Solved

Modify SQL agent jobs without sysadmin

Posted on 2013-12-10
10
1,706 Views
Last Modified: 2013-12-25
We are using SQL server 2012 Standard Edition.

We have our development server where we do our research and development, before any process is deployed to production. These servers are managed by the DBA team. The DBA team does not want us to give sysadmin rights on the dev server. Right now the way the permissions are set up, we cannot modify or change schedule on any job without sysadmin rights. The DBA has mentioned that if we can suggest any way where we can do this without using sysadmin, they will let us do it.

Is there any way to be able to modify SQL agent jobs without having sysadmin rights?

Is there any way to be able to modify  schedule on SQL agent jobs without having sysadmin rights?

Thanks.
0
Comment
Question by:patd1
10 Comments
 
LVL 34

Assisted Solution

by:Brian Crowe
Brian Crowe earned 125 total points
Comment Utility
Taken from Microsoft Technet:

To configure a user to create or execute Microsoft SQL Server Agent jobs, you must first add an existing SQL Server login or msdb role to one of the following SQL Server Agent fixed database roles in the msdb database: SQLAgentUserRole, SQLAgentReaderRole, or SQLAgentOperatorRole.

By default, members of these database roles can create their own job steps that run as themselves. If these non-administrative users want to run jobs that execute other job step types (for example, SSIS packages), they will need to have access to a proxy account. All members of the sysadmin fixed server role have permission to create, modify, and delete proxy accounts. For more information about the permissions that are associated with these SQL Server Agent fixed database roles, see SQL Server Agent Fixed Database Roles.

Hope this helps,
0
 
LVL 69

Expert Comment

by:ScottPletcher
Comment Utility
>>
Is there any way to be able to modify SQL agent jobs without having sysadmin rights?
Is there any way to be able to modify  schedule on SQL agent jobs without having sysadmin rights?
<<

Not directly, unless you own the job.  None of the Agent roles will give you that authority on existing job(s) that you do not own.
0
 

Author Comment

by:patd1
Comment Utility
We can create/modify our own jobs. But the problem is this:

We are 3 people in a team. Each one of us should be able to modify all jobs (not just our own) on dev server. So we create the jobs under sysadmin and we use sysadmin login to modify or change schedule on those jobs. THE DBA wants us to find another way where we should be able to modify jobs or change schedule on all jobs without using sysadmin. There is no one else other then us three who uses this database server.

The DBA mentioned that there may be a third party tool that works like SQL agent that may allow us to do this, but was not clear on what third party tool.

Thanks.
0
 
LVL 69

Assisted Solution

by:ScottPletcher
ScottPletcher earned 125 total points
Comment Utility
The DBA could give you the SQLAgentOperatorRole.  That would allow you to view all jobs.

The DBA could (at least in theory) also:

1. create a new, different user that has sysadmin authority,
2A.  create a proc in msdb that execs as the new sysadmin user,
2B.  give you EXEC permission on that proc.  That proc would take parameters identical to sp_update_job and sp_update_jobschedule, and it would call those procs for you.  This should work for any job, since the proc is executing as sysadmin.
0
 

Author Comment

by:patd1
Comment Utility
We can view all jobs and also right click execute job.

The problem occurs when we want to modify the jobs or change schedule on those jobs that are not created under our own authentication.

The DBA will not give us any user that has sysadmin authority.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 

Author Comment

by:patd1
Comment Utility
Is there a third party tool that gives us this facility of creating/modifying/scheduling jobs, track history (basically some tool similar to sql agent), that can use a service account with sysadmin authority behind the scenes, where we can have users who can add create modify all jobs?
0
 
LVL 69

Expert Comment

by:ScottPletcher
Comment Utility
I'm not aware of such a tool.  Then again, you don't really such a tool.  It would likely do under the covers what I described above, that your own DBA could do.  Although it might put a "cute" GUI over the final result so you don't have to directly call a stored proc.
0
 
LVL 10

Assisted Solution

by:Banthor
Banthor earned 125 total points
Comment Utility
Have your DBA Team create a Service account in the environment with 'SQLAgentUserRole' permissions on the servers.

Create a Job that runs every 5 minutes or so that runs a CmdExec or Powershell script containing your changes from your share.

Put all the changes needed in that script.


> The scope of permissions is limited to Service account as far as your access. The jobs may do anything.
> As a dba, I would not allow this either but it may be a compromise you can work through.
In the past I have provided a Simple Web based UI to allow users to request jobs to be run at a time or on demand. Then user one Agent Job to execute one job a time.

Best Practice would be to have all your work in SSIS Packages, Validated by Test and Then sent to the DBA's to be Scheduled.

All Environments are different.
0
 
LVL 42

Accepted Solution

by:
EugeneZ earned 125 total points
Comment Utility
as per above post
the SQLAgentOperatorRole  msdb role should be good for you without being sa with some limitations,
for the rest jobs management ask DBAs
more:
SQL Server Agent Fixed Database Roles
http://technet.microsoft.com/en-us/library/ms188283.aspx
0
 

Author Closing Comment

by:patd1
Comment Utility
We had another DBA look at our problem, he created a new sql user account, not sure with what permissions, but it allows us to modify, re-schedule jobs.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

I wrote this interesting script that really help me find jobs or procedures when working in a huge environment. I could I have written it as a Procedure but then I would have to have it on each machine or have a link to a server-related search that …
Ever needed a SQL 2008 Database replicated/mirrored/log shipped on another server but you can't take the downtime inflicted by initial snapshot or disconnect while T-logs are restored or mirror applied? You can use SQL Server Initialize from Backup…
This video shows, step by step, how to configure Oracle Heterogeneous Services via the Generic Gateway Agent in order to make a connection from an Oracle session and access a remote SQL Server database table.
Via a live example, show how to backup a database, simulate a failure backup the tail of the database transaction log and perform the restore.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now