|
Home > Archive > MS SQL Server DTS > October 2005 > Stop Developers from creating DTS Packages
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Stop Developers from creating DTS Packages
|
|
| John Barr 2005-10-27, 7:57 am |
| Does anyone know how to stop a developer from creating a DTS package and/or a
SQL Server Agent Job?
| |
| Darren Green 2005-10-27, 7:57 am |
| John Barr wrote:
> Does anyone know how to stop a developer from creating a DTS package and/or a
> SQL Server Agent Job?
You cannot stop a developer from creating a package. DTS is after all a
client side tool. Can you stop me creating a Word document? No, but you
can stop me from saving it in your folder. In a similar manner, by
removing guest access to msdb, you can stop them saving packages in your
SQL Server meta-data repository and local package store. This will also
deny them ability to create jobs. Jobs would never run under the high
security context of the service anyway. Jobs that use CmdExec steps
(which is the normal way to call DTSRUN) can also be refused from
non-sysadmins, see the SQL Agent properties.
The resources they may use in a DTS package should already be secured.
Don't give access to data, files or databases for example.
--
Darren Green
http://www.sqldts.com
http://www.sqlis.com
| |
| John Barr 2005-10-27, 7:57 am |
| This is in a development and production environments. I do not want to stop
all package creation and all job creation, only stop it for specific people.
So I would have to add specific people to msdb after removing the guest
account? Is there a Microsoft Article on this?
"Darren Green" wrote:
> John Barr wrote:
>
> You cannot stop a developer from creating a package. DTS is after all a
> client side tool. Can you stop me creating a Word document? No, but you
> can stop me from saving it in your folder. In a similar manner, by
> removing guest access to msdb, you can stop them saving packages in your
> SQL Server meta-data repository and local package store. This will also
> deny them ability to create jobs. Jobs would never run under the high
> security context of the service anyway. Jobs that use CmdExec steps
> (which is the normal way to call DTSRUN) can also be refused from
> non-sysadmins, see the SQL Agent properties.
>
> The resources they may use in a DTS package should already be secured.
> Don't give access to data, files or databases for example.
>
> --
> Darren Green
> http://www.sqldts.com
> http://www.sqlis.com
>
| |
| Darren Green 2005-10-27, 7:57 am |
| John Barr wrote:
> This is in a development and production environments. I do not want to stop
> all package creation and all job creation, only stop it for specific people.
> So I would have to add specific people to msdb after removing the guest
> account?
Yes.
For more detailed control, look at the DTS procedures, those with DTS in
the name in msdb. You can grant execute permissions on these
specifically, or even edit them to add your own custom security controls
and avoid some of the security issues with owners and sysadmins as well.
Is there a Microsoft Article on this?
Not that I know of, but then I've never really looked.
Darren
--
Darren Green
http://www.sqldts.com
http://www.sqlis.com
|
|
|
|
|