SSISDB 上的管理权限
如果使用 SSIS 选项创建或修改实例,则结果是一个 SSISDB 数据库,其中包含向主用户授予的 ssis_admin 和 ssis_logreader 角色。在 SSISDB 中,主用户有权执行以下操作:
-
更改 ssis_admin 角色
-
更改 ssis_logreader 角色
-
更改任何用户
由于主用户是经 SQL 身份验证的用户,因此,您不能使用主用户执行 SSIS 程序包。主用户可以使用这些权限创建新的 SSISDB 用户并将这些用户添加到 ssis_admin 和 ssis_logreader 角色。这样做对于向域用户授予访问权限以使用 SSIS 非常有用。
为 SSIS 设置经 Windows 身份验证的用户
主用户可以使用以下代码示例在 SSISDB 中设置经 Windows 身份验证的登录并授予所需的过程权限。执行此操作可向域用户授予权限以部署和运行 SSIS 程序包、使用 S3 文件传输过程、创建凭证以及使用 SQL Server Agent 代理。有关更多信息,请参阅 Microsoft 文档中的凭证(数据库引擎)
注意
您可以根据需要向经 Windows 身份验证的用户授予以下部分或所有权限。
-- Create a server-level SQL login for the domain user, if it doesn't already exist USE [master] GO CREATE LOGIN [
mydomain
\user_name
] FROM WINDOWS GO -- Create a database-level account for the domain user, if it doesn't already exist USE [SSISDB] GO CREATE USER [mydomain
\user_name
] FOR LOGIN [mydomain
\user_name
] -- Add SSIS role membership to the domain user ALTER ROLE [ssis_admin] ADD MEMBER [mydomain
\user_name
] ALTER ROLE [ssis_logreader] ADD MEMBER [mydomain
\user_name
] GO -- Add MSDB role membership to the domain user USE [msdb] GO CREATE USER [mydomain
\user_name
] FOR LOGIN [mydomain
\user_name
] -- Grant MSDB stored procedure privileges to the domain user GRANT EXEC ON msdb.dbo.rds_msbi_task TO [mydomain
\user_name
] with grant option GRANT SELECT ON msdb.dbo.rds_fn_task_status TO [mydomain
\user_name
] with grant option GRANT EXEC ON msdb.dbo.rds_task_status TO [mydomain
\user_name
] with grant option GRANT EXEC ON msdb.dbo.rds_cancel_task TO [mydomain
\user_name
] with grant option GRANT EXEC ON msdb.dbo.rds_download_from_s3 TO [mydomain
\user_name
] with grant option GRANT EXEC ON msdb.dbo.rds_upload_to_s3 TO [mydomain
\user_name
] with grant option GRANT EXEC ON msdb.dbo.rds_delete_from_filesystem TO [mydomain
\user_name
] with grant option GRANT EXEC ON msdb.dbo.rds_gather_file_details TO [mydomain
\user_name
] with grant option GRANT EXEC ON msdb.dbo.sp_add_proxy TO [mydomain
\user_name
] with grant option GRANT EXEC ON msdb.dbo.sp_update_proxy TO [mydomain
\user_name
] with grant option GRANT EXEC ON msdb.dbo.sp_grant_login_to_proxy TO [mydomain
\user_name
] with grant option GRANT EXEC ON msdb.dbo.sp_revoke_login_from_proxy TO [mydomain
\user_name
] with grant option GRANT EXEC ON msdb.dbo.sp_delete_proxy TO [mydomain
\user_name
] with grant option GRANT EXEC ON msdb.dbo.sp_enum_login_for_proxy to [mydomain
\user_name
] with grant option GRANT EXEC ON msdb.dbo.sp_enum_proxy_for_subsystem TO [mydomain
\user_name
] with grant option GRANT EXEC ON msdb.dbo.rds_sqlagent_proxy TO [mydomain
\user_name
] WITH GRANT OPTION -- Add the SQLAgentUserRole privilege to the domain user USE [msdb] GO ALTER ROLE [SQLAgentUserRole] ADD MEMBER [mydomain
\user_name
] GO -- Grant the ALTER ANY CREDENTIAL privilege to the domain user USE [master] GO GRANT ALTER ANY CREDENTIAL TO [mydomain
\user_name
] GO