Grant access to DMV's without giving VIEW SERVER STATE permission

Question

Grant access to DMV's without giving VIEW SERVER STATE permission

Kranthi DBA 221

Hi All,

We have received a requirement to grant customers access to the DMV.

Is there a secure way to give access to DMV without granting the VIEW SERVER STATE permission?

I really appreciate any help you can provide.

Seeya Xi-MSFT 16,586 Reputation points

2022-12-19T03:35:24.267+00:00

Hi @Kranthi DBA ,

We have not received a response from you. Did the reply could help you? If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. By doing so, it will benefit all community members who are having this similar issue. Your contribution is highly appreciated.

Best regards,
Seeya

2 answers

Your answer

Seeya Xi-MSFT 16,586 Reputation points

2022-12-19T03:35:24.267+00:00

Hi @Kranthi DBA ,

We have not received a response from you. Did the reply could help you? If the response helped, do "Accept Answer". If it doesn't work, please let us know the progress. By doing so, it will benefit all community members who are having this similar issue. Your contribution is highly appreciated.

Best regards,
Seeya

Answer 1

As Dan says, this is possible. You wrap the query you want to the user to be able to run in a stored procedure, which you for simplicity you can place in the master database.

Then you apply this recipe:

Create a certificate.
Sign the procedure with the certificate.
Create a login from that certificate.
Grant that login VIEW SERVER STATE.

The login is not a normal login, but a special type which exists only to connect certificate and permission. It is not possible to log in with this login.

I describe this technique in a lot more detail in my article: https://www.sommarskog.se/grantperm.html. And, yes, that is a bit to read, although you only need to read first five chapters. But it's time well-spent, because it is a very tool to have at hand.

Answer 2

Ronen Ariely 15,206

Hi,

From the documentation:

https://learn.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/system-dynamic-management-views?view=sql-server-ver16&WT.mc_id=DP-MVP-5001699

There are two types of dynamic management views and functions:
Server-scoped dynamic management views and functions. These require VIEW SERVER STATE permission on the server.
Database-scoped dynamic management views and functions. These require VIEW DATABASE STATE permission on the database.

The answer to your question depend on the type of DMV you want to give permission to.

If you will try to GRAND permission on Server-scoped DMV (for example try sys.dm_os_wait_stats) to a USER in a database, then you will; get the error: "Permissions on server scoped catalog views or system stored procedures or extended stored procedures can be granted only when the current database is master."

Kranthi DBA 221 Reputation points

2022-12-13T13:42:39.823+00:00

Hi,

Thank you for the reply!
The requirement is to grant access to the server-level DMVs without giving View server state permission.
Dan Guzman 9,406 Reputation points

2022-12-13T16:01:07.833+00:00

The most secure way to wrap the DMV query in a proc and sign it with a certificate based on a login with the needed permissions. See Erland's article.
Ronen Ariely 15,206 Reputation points

2022-12-16T09:16:55.967+00:00

Hi,

Thank you for the reply!

You are most welcome :-)

The requirement is to grant access to the server-level DMVs without giving View server state permission.

You cannot directly solve the math calculation of "1+1" without using "+", but there are (almost) always indirect ways to get your real needs (Check what XY problem is). For example in the above math you might be able to use "-" to indirectly get the result "1-(-1)".

In your case, other people already suggest solutions already. Check if this solve your need or inform us if you need anything more.

Share via

Grant access to DMV's without giving VIEW SERVER STATE permission

2 answers

Your answer