EXECUTE permission denied on object 'xp_sqlagent_notify', database 'mssqlsystemresource', schema 'sys'.
I'm trying to create a new subscriptions on an existing report and get the following error.
An internal error occurred on the report server. See the error log for more details. (rsInternalError) Get Online Help
Get Online Help
EXECUTE permission denied on object 'xp_sqlagent_notify', database 'mssqlsystemresource', schema 'sys'.
I ran the following that was suggested in http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=17774&SiteID=1. But still I get the same error. Do I need a reboot or restart of the services?
The only log file information I can find contains the following.
System.Web.Services.Protocols.SoapException: System.Web.Services.Protocols.SoapException: An internal error occurred on the report server. See the error log for more details. ---> Microsoft.ReportingServices.Diagnostics.Utilities.InternalCatalogException: An internal error occurred on the report server. See the error log for more details. ---> System.Data.SqlClient.SqlException: EXECUTE permission denied on object 'xp_sqlagent_notify', database 'mssqlsystemresource', schema 'sys'.
--- End of inner exception stack trace ---
at Microsoft.ReportingServices.WebServer.ReportingService2005.ListSchedules(Schedule[]& Schedules)
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.SqlServer.ReportingServices2005.ReportingService2005.ListSchedules()
at Microsoft.SqlServer.ReportingServices2005.RSConnection.ListSchedules()
at Microsoft.ReportingServices.UI.SharedScheduleDropDown.EnsureSchedulesAreLoaded()
at Microsoft.ReportingServices.UI.SharedScheduleDropDown.SharedScheduleDropDown_Load(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
aspnet_wp!ui!1!17/10/2006-08:44:26:: e ERROR: Exception in ShowErrorPage: System.Threading.ThreadAbortException: Thread was being aborted.
at System.Threading.Thread.AbortInternal()
at System.Threading.Thread.Abort(Object stateInfo)
at System.Web.HttpResponse.End()
at System.Web.HttpServerUtility.Transfer(String path, Boolean preserveForm)
at Microsoft.ReportingServices.UI.ReportingPage.ShowErrorPage(String errMsg) at at System.Threading.Thread.AbortInternal()
at System.Threading.Thread.Abort(Object stateInfo)
at System.Web.HttpResponse.End()
at System.Web.HttpServerUtility.Transfer(String path, Boolean preserveForm)
at Microsoft.ReportingServices.UI.ReportingPage.ShowErrorPage(String errMsg)
aspnet_wp!extensionfactory!e!17/10/2006-09:35:13:: w WARN: The extension Report Server Email does not have a LocalizedNameAttribute.
aspnet_wp!extensionfactory!e!17/10/2006-09:35:13:: w WARN: The extension Report Server FileShare does not have a LocalizedNameAttribute.
aspnet_wp!ui!e!17/10/2006-09:35:13:: e ERROR: System.Web.Services.Protocols.SoapException: An internal error occurred on the report server. See the error log for more details. ---> Microsoft.ReportingServices.Diagnostics.Utilities.InternalCatalogException: An internal error occurred on the report server. See the error log for more details. ---> System.Data.SqlClient.SqlException: EXECUTE permission denied on object 'xp_sqlagent_notify', database 'mssqlsystemresource', schema 'sys'.
--- End of inner exception stack trace ---
at Microsoft.ReportingServices.WebServer.ReportingService2005.ListSchedules(Schedule[]& Schedules)
aspnet_wp!ui!e!17/10/2006-09:35:13:: e ERROR: HTTP status code --> 200
I cannot find any other error log.
Can anybody help?
Tuesday, October 17, 2006 8:49 AM
Reply
|
Quote
All replies
0
Sign in to vote
Sorry for the late reply. Try this: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=662319&SiteID=1
Thursday, November 16, 2006 2:51 AM
Reply
|
Quote
Answerer
0
Sign in to vote
GRANT EXECUTE ON master.dbo.xp_sqlagent_notify TO RSExecRole
GO
solved my problem.
Proposed as answer by
Christopher D. Stover
Monday, September 16, 2013 6:52 PM
Monday, September 16, 2013 6:51 PM
Reply
|
Quote
0
Sign in to vote
Tried that but no joy. Found this post on SQLServerCentral, solved our issue which mimic's the posters issue. Just adding here as this is the first result in our search.
Look for Topic452669-150-1
There are a number of places I found with the information in the following
link:
http://phew-meme.blogspot.com/2007/10/reporting-service-on-report.html
In
my specific case, the RsExecRole role in both the "master" and "msdb" databases
had had both the "NT Authority\Network Service" and "NTAuthority\System" logins
removed from its members (the RSExecRole had had all its members removed by
someone doing some maintenance). I compared another Reporting Services
installation on another server after reading information in the above
link.
Steps:
1. In Mangement Studio connect to the SQL Server instance
on which Reporting Services runs.
2. Databases > system Databases
3.
master > Security > Roles > RSExecRole (then add whatever logins are
required... check in the ReportServer or ReportServerTempDB databases if you're
not sure)
4. msdb > Security > Roles > RSExecRole (add the same
logins you did to the master DB)
In the end you need the same logins in
RSExecRole role for the master, msdb, ReportServer, and ReportServerTempDB
databases. ("ReportServer" is the default Reporting Services database name, in
case that's not clear ;)
Monday, March 31, 2014 1:24 PM
Reply
|
Quote
if (!$.Microsoft) $.Microsoft = {};
if (!$.Microsoft.Mtps) $.Microsoft.Mtps = {};
if (!$.Microsoft.Mtps.NetReflectorInit)
$.Microsoft.Mtps.NetReflectorInit = {
surveyUrl: 'http://support.microsoft.com/common/survey.aspx?scid=sw%3ben%3b3763&altstyle=narrow&renderoption=overridedefault&theme=tech&url=http://social.technet.microsoft.com/Forums/en-US/3fcc7b54-ce84-48c2-9004-baaac07f2515/execute-permission-denied-on-object-xpsqlagentnotify-database-mssqlsystemresource-schema?forum=sqlreportingservices&P0=055ccfc1-78f5-46ff-8171-33f8ff760a7c',
throttleRate: "5.00",
privacyStatementText: "Privacy statement",
trackerWindowText: "Please do not close this window.Thank you! The survey will appear here when you've completed your visit, so please do not close this window.",
logoUrl: 'https://www.microsoft.com/library/svy/sto/technet_logo.gif',
closeButtonUrl: 'https://www.microsoft.com/library/svy/sto/technet-close.gif',
topBarUrl: 'https://www.microsoft.com/library/svy/sto/top-stripe.gif',
bottomBarUrl: 'https://www.microsoft.com/library/svy/sto/bottom-stripe.gif',
blankPage: 'https://social.technet.microsoft.com/forums/blank.htm',
showSurveyToComscoreUser: 'no'
setTimeout("Forums.loadScript('https://i1.social.s-msft.com/Forums/resources/NetReflector/NetReflector.js?cver=0%0d%0a')", 1000);
Microsoft is conducting an online survey to understand your opinion of the Technet Web site. If you choose to participate, the online survey will be presented to you when you leave the Technet Web site.
Would you like to participate?
Privacy statement
© 2015 Microsoft. All rights reserved.
Newsletter|Contact Us|Privacy Statement|Terms of Use|Trademarks|Site Feedback
TechNet
Products
IT Resources
Downloads
Training
Support
Products
Windows
Windows Server
System Center
Internet Explorer
Office
Office 365
Exchange Server
SQL Server
SharePoint Products
Lync
See all products »
Resources
Curah! curation service
Evaluation Center
Learning Resources
Microsoft Tech Companion App
Microsoft Technical Communities
Microsoft Virtual Academy
Script Center
Server and Tools Blogs
TechNet Blogs
TechNet Flash Newsletter
TechNet Gallery
TechNet Library
TechNet Magazine
TechNet Subscriptions
TechNet Video
TechNet Wiki
Windows Sysinternals
Virtual Labs
Solutions
Networking
Cloud and Datacenter
Security
Virtualization
Updates
Service Packs
Security Bulletins
Microsoft Update
Trials
Windows Server 2012 R2
System Center 2012 R2
Microsoft SQL Server 2012 SP1
Windows 8.1 Enterprise
See all trials »
Related Sites
Microsoft Download Center
TechNet Evaluation Center
Drivers
Windows Sysinternals
TechNet Gallery
Training
Training Catalog
Class Locator
Microsoft Virtual Academy
Free Windows Server 2012 courses
Free Windows 8 courses
SQL Server training
e-Learning overview
Certifications
Certification overview
MCSA: Windows 8
Windows Server Certification (MCSE)
Private Cloud Certification (MCSE)
SQL Server Certification (MCSE)
Other resources
TechNet Events
Second shot for certification
Born To Learn blog
Find technical communities in your area
Support options
For small and midsize businesses
For enterprises
For developers
For IT professionals
From partners
For technical support
Support offerings
For home users
More support
Microsoft Premier Online
Microsoft Fix It Center
TechNet Forums
MSDN Forums
Security Bulletins & Advisories
International support solutions
Log a support ticket
Not an IT pro?
Microsoft Customer Support
Microsoft Community Forums
var railItems = ["/Forums/en-US/rightrailannouncement/Technet/1794d07f-9d4e-4dc0-8c1c-8bfe9d5e0bce"];
var pageData = {"validUser":false,"autoSubscribe":false};
var userEmailConfigured = false;
$(document).ready(function () {
Forums.ThreadPage.wirePageElements('Search forum questions');
Tried that but no joy. Found this post on SQLServerCentral, solved our issue which mimic's the posters issue. Just adding here as this is the first result in our search.
Look for Topic452669-150-1
There are a number of places I found with the information in the following
link:
http://phew-meme.blogspot.com/2007/10/reporting-service-on-report.html
In
my specific case, the RsExecRole role in both the "master" and "msdb" databases
had had both the "NT Authority\Network Service" and "NTAuthority\System" logins
removed from its members (the RSExecRole had had all its members removed by
someone doing some maintenance). I compared another Reporting Services
installation on another server after reading information in the above
link.
Steps:
1. In Mangement Studio connect to the SQL Server instance
on which Reporting Services runs.
2. Databases > system Databases
3.
master > Security > Roles > RSExecRole (then add whatever logins are
required... check in the ReportServer or ReportServerTempDB databases if you're
not sure)
4. msdb > Security > Roles > RSExecRole (add the same
logins you did to the master DB)
In the end you need the same logins in
RSExecRole role for the master, msdb, ReportServer, and ReportServerTempDB
databases. ("ReportServer" is the default Reporting Services database name, in
case that's not clear ;)
Similar Messages
-
I have created a user and given him the owner rights for the database. Though I can LogIn as the user, I cannot access the databases. I am having the error mesage:
Failed to retrieve data for this request. (Microsoft.SqlServer.Management.Sdk.Sfc)
For help, click:
http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&LinkId=20476
ADDITIONAL INFORMATION:
An exception occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)
The SELECT permission was denied on the object 'extended_properties', database 'mssqlsystemresource', schema 'sys'. (Microsoft SQL Server, Error: 229)
For help, click:
http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=10.50.1600&EvtSrc=MSSQLServer&EvtID=229&LinkId=20476
Sha_woopSince there are so many possibilities for what might be wrong. Here's another possibility to look at. I ran into something where I had set up my own roles on a database. (For instance, "Administrator", "Manager", "DataEntry", "Customer",
each with their own kinds of limitations) The only ones who could use it were "Manager" role or above--because they were also set up as sysadmin because they were adding users to the database (and they were highly trusted). Also, the users that
were being added were Windows Domain users--using their domain credentials. (Everyone with access to the database had to be on our domain, but not everyone on the domain had access to the database--and only a few of them had access to change it.)
Anyway, this working system suddenly stopped working and I was getting error messages similar to the above. What I ended up doing that solved it was to go through all the permissions for the "public" role in that database and add those permissions to
all of the roles that I had created. I know that everyone is supposed to be in the "public" role even though you can't add them (or rather, you can "add" them, but they won't "stay added").
So, in "SQL Server Management Studio", I went into my application's database, in other words (my localized names are obscured within <> brackets): "<Computername> (SQL Server <version> - sa)"\Databases\<MyAppDB>\Security\Roles\Database
Roles\public". Right-click on "public" and select "Properties". In the "Database Role Properties - public" dialog, select the "Securables" page. Go through the list and for each element in the list, come up with an SQL "Grant" statement to
grant exactly that permission to another role. So, for instance, there is a scalar function "[dbo].[fn_diagramobjects]" on which the "public" role has "Execute" privilege. So, I added the following line:
EXEC ( 'GRANT EXECUTE ON [dbo].[fn_diagramobjects] TO [' + @RoleName + '];' )
Once I had done this for all the elements in the "Securables" list, I wrapped that up in a while loop on a cursor selecting through all the roles in my roles table. This explicitly granted all the permissions of the "public" role to my database roles.
At that point, all my users were working again (even after I removed their "sysadmin" access--done as a temporary measure while I figured out what happened.)
I'm sure there's a better (more elegant) way to do this by doing some kind of a query on the database objects and selecting on the public role, but after about half and hour of investigating, I wasn't figuring it out, so I just did it the brute-force method.
In case it helps someone else, here's my code.
CREATE PROCEDURE [dbo].[GrantAccess]
AS
DECLARE @AppRoleName AS sysname
DECLARE AppRoleCursor CURSOR LOCAL SCROLL_LOCKS FOR
SELECT AppRoleName FROM [dbo].[RoleList];
OPEN AppRoleCursor
FETCH NEXT FROM AppRoleCursor INTO @AppRoleName
WHILE @@FETCH_STATUS = 0
BEGIN
EXEC ( 'GRANT EXECUTE ON [dbo].[fn_diagramobjects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_alterdiagram] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_creatediagram] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_dropdiagram] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_helpdiagramdefinition] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_helpdiagrams] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_renamediagram] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_objects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_sql_modules] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_views] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[allocation_units] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assemblies] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assembly_files] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assembly_modules] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assembly_references] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assembly_types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[asymmetric_keys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[certificates] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[change_tracking_tables] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[check_constraints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[column_type_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[column_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[computed_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[conversation_endpoints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[conversation_groups] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[conversation_priorities] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[crypt_properties] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[data_spaces] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_audit_specification_details] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_audit_specifications] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_files] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_permissions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_principal_aliases] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_principals] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_role_members] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[default_constraints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[destination_data_spaces] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[event_notifications] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[events] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[extended_procedures] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[extended_properties] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[filegroups] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[foreign_key_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[foreign_keys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_catalogs] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_catalog_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_fragments] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_indexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_stoplists] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_stopwords] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[function_order_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[identity_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[index_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[indexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[internal_tables] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[key_constraints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[key_encryptions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[message_type_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[module_assembly_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[numbered_procedure_parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[numbered_procedures] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[objects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[parameter_type_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[parameter_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partition_functions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partition_parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partition_range_values] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partition_schemes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partitions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[plan_guides] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[procedures] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[remote_service_bindings] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[routes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[schemas] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_contract_message_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_contract_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_contracts] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_message_types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_queue_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_queues] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[services] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[spatial_index_tessellations] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[spatial_indexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sql_dependencies] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sql_modules] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[stats] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[stats_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[symmetric_keys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[synonyms] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[syscolumns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[syscomments] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysconstraints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysdepends] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysfilegroups] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysfiles] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysforeignkeys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysfulltextcatalogs] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysindexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysindexkeys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysmembers] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysobjects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[syspermissions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysprotects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysreferences] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_objects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_sql_modules] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_views] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[systypes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysusers] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[table_types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[tables] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[transmission_queue] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[trigger_events] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[triggers] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[type_assembly_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[views] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_indexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_attributes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_collections] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_component_placements] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_components] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_elements] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_facets] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_model_groups] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_namespaces] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_wildcard_namespaces] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_wildcards] TO [' + @AppRoleName + '];' )
FETCH NEXT FROM AppRoleCursor INTO @AppRoleName
END
CLOSE AppRoleCursor
RETURN 0
GO
Once that is in the system, I just needed to "Exec GrantAccess" to make it work. (Of course, I have a table [RoleList] which contains a "AppRoleName" field that contains the names of the database roles.)
So, the mystery remains: why did all my users lose their "public" role and why could I not give it back to them? Was this part of an update to SQL Server 2008 R2? Was it because I ran another script to delete each user and add them back so to refresh
their connection with the domain? Well, this solves the issue for now.
One last warning: you probably should check the "public" role on your system before running this to make sure there isn't something missing or wrong, here. It's always possible something is different about your system.
Hope this helps someone else. -
I have a SQL Server connected intro a Windows Server 2003 Domain Active Directory, the server holds a default instance with a single Database, the SQL Server is 2005 Std Edition, and is using mix mode Authentification, then I able to create SQL Native Users
and Invoque Windows Domain Users also.
The Goal of this project is remove the sysadmin Server role for all the Windows Domain Users, to give then a more granular secure model but at the moment is this only way to connect at the Data Base Server.
I already create Native SQL Servers users without any problem!, they respect Securable Setting, Server Roles, User Mapping, everything...Just when I create a Login Profile form a Domain Users and apply the same setting, I get this error...
The SELECT permissions was denied on the object 'extended_properties', database 'mssqlsystemresource', schema 'sys'.(Microsoft SQL Server, Error:229)
But if the user have sysadmin Server Rol he can sing over the server without any issue, I review the .sys view extended_properties and "Public" is the only Database Role placed.
Any Idea if I need change any Setting in the Secure in SQL Master DataBase? or which is the issue witjh this matter?
Thank in advance for your help!Since there are so many possibilities for what might be wrong. Here's another possibility to look at. I ran into something where I had set up my own roles on a database. (For instance, "Administrator", "Manager", "DataEntry",
"Customer", each with their own kinds of limitations) The only ones who could use it were "Manager" role or above--because they were also set up as sysadmin because they were adding users to the database (and they were highly trusted).
Also, the users that were being added were Windows Domain users--using their domain credentials. (Everyone with access to the database had to be on our domain, but not everyone on the domain had access to the database--and only a few of them had access
to change it.)
Anyway, this working system suddenly stopped working and I was getting error messages similar to the above. What I ended up doing that solved it was to go through all the permissions for the "public" role in that database and add those permissions
to all of the roles that I had created. I know that everyone is supposed to be in the "public" role even though you can't add them (or rather, you can "add" them, but they won't "stay added").
So, in "SQL Server Management Studio", I went into my application's database, in other words (my localized names are obscured within <> brackets): "<Computername> (SQL Server <version> - sa)"\Databases\<MyAppDB>\Security\Roles\Database
Roles\public". Right-click on "public" and select "Properties". In the "Database Role Properties - public" dialog, select the "Securables" page. Go through the list and for each element in the
list, come up with an SQL "Grant" statement to grant exactly that permission to another role. So, for instance, there is a scalar function "[dbo].[fn_diagramobjects]" on which the "public" role has "Execute" privilege.
So, I added the following line:
EXEC ( 'GRANT EXECUTE ON [dbo].[fn_diagramobjects] TO [' + @RoleName + '];' )
Once I had done this for all the elements in the "Securables" list, I wrapped that up in a while loop on a cursor selecting through all the roles in my roles table. This explicitly granted all the permissions of the "public" role to
my database roles. At that point, all my users were working again (even after I removed their "sysadmin" access--done as a temporary measure while I figured out what happened.)
I'm sure there's a better (more elegant) way to do this by doing some kind of a query on the database objects and selecting on the public role, but after about half and hour of investigating, I wasn't figuring it out, so I just did it the brute-force method.
In case it helps someone else, here's my code.
CREATE PROCEDURE [dbo].[GrantAccess]
AS
DECLARE @AppRoleName AS sysname
DECLARE AppRoleCursor CURSOR LOCAL SCROLL_LOCKS FOR
SELECT AppRoleName FROM [dbo].[RoleList];
OPEN AppRoleCursor
FETCH NEXT FROM AppRoleCursor INTO @AppRoleName
WHILE @@FETCH_STATUS = 0
BEGIN
EXEC ( 'GRANT EXECUTE ON [dbo].[fn_diagramobjects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_alterdiagram] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_creatediagram] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_dropdiagram] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_helpdiagramdefinition] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_helpdiagrams] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT EXECUTE ON [dbo].[sp_renamediagram] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_objects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_sql_modules] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[all_views] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[allocation_units] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assemblies] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assembly_files] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assembly_modules] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assembly_references] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[assembly_types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[asymmetric_keys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[certificates] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[change_tracking_tables] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[check_constraints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[column_type_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[column_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[computed_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[conversation_endpoints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[conversation_groups] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[conversation_priorities] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[crypt_properties] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[data_spaces] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_audit_specification_details] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_audit_specifications] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_files] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_permissions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_principal_aliases] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_principals] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[database_role_members] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[default_constraints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[destination_data_spaces] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[event_notifications] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[events] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[extended_procedures] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[extended_properties] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[filegroups] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[foreign_key_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[foreign_keys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_catalogs] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_catalog_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_fragments] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_indexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_stoplists] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[fulltext_stopwords] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[function_order_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[identity_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[index_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[indexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[internal_tables] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[key_constraints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[key_encryptions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[message_type_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[module_assembly_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[numbered_procedure_parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[numbered_procedures] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[objects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[parameter_type_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[parameter_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partition_functions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partition_parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partition_range_values] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partition_schemes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[partitions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[plan_guides] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[procedures] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[remote_service_bindings] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[routes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[schemas] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_contract_message_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_contract_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_contracts] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_message_types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_queue_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[service_queues] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[services] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[spatial_index_tessellations] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[spatial_indexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sql_dependencies] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sql_modules] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[stats] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[stats_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[symmetric_keys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[synonyms] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[syscolumns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[syscomments] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysconstraints] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysdepends] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysfilegroups] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysfiles] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysforeignkeys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysfulltextcatalogs] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysindexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysindexkeys] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysmembers] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysobjects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[syspermissions] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysprotects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysreferences] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_columns] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_objects] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_parameters] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_sql_modules] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[system_views] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[systypes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[sysusers] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[table_types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[tables] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[transmission_queue] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[trigger_events] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[triggers] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[type_assembly_usages] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[views] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_indexes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_attributes] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_collections] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_component_placements] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_components] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_elements] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_facets] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_model_groups] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_namespaces] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_types] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_wildcard_namespaces] TO [' + @AppRoleName + '];' )
EXEC ( 'GRANT SELECT ON [sys].[xml_schema_wildcards] TO [' + @AppRoleName + '];' )
FETCH NEXT FROM AppRoleCursor INTO @AppRoleName
END
CLOSE AppRoleCursor
RETURN 0
GO
Once that is in the system, I just needed to "Exec GrantAccess" to make it work. (Of course, I have a table [RoleList] which contains a "AppRoleName" field that contains the names of the database roles.)
So, the mystery remains: why did all my users lose their "public" role and why could I not give it back to them? Was this part of an update to SQL Server 2008 R2? Was it because I ran another script to delete each user and add them back
so to refresh their connection with the domain? Well, this solves the issue for now.
One last warning: you probably should check the "public" role on your system before running this to make sure there isn't something missing or wrong, here. It's always possible something is different about your system.
Hope this helps someone else. -
Permission denied on object 'PSOPRDEFN' database 'FSCM' schema 'dbo'
Hi,
I get the following error when i try to login in 2 tier thru App Designer.
SELECT permission denied on object 'PSOPRDEFN' database 'FSCM' schema 'dbo'...Just to give a little background...Since i was installing PS FSCM 9 on my new machiine, I did not create a new DB, as I had the mdf and ldf files from my earlier machine. All i did was to add the DB thru SQL Server management studio. I have executed the grant and connect.sql. Both have executed successfully. But I am still unable to login. I also tried altering the authorization on my DB, but that did not work either
Thank YouHi Nicolas,
I was installing PS FSCM9 on my new personal machine. Since I had my "MDF" and "LDF" files for FSCM 9 DB (from my previous machine), I did not create a new DB for my new Install of PeopleTools. I simply copied the DB files to my new machine.
I can login into the DB using sa/sa1. But when I try logging in using App Designer in 2 Tier, it pops up the error mentioned. I ran the Grant/connect sql's again, but that did not help. i did run alter authorization script for the 3 tables PSACCESSPRFL, PSSTATUS and PSOPRDEFN, and granted them access to people, but that did not work out.
Thank you -
EXECUTE permission denied on object 'xp_sqlagent_enum_jobs'
Hello. I am running SQL 2005 SP2 (9.0.3282) on a Windows 2003 SP2 Enterprise server. I have three users that I have assigned the three SQL Server Agent roles within the msdb system database so that they may manage jobs that they own. Recently they started seeing this error:
The EXECUTE permission was denied on the object 'xp_sqlagent_enum_jobs', dartabase 'mssqlsystemresource', schema 'sys'. (Microsoft SQL Server, Error: 229)
I have other servers that have SQL server configured the same where we are not seeing the errors.
Any assistance would be greatly appreciated.
Thanks.
Kris
After you move the msdb database, you may receive the following error message:
Error 229: EXECUTE permission denied on object 'ObjectName', database 'master', owner 'dbo'.
This problem occurs because the ownership chain has been broken. The database owners for the msdb database and for the master database are not the same. In this case, the ownership of the msdb database had been changed. To work around this problem, run the following Transact-SQL statements. You can do this by using the Osql.exe command-line utility (SQL Server 7.0 and SQL Server 2000) or the Sqlcmd.exe command-line utility (SQL Server 2005):
USE MSDB Go EXEC sp_changedbowner 'sa' Go
http://support.microsoft.com/kb/224071
INF: Object Ownership Chain Checking Across Databases Depends on the Login That Is Mapped to the Object Owners| Sankar Reddy | http://sankarreddy.spaces.live.com/ | -
hi
Im getting the following error when querying a database :
<b>
Error when executing statement for table/stored proc. 'procedure name' (structure 'Select'): java.sql.SQLException: [Microsoft][SQLServer 2000 Driver for JDBC][SQLServer]EXECUTE permission denied on object 'procedure name ', database '<database name>', owner 'owner name'</b>
Is it because the user use to access in the comunication channel does not have rights on the given databse / table or something else as well ??
please suggest
sdHi,
yes right.
the user which you use in the JDBC Adapter isn't allowed to execute the stored procedure.
Regards,
Robin -
I have created a PowerShell script that automates enabling users for Lync and setting policies based on group membership. I've successfully tested this script under my domain admin account and now I am working on getting it running as a scheduled task.
Since all the script really does related to Lync is run the commands Enable-CsUser, Set-CsUser, and Grant-Cs<policy name>Policy, I elected to create a service account that only has Lync user administration permissions. Initially, this user account
was just a member of CSUserAdministration but this was not working so I added the user to RTCUniversalUserAdmins based on some other information I found.
This change got me by the various access denied errors I was getting in the script, but now I am getting the following error when I run the Enable-CsUser part:
Enable-CsUser : The EXECUTE permission was denied on the object 'XdsPublishItems', database 'xds', schema 'dbo'.
At line:1 char:1
+ Enable-CsUser -Identity <redacted> -RegistrarPool <redacted> - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Enable-CsUser], SqlException
+ FullyQualifiedErrorId : System.Data.SqlClient.SqlException,Microsoft.Rtc.Management.AD.Cmdlets.EnableOcsUserCmdl
et
This seems to be some sort of permission error related to the permissions on the SQL database "xds". I checked, and RTCUniversalUserAdmins is a member of both CsUserAdministration and RTCUniversalReadOnlyAdmins. This latter group does
have permissions on the xds database. It appears to be granted the "public" role on the database server. The User Mapping shows the following users mapped to the login:
cpsdyn: public,ReadOnlyRole
lis: public,ReadOnlyRole
rgsconfig: public,ReadOnlyRole
rgsdyn: public,ReadOnlyRole
rtcxds: public,ConsumerRole
xds: public,ConsumerRole
Even though I receive this error, the user is actually added to Lync. Follow-up Set-CsUser and Grant-Cs<policy name>Policy cmdlets succeed just fine.
What do I need to do to fix this error message?The issue is not related to UAC / Run As Administrator / Run With Highest Privileges. I have verified that accounts granted only the CS User Administrator role simply do not have access to the XdsPublishItems stored procedure in the Lync xds database,
even if they are members of RTCUniversalUserAdmins.
Also, it does not have anything to do with my script. Even if I grant my service account that local Administrator rights on the Lync front-end server, log into the server with that account, and run the Lync Server Management Shell as administrator
and then do just the Enable-CsUser cmdlet (not my whole script), I get the same error.
I ended up opening a Microsoft support case (#114040311332658) and it has been going on for weeks now. Eventually they just told me that I needed to either have my script establish a remote PowerShell session to Lync or install the Lync management
tools on another server and have the script call the Lync Server Management Shell from that server. They say this because the Planning for Role-Based Access Control documentation (http://technet.microsoft.com/en-us/library/gg425917.aspx)
has the following tip:
"RBAC restrictions work only on administrators working remotely, using either the Lync Server Control Panel or Lync Server Management Shell. A user sitting at a server running Lync Server is not restricted by RBAC. Therefore, physical security of your
Lync Server is important to preserve RBAC restrictions."
I did attempt to run a PowerShell instance on my workstation as the service account, establish a remote PowerShell session to the Lync front-end server, and then run Enable-CsUser and I can confirm that it does run successfully and I do not receive an error
of any kind.
I told the support personnel that the tip stating that RBAC doesn't actually restrict permissions if running PowerShell on the server itself doesn't mean that you simply cannot run PowerShell cmdlets and scripts on the server, it just means that the user
running the cmdlet or script won't have their accessible cmdlets limited to only those granted to the role assigned. I told them I want a description of what the XdsPublishItem stored procedure does at a high level so I can determine if the error can
just be simply ignored in this case. I'm still waiting for them to get back to me on that.
They did say they tested it on their end and confirm the same behavior in their test environment. They also said that it doesn't seem to have any sort of negative impact on the functionality of the enabled Lync user or the consistency of the SQL database.
That said, I don't want to just take their word for it without them knowing what XdsPublishItem does. -
I get the error message: The EXECUTE permission was denied on the object 'sp_send_dbmail', database 'msdb', schema 'dbo'. This happens when I run a job, even though the user has the correct permission on sp_send_dbmail and is a user in msdb.
If I run the procedure through SSMS it runs just fine and sends the mail.
I have run out of things to look for, any ideas on what else it could be?
Thanks in advance,
NancyTo send Database mail, users must be a user in the msdb database and a member of the
DatabaseMailUserRole database role in the msdb database. To add
msdb users or groups to this role use SQL Server Management Studio or execute the following statement for the user or role that needs to send Database Mail.
EXEC msdb.dbo.sp_addrolemember @rolename = 'DatabaseMailUserRole'
,@membername = '<user or role name>';
GO
http://technet.microsoft.com/en-us/library/ms188719(v=sql.105).aspx
Regards, RSingh -
SCOM reports not working, with execute permission denied error.
Operations manager 2012 R2,
some reports stopped working. Then i open report and click "add object" or "add group" i get error:
Note: The following information was gathered when the operation was attempted. The
information may appear cryptic but provides context for the error. The application will continue to run.
The EXECUTE permission was denied on the object 'ManagedEntityTypeGetBySystemName', database
'OperationsManagerDW', schema 'dbo'.
In SQL there is EXECUTE permission on object 'ManagedEntityTypeGetBySystemName'
Reports which not required to specify object or groups are working as expected.
what esle can be wrong ?Hi,
Please refer to the blog below. It tell us how to grant permission to objects.
http://www.ndoubleor.com/the-execute-permission-was-denied-on-the-object-database-schema-dbo/11/2009/
Important Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
Juke Chou
TechNet Community Support -
All reports not working, with execute permission denied error.
Operations manager 2012 R2,
all reports stopped working. Then i open report and click "add object" or "add group" i get error:
Note: The following information was gathered when the operation was attempted. The information may appear cryptic but provides context for the error. The application will continue to run.
The EXECUTE permission was denied on the object 'ManagedEntityTypeGetBySystemName', database 'OperationsManagerDW', schema 'dbo'.
In SQL there is EXECUTE permission on object 'ManagedEntityTypeGetBySystemName'
what esle can be wrong ?Take a look at
this.
Jonathan Almquist | SCOMskills, LLC (http://scomskills.com) -
Execute Permission Denied on Stored Procedure for SSRS Report
I have a report in SSRS 2008R2. The report is running against a 2005 instance. This report, encapsulated as a stored procedure, runs fine in BIDS. When I deploy it to the Report Manager I suddenly get"
The EXECUTE permission was denied on the object 'ticketStatus',database 'SomeDatabase', schema 'dbo'.
I have granted the execute permission to the sql login, I'll call it 'bob', being used in the datasource. I can run the stored procedure in SSMS as that sql login. That SQL login is also assigned the db_datareader and db_denydatawriter database
level roles in the database for the query. The query makes use of a linked server to another database. I have tested that I can run the query via the linked server using the SQL login. I created a separate SSRS report and simply used the
SELECT part of my stored proc. I upload that to the Report Manager and it works fine. I can't figure out why this report will not work when it is set up to use the Stored Proc. Any help sorting this out would be appreciated.I have granted the execute permission to the sql login, I'll call it 'bob', being used in the datasource. I can run the stored procedure in SSMS as that sql login. That SQL login is also assigned the db_datareader and db_denydatawriter database
level roles in the database for the query. The query makes use of a linked server to another database. ...
You are saying you are using a linked server for a database that sits on the same server as the database where the Procedure resides? Is there any reason to do that instead of just using a 3-part name, possibly in combination with a synonym?
Linked servers have a different security concept also
Trustworthy should not be used then either as it can lead to privilege escalation/elevation attacks from inside that database
Cross Database Ownership chaining is yet another and different problem
The best woul be to have that Login as a user in both databases and have the necessary permissions like Execute on Schema/Database there. Deny should only be necvessary under the circumstances that the user is member of different groups/roles
Andreas Wolter
Microsoft Certified Master SQL Server 2008
Microsoft Certified Solutions Master SQL Data Platform, SQL Server 2012
Blog: www.insidesql.org/blogs/andreaswolter
Web: www.andreas-wolter.com |
www.SarpedonQualityLab.com -
EXECUTE permission denied on sp_sqlagent_log_jobhistory when running a maintenance task or sql job
Hi folks,
I have a scheduled maintenance plan and associated jobs in SQL Server 2008 SP2 that have been working but stopped about two months ago. When I run a maintenance task or sql job using any account (sa, sysadmin-priveleged domain account, etc) I get the following
entries in the SQL Server Agent log (see below). I've tried changing the SQL Server Agent account, applied the latest hotfixes (CU2 for 2008 SP2) and set permissions manually so that the service accounts have dbo access to the msdb database. Anyone got other
ideas? I've avoided recreating the msdb database, but that may be my only option.
Date 4/02/2011 3:42:40 PM
Log SQL Server Agent (Current - 4/02/2011 3:23:00 PM)
Message
[298] SQLServer Error: 229, The EXECUTE permission was denied on the object 'sp_sqlagent_log_jobhistory', database 'msdb', schema 'dbo'. [SQLSTATE 42000] (ConnExecuteCachableOp)
Date 4/02/2011 3:42:40 PM
Log SQL Server Agent (Current - 4/02/2011 3:23:00 PM)
Message
[298] SQLServer Error: 229, The EXECUTE permission was denied on the object 'agent_datetime', database 'msdb', schema 'dbo'. [SQLSTATE 42000] (ConnExecuteCachableOp)
Date 4/02/2011 3:42:40 PM
Log SQL Server Agent (Current - 4/02/2011 3:23:00 PM)
Message
[298] SQLServer Error: 229, The EXECUTE permission was denied on the object 'sp_sqlagent_log_jobhistory', database 'msdb', schema 'dbo'. [SQLSTATE 42000] (ConnExecuteCachableOp)And just to add to the confusion - I created a SQL login called sql-maintjobs and have it sysadmin priveleges. I then logged in to SQL using this account on the instance that is failing and ran the following:
declare
@backupjobid uniqueidentifier
select
@backupjobid=CONVERT(uniqueidentifier,
'2C4974D4-53BE-4E38-8EC0-8F5398CADE88')
exec
sp_sqlagent_log_jobhistory
@job_id = @backupjobid,
@step_id
=1,
@sql_message_id
= 0,
@sql_severity
= 0,
@message
=
NULL,
@run_status
=1,
-- SQLAGENT_EXEC_X code
@run_date
=19900101,
@run_time
=1,
@run_duration
=1,
@operator_id_emailed
= 0,
@operator_id_netsent
= 0,
@operator_id_paged
= 0,
@retries_attempted
=0,
@server
=
NULL,
@session_id
= 0
This sql worked fine - no permission errors at all. That would suggest the account does have permission to EXECUTE that stored procedure... very confusing! -
Running following command gives,0403-006 Execute permission denied
Dear
According to metalink doc id: 422419.1 for enabling & collect debugging files for HTTP, OC4J and OPMN. But when i run this command using applmgr (apps owner) in AIX gives '0403-006 Execute permission denied'. Though applmgr have full permissions on this mount point where instance is hosted, giving this error.What is going wrong does not know?
Any help, highly appreciated.The command is
zip -r /tmp/`uname -n`_`date +%m%d%y.%H%M`_iAS_CONFIG.zip \
$ORA_CONFIG_HOME/10.1.3/Apache/Apache/conf \
$ORA_CONFIG_HOME/10.1.3/config \
$INST_TOP/pids/10.1.3/Apache \
$ORA_CONFIG_HOME/10.1.3/j2ee/ \
$ORA_CONFIG_HOME/10.1.3/javacache/admin \
$ORA_CONFIG_HOME/10.1.3/network/admin \
$ORA_CONFIG_HOME/10.1.3/opmn
When i copy & paste in telnet it was adding some spaces. Removing spaces resloved the issue. Thanking you. -
RunInstaller Execute permission denied
Hi.
I downloaded the SW of ORACLE 9.2.0 from the web. I did all the steps to uncompress these 3 files (gunzip and cpio). But when I try to execute RunInstaller I've got the following error:
./runInstaller: ./runInstaller: Execute permission denied.
But the permissions are 777 in all the directories and all the files that are inside the directories. The owner is correct (oracle:dba)
My server is HPUX-11.00
Sometime, when you mount the CD but with the wrong options you have the same problem, but this time, y download the files from the web.
¿Anybody knows who can I solve this error?Yes I have the ROOT in the server and I run the runInstaler with the oracle user and dba group but doesn't work. I run (to check the file) with root user but the same problem.
-
No execute permission on the object
I get "No execute permission on the object" exception when
trying to connect to EJB server object with:
ServerEJBHome serverEJBHome = (ServerEJBHome)
PortableRemoteObject.narrow (
site.lookup ("EJBServerApp/EJBServer"), ServerEJBHome.class);
What is the problem?
nullYakov,
Use the sess_sh shell to check/change the permissions on the
directory you published the object to (test/ by default). It may
be that the user you are running as does not have the same
privileges as the user you deployed as.
Also, you may find it helpful to use the Example EJB Client
snippet available from the New object gallery (File|New) to test
the EJB server.
Laura
Yakov Becker (guest) wrote:
: I get "No execute permission on the object" exception when
: trying to connect to EJB server object with:
: ServerEJBHome serverEJBHome = (ServerEJBHome)
: PortableRemoteObject.narrow (
: site.lookup ("EJBServerApp/EJBServer"), ServerEJBHome.class);
: What is the problem?
null
Maybe you are looking for
-
IPod Classic 80g..message 'Delayed write failed?? Will not sync to itunes!
This message appears when I try to connect to my pc... 'Delayed write failed. Windows is unable to save all the data for the file J:\ipod_control. The data has been lost. This error may be caused by a failiure of your computer hardware or network con
-
CJS-20003 Error Message when installing anything on the portal
Hi there, whenever I try to install anything on my EP6SP8, I get this nasty error message. CJS-20003 While adding instance G00: An instance already exists with that number and a different name or SID: PEP/DVEBMGS00. So far I tried to install EP6SP9,
-
Diff b/w group vs local currency (both curr same) in Inventry GL A/c
There is a difference b/w group vs local currency on trial balance (where both currencies are same) in Inventory GL account, which are supposed to match. Any Probable reasons...
-
hi, when i try to send a IDOC to XI to HTTP Receiver. The flag shows red in the SXMB_MONI and the error is HTTP Client : code 110 reason message. I am using a HTTP adapter for a HTTPS url as a receiver. If i test the xml from a WFETCH i get a respons
-
Where has the ******* updater gone?
where has the ******* update installer application gone? it is 800mb,i have to use 2 hours to down it. when it finish,no install popup,any button can be use. is so Difficult to update ios from 4 to 5.1.1