Minimum privileges to read SQL Jobs using SQL SMO - smo

I wrote an application to use SQL SMO to find all SQL Servers, databases, jobs and job outcomes. This application is executed through a scheduled task using a local service account. This service account is local to the application server only and is not present in any SQL Server to be inspected.
I am having problems getting information on job and job outcomes when connecting to the servers using a user with dbReader rights on system tables. If we set the user to be sysadmin on the server it all works fine.
My question to you is: What are the minimum privileges a local SQL Server user needs to have in order to connect to the server and inspect jobs/job outcomes using the SQL SMO API?
I connect to each SQL Server by doing the following:
var conn = new ServerConnection
{
LoginSecure = false,
ApplicationName = "SQL Inspector",
ServerInstance = serverInstanceName,
ConnectAsUser = false,
Login = user,
Password = password
};
var smoServer = new Server (conn);
I read the jobs by reading smoServer.JobServer.Jobs and read the JobSteps property on each of these jobs.
The variable server is of type Microsoft.SqlServer.Management.Smo.Server.
user/password are of the user found in each SQL Server to be inspected.
If "user" is SysAdmin on the SQL Server to be inspected all works ok, as well as if we set ConnectAsUser to true and execute the scheduled task using my own credentials, which grants me SysAdmin privileges on SQL Server per my Active Directory membership.
Thanks!

Just been through this myself.
From SQL Books Online, here's what I found out...
To get or set Job object properties,
users must be a member of the
SQLAgentUserRole database role on the
MSDB database, or be the owner of the
job, or be a member of the sysadmin
fixed server role.
To create a job, users must be a
member of the SQLAgentUserRole,
SQLAgentReaderRole, and
SQLAgentOperatorRole database roles on
the MSDB database, or be a member of
the sysadmin fixed server role.
To drop a job, users must be a member
of the SQLAgentUserRole database role
on the MSDB database, or be the owner
of the job, or be a member of the
sysadmin fixed server role.

Related

Access remote database federation DB2

I have 2 systems. system A and system B and both are DB2 servers. I want to be able to access system B database from system A. Both have a database called TESTDB. I am trying to run the following command to create a server.
CREATE WRAPPER "drdawrapper"
LIBRARY 'libdb2drda.so'
OPTIONS (DB2_FENCED 'Y'
);
db2 "CREATE SERVER "PRD_SERVER_SSL_FLEX" TYPE DB2/UDB VERSION '11' WRAPPER "drdawrapper" AUTHORIZATION "xyz" PASSWORD "xyz" OPTIONS (DB2_CONCAT_NULL_NULL 'Y',DB2_VARCHAR_BLANKPADDED_COMPARISON 'Y',DBNAME 'TESTDB',HOST '169.62.253.230',NO_EMPTY_STRING 'N',PORT '50001',SECURITY 'SSL',STRING_UNITS 'S');"
But I keep getting:
DB21034E The command was processed as an SQL statement because it was not a
valid Command Line Processor command. During SQL processing it returned:
SQL1101N Remote database "TESTDB" on node "<unknown>" could not be accessed
with the specified authorization id and password. SQLSTATE=08004
Node directory:
db2 list node directory
Node Directory
Number of entries in the directory = 1
Node 1 entry:
Node name = TESTNODE
Comment =
Directory entry type = LOCAL
Protocol = TCPIP
Hostname = 123.21.23.12
Service name = 50001
The credentials are correct. I am not sure what node is it looking for. Any pointers?
Your question is more about configuration than programming.
As you appear to be encrypting the federated connection it can be wise to first verify that the encrypted connection works at the command-line, separately from federation. This irons out a lot of the detail and is easier to troubleshoot. After you get that working, you can then begin on encrypting the federated connection.
Please follow the detailed instructions here (choose the correct Db2-version):
You have to know in advance which kind of SSL/TLS trust verification you want (i.e. either single cert (client trusts the server - simplest and easiest), or multiple certs (both sides trust the other - more setup, arguably more secure), because this determines the configuration.
Ensure both of your Db2 instances and databases are properly configured for SSL.
Catalog the remote-node locally with security SSL (db2 catalog tcpip node ... remote ... server ...security ssl)
Catalog the remote-database locally on the new node name (db2 catalog database ... at node ...) followed by db2 terminate .
Verify a command-line connect to the remote database using the federated credentials, using the configured db2dsdriver.cfg if using SSLSERVERCERTIFICATE method, or using the keystore/stash configuration ( db2 connect to remotedb user ... using ... ). Use the same userid/password that you will use later in the create server command.
Once that command-line connect works, you can proceed with the encrypted federation link, via db2 create wrapper... and db2 create server....
There's no need to use quotes around the wrapper name, just let it fold, otherwise quotes are just annoying redundant noise, although it is not a mistake.
Inside the script for create server command options instead of AUTHORIZATION "xyz" PASSWORD "xyz" use AUTHORIZATION \"xyz\" PASSWORD \"xyz\" (i.e. escape the quotes).
For one-sided trust, use SSL_SERVERCERTIFICATE in the create server options clause and ensure the value is accurate (fully qualified path to the remote-db2instance-certificate-file), and that the file/directory permissions are valid.
For mutual trusts, use both SSL_KEYSTORE and SSL_KEYSTASH keywords with correct values, in the create server options clause (having previously ensured your keystores are properly populated, as verified by a command-line connect above).
You may also want to consider create user mapping depending on the requirements.
Finally you can create your nicknames, and test out the federated link by querying those nicknames.

Unable to Create Active Directory user group in Azure SQL using PowerShell

I am trying to add active directory user group to azure sql databases through PowerShell, but unable to do so. I am using SQL administrator login to achieve it. When i execute my code it gives me below error.
Principal 'abc' could not be created. Only connections established with Active Directory accounts can create other Active Directory users.
When I use my active directory account to create users it then gives me below error.
Sqlcmd: Error: Microsoft ODBC Driver 13 for SQL Server : Cannot open server "domain name" requested by the login. The login failed..
Azure SQL does not support AD integration, Only supports Azure Active Directory and SQL authentication. If there is need for AD integration then choose one of the following option:
SQL Server on VM - Unmanaged SQL server with full access to SQL instance.
Federated authentication with ADFS infrastructure, refer to the documentation https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-overview

dblink from remote server into a Google Cloud SQL instance using .pgpass

I'm trying to connect to a Google Cloud SQL instance using dblink, which works well when setting up my username and password in the connection string, but I would like to save my Client credentials in the SQL instance not to have the need to explicitly put my password in the connection.
The .pgpass file which will used is the one that belongs to the OS user which is running the local database ('~/postgres/.pgpass', in most cases). And then for security reasons, it works only if you are locally a superuser. Can you meet those criteria?
but I would like to save my Client credentials in the SQL instance
What does "SQL instance" mean? I would not think that .pgpass would count as being inside the SQL instance.
An alternative solution is create a foreign server with "postgres_fdw". This doesn't seem to be documented (edit: it is documented here, but uses dblink_fdw not postgresql_fdw), but you can pass the name of a "postgres_fdw" foreign server (in single quotes) to dblink functions as the connection string. It will then pull the password to be used from the USER MAPPING for that server and user. I would think the USER MAPPING counts as inside the "SQL instance".

Informatica DB2 DSN not working in Designer

I am trying to connect to DB2 database to import source structure. I tried using ODBC DB2 Wire Protocol Driver Setup. I provided IP Address, TCP Port, Location ( DB2 to Z/OS and Iseries), but when I click on test connection I get below error:
[Informatica][ODBC DB2 Wire Protocol driver][DB2]NULLID.DDOS510A DOES NOT HAVE PRIVILEGE TO PERFORM OPERATION PACKAGE ON THIS OBJECT.
Same method I tried in lower environment of DB2 and connection works. but in higher environment I get this error. ( I verified login in the database directly and my user id has login access).
This is not a programming question, it is about configuration.
The reason that it works on one database, but fails on another, is because only one of the databases has the correct permissions.
Ask the DBA to grant relevant privileges to the userid at the database.
You will find more details at the following IBM technote and also at here.

DB2 ODBC Connection String without Database Name

I am trying to connect DB2 Server with ODBC, which is working fine if I specify Database in connection string.
driver = 'IBM DB2 ODBC DRIVER'
server = '10.30.30.114'
port = '50000'
protocol = 'TCPIP'
database = 'SAMPLE'
user = 'administrator'
pass = 'password'
DBI.connect("DBI:ODBC:Driver=#{driver};HostName=#{server};Port=#{port};Protocol=#{protocol};Database=#{database};Uid=#{user};Pwd=#{pass};")
The issue is I will not be knowing the database name in advance at the time of connecting to the server. I want the list of databases on the server and then tables in those databases, how should I approach?
You cannot "connect to a DB2 server" via ODBC; you can only connect to a database, for which you obviously need to specify the database name. You could use the DB2 C/C++ API calls db2DbDirOpenScan and db2DbDirGetNextEntry to list the database directory, but this code will need to be executed on the server itself, otherwise it will attempt to list the database catalog on the client machine.
IF you are connecting to DB2 for i server (formerly DB2 UDB on OS/400) --
Initially connect using hostname, allowing database to default. You can then get a list of databases in the DB2 for i SYSCATALOGS view. Your query might look like this:
SELECT catalog_name, -- database name
catalog_text -- DB description
FROM QSYS2.SYSCATALOGS
WHERE catalog_type='LOCAL' -- local to that host
AND catalog_status='AVAILABLE' -- REMOTE catalogs are 'UNKNOWN' status
You could then connect to that database if . Once connected to the appropriate database, you could query other DB2 for i catalog views such as SYSSCHEMAS and SYSTABLES. ODBC/JDBC Catalog views and ANS/ISO Catalog views would also be available.
Other API's are available outside of an ODBC connection via IBM i Access, if you prefer.