The EXECUTE permission was denied on the object 'sp_ssis_addlogentry'

"The EXECUTE permission was denied on the object 'sp_ssis_addlogentry', database,.
I am able to execute package via VS SSIS studio, however, when I deploy the same package in SSIS agent it say's me above error.
Could you please help me in that. 

Hi BhavSAn,
Based on the error message, we can infer that the account that execute the package via SQL Agent job has insufficient permissions to execute the package.
It seems that you are use different accounts to execute the package in SSDT and SQL Agent job. When we run an SSIS package within an SQL Server Agent Job, the job step by default runs under SQL Server Agent Service Account. By default, SQL Server Agent Service
uses the NT Service\SQLSERVERAGENT account. While it only has the following permissions granted by SQL Server Setup:SeServiceLogonRight, SeAssignPrimaryTokenPrivilege, SeChangeNotifyPrivilege and SeIncreaseQuotaPrivilege.
To fix this issue, we can grant execute permission to the account that execute the job or create a SQL Server Agent proxy account. This proxy account must use a credential that lets SQL Server Agent run the job as the account that created the package or
as an account that has the required permissions.
References:
GRANT Object Permissions (Transact-SQL)
Running a SSIS Package from SQL Server Agent Using a Proxy Account
Thanks,
Katherine Xiong
Katherine Xiong
TechNet Community Support

Similar Messages

  • The EXECUTE permission was denied on the object 'proc_FetchDocForUpdate'

    I occasionally see this error message
    Source: Windows SharePoint Server
    Category: Database
    Event ID: 5214
    Insufficient SQL database permissions for user '(web application pool account)’ in database 'SharePoint_AdminContent_' on SQL Server instance '(servername)'. Additional error information from SQL Server is included below.
    The EXECUTE permission was denied on the object 'proc_FetchDocForUpdate', database 'SharePoint_AdminContent_', schema 'dbo'.
    I found some posts about granting account dbowner right or directly grant Execute permission and they don’t sound very good options.
    Do you have ideas of what caused this and how to fix this?
    Thanks

    Hi guys,
    I have the same error, but now I can reproduce it easily (but I don't now why):
    1.- Go to a site with a document library
    2.- Right click over a FOLDER and select "save shortcut" (or something similar, I have OS in Spanish)
    3.- Open a new outlook message (or word document, etc) and insert an hyperlink. In the Address box of the dialog window paste the shortcut. The problem is that the address box doesn't allow more than 255 characters, so the link is "broken".
    4.- Send the message or click over the new "broken" hyperlink and it sends you to an error page ("Cannot complete this action. Please try later."). There is a link that says something like: "Problem with the errors localizator with Windows SharePoint Services". If you click to see the HELP window: "voilà", the critical error returns to the log:
    "w3wp.exe (0x0FD4)                        0x0E30 Windows SharePoint Services    General                        8kh7 High     Cannot complete this action. Please try later. 
    w3wp.exe (0x0FD4)                        0x0FE0 Windows SharePoint Services    Database                       6lcf Critical Insufficient SQL database permissions for user 'MOSS_WEBAPPxxx' in database 'SharePoint_AdminContent_xxxxx' on SQL Server instance 'SQLServerxxxx'. Additional error information from SQL Server is included below.  The EXECUTE permission was denied on the object 'proc_FetchDocForUpdate', database 'SharePoint_AdminContent_xxxxx', schema 'dbo'.  "
    It seems that it only happens in one of may Web Apps so I'll look for the differences. I hope it could be useful.
    Ciao.
    06/oct/09 - MORE NEWS
    - The link that reproduces the error appears if in the web.config of the web app:
          1. CallStack = false
          2. The "GlobalErrorHandle" line is commented
    Today it was "solved"???:
    - In the SQL Server we give "db_datareader" permission in the SharePoint_AdminContent_xxxx DB to the MOSS_WEBAPP_xxx user. We repeated the prove and the error had disappeared. Then we removed the "db_datareader" permission for MOSS_WEBAPP, and the error continued missing, so now we don't get this error anymore... but I don't know why (MOSS = X-file). Maybe tomorrow this error will return.
     13/oct/09 - AND MORE...
    - URL used to reproduce the error: http://server:port/_layouts/help.aspx?Lcid=1027&Key=WCMNavigationInheritance.com
    If we add the Execute Permission to the rol WSS_Content_Application_Pools over the SharePoint_AdminContent_xxxx DB then the error returns for other stored procedures or views. The complete list is:
    - proc_FetchDocForUpdate
    - proc_GetWebMetaInfo
    - proc_UpdateDirtyDocument
    - proc_UpdateListItem
    - and the view: UserData (need "Select" access)
    but again if instead of giving individual permissions we give the db_owner rol to the WEB_APP user, repeat the test and eliminate the db_owner rol for this user, then the error disappears ... ???? 

  • PowerPivot 2012 Error: BaseWorkbook.CacheStream: Failed to read from stream. Error was: System.Data.SqlClient.SqlException: The EXECUTE permission was denied on the object 'proc_FetchChunkFromDocStreams', database 'SharePoint_AdminContent'

    Hi, I have setup PowerPivot 2012 for SharePoint, but when I access'PowerPivot Management Dashboard' in Central Admin I get error message 'An error has occured'
    Below is the error in the ULS,
    Background file fill operation caught exception: System.Data.SqlClient.SqlException: The EXECUTE permission was denied on the object 'proc_FetchChunkFromDocStreams', database 'SharePoint_AdminContent_ca021d58-ef1f-4f30-9aeb-6f24db24862b', schema 'dbo'.  
     at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)    
     at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)    
     at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)    
     at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()    
     at System.Data.SqlClient.SqlDataReader.get_MetaData()    
     at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)    
     at System.Data.SqlClient.SqlCommand.CompleteAsyncExecuteReader()    
     at System.Data.SqlClient.SqlCommand.InternalEndExecuteReader(IAsyncResult asyncResult, String endMethod)    
     at System.Data.SqlClient.SqlCommand.EndExecuteReader(IAsyncResult asyncResult)    
     at Microsoft.SharePoint.CoordinatedStreamBuffer.AsyncSqlSession.EndExecuteReader(IAsyncResult ar)    
     at Microsoft.SharePoint.CoordinatedStreamBuffer.SPBackgroundSqlFileFiller.OnReadComplete(IAsyncResult result)
    BaseWorkbook.CacheStream: Failed to read from stream. Error was: System.Data.SqlClient.SqlException: The EXECUTE permission was denied on the object 'proc_FetchChunkFromDocStreams', database 'SharePoint_AdminContent_ca021d58-ef1f-4f30-9aeb-6f24db24862b',
    schema 'dbo'.    
     at Microsoft.SharePoint.CoordinatedStreamBuffer.SPBackgroundFileFiller.Fill()    
     at Microsoft.SharePoint.CoordinatedStreamBuffer.SPCoordinatedStreamBuffer.WaitForIntervalFill(SPInterval i)    
     at Microsoft.SharePoint.CoordinatedStreamBuffer.SPCoordinatedMemoryStream.Read(Byte[] array, Int32 offset, Int32 count)    
     at Microsoft.SharePoint.SPFileStream.Read(Byte[] buffer, Int32 offset, Int32 count)    
     at Microsoft.Office.Excel.Server.CalculationServer.BaseWorkbookManager.CacheStream(CachedFile cachedFile, FileLoader loader)
    Regards,
    Ayaz
    SharePoint Architect

    Hey Ayaz,
    I do had the same error message when I click on "PowerPivot Management Dashboard". After few research I resolved this issue.
    You need to provide the dbReader and dbWriter permission to powerpivot app pool account at "SharePoint_AdminContent_ca021d58-ef1f-4f30-9aeb-6f24db24862b"
    Have a great day :-)
    Santosh sethi

  • Enable-CsUser : The EXECUTE permission was denied on the object 'XdsPublishItems', database 'xds', schema 'dbo'

    I have created a PowerShell script that automates enabling users for Lync and setting policies based on group membership. I've successfully tested this script under my domain admin account and now I am working on getting it running as a scheduled task.
    Since all the script really does related to Lync is run the commands Enable-CsUser, Set-CsUser, and Grant-Cs<policy name>Policy, I elected to create a service account that only has Lync user administration permissions.  Initially, this user account
    was just a member of CSUserAdministration but this was not working so I added the user to RTCUniversalUserAdmins based on some other information I found.
    This change got me by the various access denied errors I was getting in the script, but now I am getting the following error when I run the Enable-CsUser part:
    Enable-CsUser : The EXECUTE permission was denied on the object 'XdsPublishItems', database 'xds', schema 'dbo'.
    At line:1 char:1
    + Enable-CsUser -Identity <redacted> -RegistrarPool <redacted> - ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Enable-CsUser], SqlException
    + FullyQualifiedErrorId : System.Data.SqlClient.SqlException,Microsoft.Rtc.Management.AD.Cmdlets.EnableOcsUserCmdl
    et
    This seems to be some sort of permission error related to the permissions on the SQL database "xds".  I checked, and RTCUniversalUserAdmins is a member of both CsUserAdministration and RTCUniversalReadOnlyAdmins.  This latter group does
    have permissions on the xds database.  It appears to be granted the "public" role on the database server.  The User Mapping shows the following users mapped to the login:
    cpsdyn: public,ReadOnlyRole
    lis: public,ReadOnlyRole
    rgsconfig: public,ReadOnlyRole
    rgsdyn: public,ReadOnlyRole
    rtcxds: public,ConsumerRole
    xds: public,ConsumerRole
    Even though I receive this error, the user is actually added to Lync. Follow-up Set-CsUser and Grant-Cs<policy name>Policy cmdlets succeed just fine.
    What do I need to do to fix this error message?

    The issue is not related to UAC / Run As Administrator / Run With Highest Privileges.  I have verified that accounts granted only the CS User Administrator role simply do not have access to the XdsPublishItems stored procedure in the Lync xds database,
    even if they are members of RTCUniversalUserAdmins.
    Also, it does not have anything to do with my script.  Even if I grant my service account that local Administrator rights on the Lync front-end server, log into the server with that account, and run the Lync Server Management Shell as administrator
    and then do just the Enable-CsUser cmdlet (not my whole script), I get the same error.
    I ended up opening a Microsoft support case (#114040311332658) and it has been going on for weeks now.  Eventually they just told me that I needed to either have my script establish a remote PowerShell session to Lync or install the Lync management
    tools on another server and have the script call the Lync Server Management Shell from that server.  They say this because the Planning for Role-Based Access Control documentation (http://technet.microsoft.com/en-us/library/gg425917.aspx)
    has the following tip:
    "RBAC restrictions work only on administrators working remotely, using either the Lync Server Control Panel or Lync Server Management Shell. A user sitting at a server running Lync Server is not restricted by RBAC. Therefore, physical security of your
    Lync Server is important to preserve RBAC restrictions."
    I did attempt to run a PowerShell instance on my workstation as the service account, establish a remote PowerShell session to the Lync front-end server, and then run Enable-CsUser and I can confirm that it does run successfully and I do not receive an error
    of any kind.
    I told the support personnel that the tip stating that RBAC doesn't actually restrict permissions if running PowerShell on the server itself doesn't mean that you simply cannot run PowerShell cmdlets and scripts on the server, it just means that the user
    running the cmdlet or script won't have their accessible cmdlets limited to only those granted to the role assigned.  I told them I want a description of what the XdsPublishItem stored procedure does at a high level so I can determine if the error can
    just be simply ignored in this case.  I'm still waiting for them to get back to me on that.
    They did say they tested it on their end and confirm the same behavior in their test environment.  They also said that it doesn't seem to have any sort of negative impact on the functionality of the enabled Lync user or the consistency of the SQL database. 
    That said, I don't want to just take their word for it without them knowing what XdsPublishItem does.

  • Get The EXECUTE permission was denied on the object 'sp_send_dbmail', database 'msdb', schema 'dbo', even when user has permissions

    I get the error message:  The EXECUTE permission was denied on the object 'sp_send_dbmail', database 'msdb', schema 'dbo'.  This happens when I run a job, even though the user has the correct permission on sp_send_dbmail and is a user in msdb.
    If I run the procedure through SSMS it runs just fine and sends the mail.
    I have run out of things to look for, any ideas on what else it could be?
    Thanks in advance,
    Nancy

    To send Database mail, users must be a user in the msdb database and a member of the
    DatabaseMailUserRole database role in the msdb database. To add
    msdb users or groups to this role use SQL Server Management Studio or execute the following statement for the user or role that needs to send Database Mail.
    EXEC msdb.dbo.sp_addrolemember @rolename = 'DatabaseMailUserRole'
    ,@membername = '<user or role name>';
    GO
    http://technet.microsoft.com/en-us/library/ms188719(v=sql.105).aspx
    Regards, RSingh

  • The EXECUTE permission was denied on the object 'ManagedEntityTypeGetBySystemName', database 'OperationsManagerDW', schema 'dbo

    hey all
    i'm getting the above error when trying to run certain reports in scom 2012. i know there are similar issues and kevin holman has blogged about something similar. but i have permissioned the reader account appropriately and still no luck (have read http://skaraaslan.blogspot.be/2011/10/opsmgr-mp-update-new-base-os-mp-6069570.html).
    reader account already has execute permissions on the relevant sp's.
    i have reinstalled reporting services, as a test also given the reader account dbo access on the dw db, and ended up trying to give it admin access both at the sql and windows level - made no difference. some reports work fine, alot dont (eg all the w2k8
    reports).
    so i'm pulling whats left of my hair out with this one - anyone have any ideas?
    thx.

    Hello!!!
    I too am getting this error since I had upgraded to 2012 R2.  It appears that when you select "Add Group" or "Add Object" you get this error.
    What I have done:
    Uninstalled Report Services SCOM Report and Web applications
    Renamed the ReportServices folder so reinstalling a fresh Report Services DB
    Checked to make sure the ReportServices service has the correct permissions on OperationsManagerDW, ReportServer and reportServerTempDB
    Ran a SQL command to see if the service had the correct permissions.  See below (And it does)
    SQL_STORED_PROCEDURE
    ManagedEntityGetWithRowId
    EXECUTE
    GRANT
    OpsMgrReader
    Error
    Permissions:
    What Else can it be to cause this issue?
    Thanks!

  • EXECUTE permission was denied on the object 'proc_putObjectTVP'

    Today I have seen the following error on one of my SharePoint servers.
    The EXECUTE permission was denied on the object 'proc_putObjectTVP', database 'SharePoint_Config', schema 'dbo'.
    The account that was denied EXECUTE permissions is the Service Application App Pool account.
    Having googled the problem - most posts seem to suggest manually granting execute rights to the WSS_Content_Application_Pools role on the SharePoint_Config database to the following stored procedures:
    [dbo].[proc_putObjectTVP]
    [dbo].[proc_putObject]
    [dbo].[proc_putDependency]
    However it seems odd that there is not a SharePoint way to do this rather than modifying SQL permissions via SQL Management Studio. Has anyone else encountered this problem and is there a SharePoint way to fix it?
    I should add that Microsoft say this about Service and other Application Pool accounts:
    "This account is assigned to the WSS_CONTENT_APPLICATION_POOLS role associated with the farm configuration database."
    https://technet.microsoft.com/en-us/library/cc678863%28v=office.15%29.aspx#Section3

    Hi,
    From your description, you might find error 5214 in event log, one or more of the following might be the cause:
    The service account to which SharePoint is set does not have sufficient permissions to the database to which it is trying to connect.
    The service account is not set up properly in SharePoint.
    When using least privilege setup of the Farm.
    Please perform the steps below and test the issue again:
    1. Expand Databases then expand the SharePoint_Config Database.
    2. Expand Security -> Roles -> Database Roles
    3. Find WSS_Content_Application_Pools role, right click it, and select Properties
    4. Click on Securables and click Search
    5. Next click Specific objects and click OK
    6. Click Object Types and select Stored Procedures. Click OK
    7. Add the Stored Procedure 'proc_putObjectTVP' and click OK (if it does not automatically grant it exec permission; you need to click the checkbox on "execute" and save it)
    Regards,
    Rebecca Tu
    TechNet Community Support

  • The execute permission was denied

    Hi we are running ssis packages from Integration server, we got this error. Please review the error message and tell me how to troubleshoot this issue.
    Thanks
    DBA

    Hi DBA,
    Just as the error message said ”The EXECUTE permission was denied on the object ‘HyperonExtract_Current’, database ‘xxxx’, schema ‘hyp’.”, the current use does not have permission to execute on the object ‘HyperonExtract_Current’, database ‘xxxx’, schema
    ‘hyp’.
    To fix this issue, please grant the execute permission to the user with the query below:
    USE xxxx;
    GRANT EXEC ON hyp.HyperonExtract_Current TO user
    References:
    GRANT System Object Permissions (Transact-SQL)
    The EXECUTE permission was denied on the object ‘sp_start_job’, database ‘msdb’, schema ‘dbo’.
    Thanks,
    Katherine Xiong
    Katherine Xiong
    TechNet Community Support

  • Search account got - Insufficient sql database permissions for user. EXECUTE permission was denied on the object proc_Gettimerrunningjobs

    Dear all,
    I am troubleshooting a critical error showed up on Event log.  It said:
    Insufficient sql database permissions for user 'Name:domain\wss_search ....... EXECUTE permission was denied on the object 'proc_GetTimerRunningJobs', database 'SharePoint_Config', schema 'dbo'
    domain\wss_search is the default content access account. According to
    http://technet.microsoft.com/en-us/library/cc678863.aspx I should not grant it the Farm Administrators permission.
    In the Search Center I am able to search out documents as expected so I think the search service is fine.   However I have no clue why this account is trying to access 'proc_GetTimerRunningJobs'.
    Mark

    Hi Mark,
    This issue was caused by the search account’s permission. For resolving your issue, please do as the followings:
    Expand your SharePoint Configuration database 'SharePoint_Config' and navigate to ‘proc_GetTimerRunningJobs’ under Programmability ->Stored Procedures
    Right-click proc_GetTimerRunningJobs and choose Properties
    Click on Permission on the left launch
    Select the Search button and browse for ‘WSS_Content_Application_Pools’
    Provide ‘Execute’ permissions for ‘WSS_Content_Application_Pools’
    Click OK
    Here are some similar posts for you to take a look at:
    http://adammcewen.wordpress.com/2013/03/01/execute-permission-denied-on-sharepoint-config-db/
    http://technet.microsoft.com/en-us/library/ee513067(v=office.14).aspx
    I hope this helps.
    Thanks,
    Wendy
    Wendy Li
    TechNet Community Support

  • The SELECT permission was denied on the object 'extended_properties', database 'mssqlsystemresource', schema 'sys'. (Microsoft SQL Server, Error: 229)

    I have created a user and given him the owner rights for the database.  Though I can LogIn as the user, I cannot access the databases.  I am having the error mesage:
    Failed to retrieve data for this request. (Microsoft.SqlServer.Management.Sdk.Sfc)
    For help, click:
    http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&LinkId=20476
    ADDITIONAL INFORMATION:
    An exception occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)
    The SELECT permission was denied on the object 'extended_properties', database 'mssqlsystemresource', schema 'sys'. (Microsoft SQL Server, Error: 229)
    For help, click:
    http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=10.50.1600&EvtSrc=MSSQLServer&EvtID=229&LinkId=20476
    Sha_woop

    Since there are so many possibilities for what might be wrong.  Here's another possibility to look at.  I ran into something where I had set up my own roles on a database.  (For instance, "Administrator", "Manager", "DataEntry", "Customer",
    each with their own kinds of limitations)  The only ones who could use it were "Manager" role or above--because they were also set up as sysadmin because they were adding users to the database (and they were highly trusted).  Also, the users that
    were being added were Windows Domain users--using their domain credentials.  (Everyone with access to the database had to be on our domain, but not everyone on the domain had access to the database--and only a few of them had access to change it.)
    Anyway, this working system suddenly stopped working and I was getting error messages similar to the above.  What I ended up doing that solved it was to go through all the permissions for the "public" role in that database and add those permissions to
    all of the roles that I had created.  I know that everyone is supposed to be in the "public" role even though you can't add them (or rather, you can "add" them, but they won't "stay added").
    So, in "SQL Server Management Studio", I went into my application's database, in other words (my localized names are obscured within <> brackets): "<Computername> (SQL Server <version> - sa)"\Databases\<MyAppDB>\Security\Roles\Database
    Roles\public".  Right-click on "public" and select "Properties".  In the "Database Role Properties - public" dialog, select the "Securables" page.  Go through the list and for each element in the list, come up with an SQL "Grant" statement to
    grant exactly that permission to another role.  So, for instance, there is a scalar function "[dbo].[fn_diagramobjects]" on which the "public" role has "Execute" privilege.  So, I added the following line:
    EXEC ( 'GRANT EXECUTE ON [dbo].[fn_diagramobjects] TO [' + @RoleName + '];' )
    Once I had done this for all the elements in the "Securables" list, I wrapped that up in a while loop on a cursor selecting through all the roles in my roles table.  This explicitly granted all the permissions of the "public" role to my database roles. 
    At that point, all my users were working again (even after I removed their "sysadmin" access--done as a temporary measure while I figured out what happened.)
    I'm sure there's a better (more elegant) way to do this by doing some kind of a query on the database objects and selecting on the public role, but after about half and hour of investigating, I wasn't figuring it out, so I just did it the brute-force method. 
    In case it helps someone else, here's my code.
    CREATE PROCEDURE [dbo].[GrantAccess]
    AS
    DECLARE @AppRoleName AS sysname
    DECLARE AppRoleCursor CURSOR LOCAL SCROLL_LOCKS FOR
    SELECT AppRoleName FROM [dbo].[RoleList];
    OPEN AppRoleCursor
    FETCH NEXT FROM AppRoleCursor INTO @AppRoleName
    WHILE @@FETCH_STATUS = 0
    BEGIN
    EXEC ( 'GRANT EXECUTE ON [dbo].[fn_diagramobjects] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT EXECUTE ON [dbo].[sp_alterdiagram] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT EXECUTE ON [dbo].[sp_creatediagram] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT EXECUTE ON [dbo].[sp_dropdiagram] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT EXECUTE ON [dbo].[sp_helpdiagramdefinition] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT EXECUTE ON [dbo].[sp_helpdiagrams] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT EXECUTE ON [dbo].[sp_renamediagram] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[all_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[all_objects] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[all_parameters] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[all_sql_modules] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[all_views] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[allocation_units] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[assemblies] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[assembly_files] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[assembly_modules] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[assembly_references] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[assembly_types] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[asymmetric_keys] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[certificates] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[change_tracking_tables] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[check_constraints] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[column_type_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[column_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[computed_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[conversation_endpoints] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[conversation_groups] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[conversation_priorities] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[crypt_properties] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[data_spaces] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_audit_specification_details] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_audit_specifications] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_files] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_permissions] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_principal_aliases] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_principals] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_role_members] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[default_constraints] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[destination_data_spaces] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[event_notifications] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[events] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[extended_procedures] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[extended_properties] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[filegroups] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[foreign_key_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[foreign_keys] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_catalogs] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_catalog_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_fragments] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_indexes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_stoplists] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_stopwords] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[function_order_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[identity_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[index_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[indexes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[internal_tables] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[key_constraints] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[key_encryptions] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[message_type_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[module_assembly_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[numbered_procedure_parameters] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[numbered_procedures] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[objects] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[parameter_type_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[parameter_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[parameters] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[partition_functions] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[partition_parameters] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[partition_range_values] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[partition_schemes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[partitions] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[plan_guides] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[procedures] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[remote_service_bindings] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[routes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[schemas] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[service_contract_message_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[service_contract_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[service_contracts] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[service_message_types] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[service_queue_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[service_queues] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[services] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[spatial_index_tessellations] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[spatial_indexes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sql_dependencies] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sql_modules] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[stats] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[stats_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[symmetric_keys] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[synonyms] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[syscolumns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[syscomments] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysconstraints] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysdepends] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysfilegroups] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysfiles] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysforeignkeys] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysfulltextcatalogs] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysindexes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysindexkeys] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysmembers] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysobjects] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[syspermissions] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysprotects] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysreferences] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[system_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[system_objects] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[system_parameters] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[system_sql_modules] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[system_views] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[systypes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysusers] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[table_types] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[tables] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[transmission_queue] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[trigger_events] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[triggers] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[type_assembly_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[types] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[views] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_indexes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_attributes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_collections] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_component_placements] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_components] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_elements] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_facets] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_model_groups] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_namespaces] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_types] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_wildcard_namespaces] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_wildcards] TO [' + @AppRoleName + '];' )
    FETCH NEXT FROM AppRoleCursor INTO @AppRoleName
    END
    CLOSE AppRoleCursor
    RETURN 0
    GO
    Once that is in the system, I just needed to "Exec GrantAccess" to make it work.  (Of course, I have a table [RoleList] which contains a "AppRoleName" field that contains the names of the database roles.)
    So, the mystery remains: why did all my users lose their "public" role and why could I not give it back to them?  Was this part of an update to SQL Server 2008 R2?  Was it because I ran another script to delete each user and add them back so to refresh
    their connection with the domain?  Well, this solves the issue for now.
    One last warning: you probably should check the "public" role on your system before running this to make sure there isn't something missing or wrong, here.  It's always possible something is different about your system.
    Hope this helps someone else.

  • Why The SELECT permission was denied on the object 'Facts', database

    What this error means?
    I have configured Data Source to use a specific Windows user name and password. The SQL database have the windows user account with db_owner rights.
    Error 11 OLE DB error: OLE DB or ODBC error: The SELECT permission was denied on the object 'Facts', database 'Customer_2011_CBA', schema 'dbo'.; 42000.
    Error 12 Errors in the OLAP storage engine: An error occurred while processing the 'Facts' partition of the 'Facts' measure group for the 'Customer 2011 CBA Cube' cube from the Customer Analysis Services 1 database.
    Kenny_I

    I'm beginning point:
    Error 11 OLE DB error: OLE DB or ODBC error: The SELECT permission was denied on the object 'Facts', database 'Customer_2011_CBA', schema 'dbo'.; 42000.
    Error 12 Errors in the OLAP storage engine: An error occurred while processing the 'Facts' partition of the 'Facts' measure group for the 'Customer 2011 CBA Cube' cube from the Customer Analysis Services 1 database.
    The Windows account do have right in the SQL Server->Object Explorer->Databases->'Customer_2011_CBA'->Security->The user->Properties->All server roles
    Kenny_I
    can you try your SQL account?
    If you think my suggestion is useful, please rate it as helpful.
    If it has helped you to resolve the problem, please Mark it as Answer.
    Sevengiants.com

  • The SELECT permission was denied on the object 'syscategories', database 'msdb', schema 'dbo'.

    Hi all,
    I have a single select statement to monitor JOB status at database msdb, it works perfectly at versions 2000, 2005 and 2008 but in version 2012 got denied access to views syscategories, sysjobactivity, sysjobhistory, sysjobs and sysjobsteps even having applied
    "grant select on" to user (principals) at database msdb.
    Anyone have seen this and found an solution?
    --- SQL Server Version
    Microsoft SQL Server 2012 (SP1) - 11.0.3000.0 (X64)
        Oct 19 2012 13:38:57
        Copyright (c) Microsoft Corporation
        Enterprise Edition: Core-based Licensing (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)
    --- My Query
    set nocount on
    select x.job_name, x.job_status, x.monitor_status from (
    select j.name job_name
         , case
             when datediff(minute,s.login_time,current_timestamp) >= 8
                then 'In progress (more than 8h) '
             when datediff(minute,s.login_time,current_timestamp) >= 24
                then 'In progress (more than 24h) '
             else 'In progress'
           end job_status
         , case
             when datediff(minute,s.login_time,current_timestamp) >= 8
                then 8 -- 'In progress (more than 8h) '
             when datediff(minute,s.login_time,current_timestamp) >= 24
                then 9 -- 'In progress (more than 24h) '
             else 7 -- 'In progress'
           end monitor_status
      from sys.dm_exec_sessions s
             join msdb.dbo.sysjobs j
                on master.dbo.fn_varbintohexstr(convert(varbinary(16), j.job_id))COLLATE Latin1_General_CI_AI
                 = substring(replace(s.program_name, 'SQLAgent - TSQL JobStep (Job ', ''), 1, 34)
             inner join msdb.dbo.syscategories c
                on c.category_id = j.category_id
     where s.program_name like '%SQLAGENT - TSQL JOBSTEP%'
       and c.name like 'REPL-%'
    union all
    select j.name
         , case
              when datediff(minute,current_timestamp,ja.next_scheduled_run_date) <= -10
                 then 'Delayed'
              else
                 case jh.run_status
                    when 0 then
                       case when lower(left(j.name,8)) = 'uoldiveo'
                          then 'Failed (admin)'
                          else 'Failed'
                       end
                    when 1 then 'Succeeded'
                    when 2 then 'Retry'
                    when 3 then
                       case when lower(left(j.name,8)) = 'uoldiveo'
                          then 'Cancelled (admin)'
                          else 'Cancelled'
                       end
                    when 4 then 'In progress'
                 end
           end
         , case
              when datediff(minute,current_timestamp,ja.next_scheduled_run_date) <= -10
                 then 0 -- Delayed
              else
                 case jh.run_status
                    when 0 then
                       case when lower(left(j.name,8)) = 'uoldiveo'
                          then 1 -- 'Failed (admin)'
                          else 2 -- 'Failed'
                       end
                    when 1 then 3 -- 'Succeeded'
                    when 2 then 4 -- 'Retry'
                    when 3 then
                       case when lower(left(j.name,8)) = 'uoldiveo'
                          then 5 -- 'Cancelled (admin)'
                          else 6 -- 'Cancelled'
                       end
                    when 4 then 7 -- 'In progress'
                 end
           end
      from (msdb.dbo.sysjobactivity ja left join msdb.dbo.sysjobhistory jh on ja.job_history_id = jh.instance_id)
           join msdb.dbo.sysjobs j on ja.job_id = j.job_id
     where ja.session_id=(select max(session_id) from msdb.dbo.sysjobactivity where job_id = ja.job_id)
            and j.enabled = 1
            and jh.run_status <= 3
    ) x

    I was able to run the below without problems on SQL 2012:
    USE master
    CREATE LOGIN ove WITH PASSWORD = 'ÖLKJLKJ?="#'
    GRANT VIEW SERVER STATE TO ove
    go
    USE msdb
    go
    CREATE USER ove
    GRANT SELECT ON syscategories TO ove
    GRANT SELECT ON sysjobactivity TO ove
    GRANT SELECT ON sysjobhistory TO ove
    GRANT SELECT ON sysjobs TO ove
    GRANT SELECT ON sysjobsteps TO ove
    go
    EXECUTE AS LOGIN = 'ove'
    -- your query here
    REVERT
    go
    DROP USER ove
    go
    USE tempdb
    go
    DROP LOGIN ove
    Have you checked that there is no active DENY in force?
    Rather than granting these permissions, you could package this in a stored procedure that you signed with a certificate and then grant a login and user create from the certificate the required permissions. I discuss this technique in detail in an article
    on my web site:
    http://www.sommarskog.se/grantperm.html
    (But certs will not help you against DENY.)
    Erland Sommarskog, SQL Server MVP, [email protected]

  • EXECUTE permission was denied in sysdb database, schema 'ssma_oracle'.

    Hello,
    I have migrated a database from oracle to SQL server.
    After migration when I run a script on the migrated database,
    I get following error . The user with which I have migrated the database and I am running this script are same.
    Also I have given these 3 permissions on sysdb database to this user - public, db_datareader db_datawriter.
    Please let me know what am I missing?
    Msg 229, Level 14, State 5, Server SERVER5009\SQLEXPRESS, Procedure PROC_LOADTEST , Line 303
    The EXECUTE permission was denied on the object 'db_error_get_oracle_exception_i
    d', database 'sysdb', schema 'ssma_oracle'.
    Msg 229, Level 14, State 5, Server SERVER5009\SQLEXPRESS, Procedure ssma_rethr
    owerror, Line 1
    The EXECUTE permission was denied on the object 'ssma_rethrowerror', database 's
    ysdb', schema 'ssma_oracle'.
    Thanks a lot.

    Hi ManiC24,
    Msg 59999, Level 16, State 1, Procedure PROC_LOADTEST, Line 324
    SSMA Oracle exception emulation for [ORA-00001]
    As other post, the issue is related to Oracle. The number 59999 is used for all Oracle system, user-defined, or predefined exceptions.
    Based on my research, ORA-00001 is common when: "a program tries to insert a "duplicate" row in a table,"  and that, "when a unique constraint is violated the row is NOT added to the table. To overcome this error, either remove
    the unique restriction or do not insert duplicate
    key.
    Reference:
    http://www.dba-oracle.com/sf_ora_00001_unique_constraint_violated.htm
    Thanks,
    Lydia Zhang
    Lydia Zhang
    TechNet Community Support

  • SQLServer 2008 R2: The SCHEMA LOCK permission was denied on the object

    Hi all,
    I encounter the following error while developing a SSRS project that connects to a SQL Server Database view:
    "Msg 229, Level 14, State 71, Procedure sp_getschemalock, Line 1
    The SCHEMA LOCK permission was denied on the object 'Table4', database 'DBRemote', schema 'dbo'."
    That view uses a linked server to select data from a remote SQL Server Database (SQL Server 2005).
    There are no sql hints specified in my views
    My view T-SQL is:
    Select
    From linksv.DBRemote.dbo.Table1 T1
    Inner Join linksv.DBRemote.dbo.Table2 T2 On
      T1.fk1 = T2.pk1
    Inner Join view1 v1 On
      T2.fk2 = v1.pk2
    My t-sql for view1 is:
    Select
    From linksv.DBRemote.dbo.Table3 T3 
    Inner Join linksv.DBRemote.dbo.Table4 T4 On
      t3.fk1 = T4.pk1
    The object specified in error message above refers to Table "linksv.DBRemote.dbo.Table4" (see view above)
    SQL Server Permissions are set for all objects involved in the queries above.
    The funny thing is that the error occurs when I run my report from the report server webinterface
    and my report project is loaded in BIDS at the same time.
    The error occurs when I execute the query in SSMS 2008 and also when I run the query
    in BIDS 2008 Query designer.
    I also wondering why the error referes to the "linksv.DBRemote.dbo.Table4" remote object only
    but not to the other remote objects in that query.
    Im not sure where to look any further on what might cause this error.
    Appreciate any help very much.
    Thanks
    Bodo

    yes, this error happens because the login that is mapped on the second side of the linked-server is missing the read permission on the object. All queries done trhough linked-server will acquire a schema-lock just so that SQL can read the results correctly.
    I don't know exactly WHY it does it this way, but it does.
    to fix the error message, give the required permission to the login on the server that is target of the linked-server configuration - be it Windows Authentication, SQL Login, or connections "made using the logins current security context". The preferable
    way is to map 1-to-1 every login that will be used in the Security tab of the Linked Server Properties page.
    I made a post about this:
    http://thelonelydba.wordpress.com/2013/04/17/sql-and-linked-servers-the-schema-lock-permission-was-denied-on-the-object/

  • The SELECT permissions was denied on the object 'extended_properties', database 'mssqlsystemresource', schema 'sys'.(Microsoft SQL Server, Error:229

    I have a SQL Server connected intro a Windows Server 2003 Domain Active Directory, the server holds a default instance with a single Database, the SQL Server is 2005 Std Edition, and is using mix mode Authentification, then I able to create SQL Native Users
    and Invoque Windows Domain Users also.
    The Goal of this project is remove the sysadmin Server role for all the Windows Domain Users, to give then a more granular secure model but at the moment is this only way to connect at the Data Base Server.
    I already create Native SQL Servers users without any problem!, they respect Securable Setting, Server Roles, User Mapping, everything...Just when I create a Login Profile form a Domain Users and apply the same setting, I get this error...
    The SELECT permissions was denied on the object 'extended_properties', database 'mssqlsystemresource', schema 'sys'.(Microsoft SQL Server, Error:229)
    But if the user have sysadmin Server Rol he can sing over the server without any issue, I review the .sys view extended_properties and "Public" is the only Database Role placed.
    Any Idea if I need change any Setting in the Secure in SQL Master DataBase? or which is the issue witjh this matter?
    Thank in advance for your help!

    Since there are so many possibilities for what might be wrong.  Here's another possibility to look at.  I ran into something where I had set up my own roles on a database.  (For instance, "Administrator", "Manager", "DataEntry",
    "Customer", each with their own kinds of limitations)  The only ones who could use it were "Manager" role or above--because they were also set up as sysadmin because they were adding users to the database (and they were highly trusted). 
    Also, the users that were being added were Windows Domain users--using their domain credentials.  (Everyone with access to the database had to be on our domain, but not everyone on the domain had access to the database--and only a few of them had access
    to change it.)
    Anyway, this working system suddenly stopped working and I was getting error messages similar to the above.  What I ended up doing that solved it was to go through all the permissions for the "public" role in that database and add those permissions
    to all of the roles that I had created.  I know that everyone is supposed to be in the "public" role even though you can't add them (or rather, you can "add" them, but they won't "stay added").
    So, in "SQL Server Management Studio", I went into my application's database, in other words (my localized names are obscured within <> brackets): "<Computername> (SQL Server <version> - sa)"\Databases\<MyAppDB>\Security\Roles\Database
    Roles\public".  Right-click on "public" and select "Properties".  In the "Database Role Properties - public" dialog, select the "Securables" page.  Go through the list and for each element in the
    list, come up with an SQL "Grant" statement to grant exactly that permission to another role.  So, for instance, there is a scalar function "[dbo].[fn_diagramobjects]" on which the "public" role has "Execute" privilege. 
    So, I added the following line:   
    EXEC ( 'GRANT EXECUTE ON [dbo].[fn_diagramobjects] TO [' + @RoleName + '];' )
    Once I had done this for all the elements in the "Securables" list, I wrapped that up in a while loop on a cursor selecting through all the roles in my roles table.  This explicitly granted all the permissions of the "public" role to
    my database roles.  At that point, all my users were working again (even after I removed their "sysadmin" access--done as a temporary measure while I figured out what happened.)
    I'm sure there's a better (more elegant) way to do this by doing some kind of a query on the database objects and selecting on the public role, but after about half and hour of investigating, I wasn't figuring it out, so I just did it the brute-force method. 
    In case it helps someone else, here's my code.
    CREATE PROCEDURE [dbo].[GrantAccess]
    AS
    DECLARE @AppRoleName AS sysname
    DECLARE AppRoleCursor CURSOR LOCAL SCROLL_LOCKS FOR
    SELECT AppRoleName FROM [dbo].[RoleList];
    OPEN AppRoleCursor
    FETCH NEXT FROM AppRoleCursor INTO @AppRoleName
    WHILE @@FETCH_STATUS = 0
    BEGIN
    EXEC ( 'GRANT EXECUTE ON [dbo].[fn_diagramobjects] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT EXECUTE ON [dbo].[sp_alterdiagram] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT EXECUTE ON [dbo].[sp_creatediagram] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT EXECUTE ON [dbo].[sp_dropdiagram] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT EXECUTE ON [dbo].[sp_helpdiagramdefinition] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT EXECUTE ON [dbo].[sp_helpdiagrams] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT EXECUTE ON [dbo].[sp_renamediagram] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[all_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[all_objects] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[all_parameters] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[all_sql_modules] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[all_views] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[allocation_units] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[assemblies] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[assembly_files] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[assembly_modules] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[assembly_references] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[assembly_types] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[asymmetric_keys] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[certificates] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[change_tracking_tables] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[check_constraints] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[column_type_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[column_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[computed_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[conversation_endpoints] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[conversation_groups] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[conversation_priorities] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[crypt_properties] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[data_spaces] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_audit_specification_details] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_audit_specifications] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_files] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_permissions] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_principal_aliases] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_principals] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_role_members] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[default_constraints] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[destination_data_spaces] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[event_notifications] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[events] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[extended_procedures] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[extended_properties] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[filegroups] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[foreign_key_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[foreign_keys] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_catalogs] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_catalog_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_fragments] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_indexes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_stoplists] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_stopwords] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[function_order_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[identity_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[index_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[indexes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[internal_tables] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[key_constraints] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[key_encryptions] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[message_type_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[module_assembly_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[numbered_procedure_parameters] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[numbered_procedures] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[objects] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[parameter_type_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[parameter_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[parameters] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[partition_functions] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[partition_parameters] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[partition_range_values] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[partition_schemes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[partitions] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[plan_guides] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[procedures] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[remote_service_bindings] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[routes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[schemas] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[service_contract_message_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[service_contract_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[service_contracts] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[service_message_types] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[service_queue_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[service_queues] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[services] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[spatial_index_tessellations] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[spatial_indexes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sql_dependencies] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sql_modules] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[stats] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[stats_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[symmetric_keys] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[synonyms] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[syscolumns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[syscomments] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysconstraints] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysdepends] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysfilegroups] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysfiles] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysforeignkeys] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysfulltextcatalogs] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysindexes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysindexkeys] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysmembers] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysobjects] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[syspermissions] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysprotects] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysreferences] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[system_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[system_objects] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[system_parameters] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[system_sql_modules] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[system_views] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[systypes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysusers] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[table_types] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[tables] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[transmission_queue] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[trigger_events] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[triggers] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[type_assembly_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[types] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[views] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_indexes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_attributes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_collections] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_component_placements] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_components] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_elements] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_facets] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_model_groups] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_namespaces] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_types] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_wildcard_namespaces] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_wildcards] TO [' + @AppRoleName + '];' )
    FETCH NEXT FROM AppRoleCursor INTO @AppRoleName
    END
    CLOSE AppRoleCursor
    RETURN 0
    GO
    Once that is in the system, I just needed to "Exec GrantAccess" to make it work.  (Of course, I have a table [RoleList] which contains a "AppRoleName" field that contains the names of the database roles.)
    So, the mystery remains: why did all my users lose their "public" role and why could I not give it back to them?  Was this part of an update to SQL Server 2008 R2?  Was it because I ran another script to delete each user and add them back
    so to refresh their connection with the domain?  Well, this solves the issue for now.
    One last warning: you probably should check the "public" role on your system before running this to make sure there isn't something missing or wrong, here.  It's always possible something is different about your system.
    Hope this helps someone else.

Maybe you are looking for

  • Ichat from laptop to desktop

    I wish to ichat with my family when out of town from my macbook to my home desktop mac. is thgis possible on 1 account and or do I need to have two accounts,Currently i have 1 mac account with 1 email

  • Pages to PDFA/1a

    Do you have an idea, how to convert a .pages-file into PDFA/1a? It might even help, if you known how to embed fonts into Postscripts. Hat jemand eine Idee, wie man Pages-Dokumente im PDFA/1a speichern kann? Es würde vielleicht schon helfen, wenn man

  • HT1338 how do i reduce pixels in iphoto

    Wanting to make a photo into a avatar but size is to big how do i reduce photo?

  • NEW COMPUTER USING WINDOWS 7 WILL NOT WAKE UP FROM SLEEP MODE. I HAVE TO MANUALLY TURN IT OFF AND BACK ON.

    New laptop with Windows 7 does not wake up from SLEEP MODE.  I have moved the computer, moved the cursor, pushed every key on the keyboard, moved the space bar but nothing wakes it up.  I always have to manually turn the computer off and then turn it

  • Problems in configuring deployment descriptors to use EJB in JSP

              Hello,           I've been trying to use an EJB in a JSP on Weblogic 8.1. The relevent part of           my web.xml and weblogic.xml look like this:           =====================================           web.xml -           <ejb-ref>