to do with the keyboard and with a little practice it’s easy as pie. Tasty, tasty checklist  pie.

Sample OneNote Checklist

Continue Reading →

Comments { 1 }

Automating SQL Local Security Policy Rights: PoSH and NTRights

by on November 12, 2009

The Basics on Local Security Policy Rights and SQL Server…

There are a couple of local security policy rights that are not granted by default in SQL Server setup that I’ve been setting manually for a few years now:

  • Lock Pages In Memory
    • Allows large page allocation
    • Prevents the SQL Server process from being paged out
  • Perform Volume Maintenance Tasks
    • Instant initialization on data files

It’s a fairly click-heavy process to add the permissions for these through the Local Security Policy GUI. I prefer that these permissions be granted to the local security group for sql server that’s created in Windows, and that really requires a lot of clicks, unless you can remember and enter a group name like this without any typos:

SQLServerMSSQLUser$servername$MSSQLSERVER  or SQLServerMSSQLUser$servername$INSTANCENAME

By the way, what is up with using the $ in the group names?  If someone can tell me, I would love to know.

Why Not Just Grant these Rights to the Domain Service Account?

If your SQL Server service is running under a domain account, you can grant these privileges to that account and it will work. However, I prefer to grant it to the local group for SQL Services for two main reasons.

  1. If you change the account for SQL Server services, everything will still work. You can go to another domain account, network service, whatever, you won’t have to remember to check these permissions. (And you won’t remember until you’ve been bitten by it about 5 times.)
  2. It’s consistent with the way SQL Server grants permissions itself. (See the rights granted to the local groups here).

What about Clusters?

Well, so much for consistency– clusters do not use the local groups! For clustered instances, we grant the permission to the domain account.

Still, I prefer to be consistent with the way that the product grants the perms on standalone instances, and I have found instances where the service account was changed and the admins either were not aware they needed to grant these permissions or forgot.

Anyway, it Should be Easy!

I always figured there was an easy way to do this. And lo and behold, there is.

I have a project to build out some new pre-production servers right now, so as I’m walking through the build steps I am looking for ways to further automate our configuration. For these two rights, I did some searching and found that using NtRights.exe seems to be the easiest way to grant these permissions. Whenever people ask about editing local security policy with powershell, the response seems to be, “Why aren’t you using a GPO?”  But that wouldn’t work for this case.

NtRights.exe, which is a W2K3 resource kit utility (available here) was created for just these tasks, and I can call it from a PowerShell script anyhoo.

So here is the super-quick, super-dirty 1.0 version of granting these privileges. This version assumes you only have one sql instance installed on the box (which is how we roll in my current environment– otherwise you could pull them into an array and loop).  You can also use NTRights against remote machines, by the way, but you’d have to get the name of the Sql Server group a bit differently in that case. Or just use your domain account, I’m not going to judge you. ;)

In my case this is designed to be run post-setup when we’re logged into the box anyway, and the operator reviews the output. NTRights prints what it is granting and the outcome.

The Script

#copy ntrights.exe
Robocopy \\deployserver\shareWhereNtRightsLivesl\ d:\installDir ntrights.exe
D:
cd D:\installDir

#get the name of the sql server local group
$sqlgroup= net localgroup|findstr SQLServerMSSQLUser

#if we haven't found a group with this name, default to our service account (should be a cluster)
if (!$sqlgroup) {$sqlgroup=&quot;DOMAIN\SERVICEACCOUNT&quot;}

$sqlgroup=$sqlgroup.Replace(&quot;*&quot;,&quot;&quot;)

.\Ntrights -u $sqlgroup +r SeLockMemoryPrivilege
.\Ntrights -u $sqlgroup +r SeManageVolumePrivilege
Comments { 2 }