Applies to: SQL Server
This article lists the server and database roles and mappings that the installation of Azure extension for SQL Server creates.
When you install Azure extension for SQL Server, the installation:
- Creates a server level role: SQLArcExtensionServerRole
- Creates a database level role: SQLArcExtensionUserRole
- Adds NT AUTHORITY\SYSTEM* account to each role
- Maps NT AUTHORITY\SYSTEM* at the database level for each database
- Grants minimum permissions for the enabled features
*Alternatively, you can configure SQL Server enabled by Azure Arc to run in least privilege mode (available in preview). For details, review Operate SQL Server enabled by Azure Arc with least privilege (preview).
In addition, Azure extension for SQL Server revokes permissions for these roles when they're no longer needed for specific features.
SqlServerExtensionPermissionProvider is a Windows task. It grants or revokes privileges in SQL Server when it detects:
Note
Prior to the July, 2024 release, SqlServerExtensionPermissionProvider is a scheduled task. It runs hourly.
For details, review Configure Windows service accounts and permissions for Azure extension for SQL Server.
If you uninstall Azure extension for SQL Server, the server and database level roles are removed.
Feature | Permission | Level | Role |
---|---|---|---|
Default | VIEW SERVER STATE | Server Level | SQLArcExtensionServerRole |
Default | CONNECT SQL | Server Level | SQLArcExtensionServerRole |
Default | VIEW ANY DEFINITION | Server Level | SQLArcExtensionServerRole |
Default | VIEW ANY DATABASE | Server Level | SQLArcExtensionServerRole |
Default | CONNECT ANY DATABASE | Server Level | SQLArcExtensionServerRole |
Default | SELECT dbo.sysjobactivity | msdb | SQLArcExtensionUserRole |
Default | SELECT dbo.sysjobs | msdb | SQLArcExtensionUserRole |
Default | SELECT dbo.syssessions | msdb | SQLArcExtensionUserRole |
Default | SELECT dbo.sysjobHistory | msdb | SQLArcExtensionUserRole |
Default | SELECT dbo.sysjobSteps | msdb | SQLArcExtensionUserRole |
Default | SELECT dbo.syscategories | msdb | SQLArcExtensionUserRole |
Default | SELECT dbo.sysoperators | msdb | SQLArcExtensionUserRole |
Default | SELECT dbo.suspectpages | msdb | SQLArcExtensionUserRole |
Default | SELECT dbo.backupset | msdb | SQLArcExtensionUserRole |
Default | SELECT dbo.backupmediaset | msdb | SQLArcExtensionUserRole |
Default | SELECT dbo.backupmediafamily | msdb | SQLArcExtensionUserRole |
Default | SELECT dbo.backupfile | msdb | SQLArcExtensionUserRole |
Backup | CREATE ANY DATABASE | Server Level | SQLArcExtensionServerRole |
Backup | db_backupoperator role | All databases | SQLArcExtensionUserRole |
Backup | dbcreator | Server Level | SQLArcExtensionServerRole |
Azure Control Plane | CREATE TABLE | msdb | SQLArcExtensionUserRole |
Azure Control Plane | ALTER ANY SCHEMA | msdb | SQLArcExtensionUserRole |
Azure Control Plane | CREATE TYPE | msdb | SQLArcExtensionUserRole |
Azure Control Plane | EXECUTE | msdb | SQLArcExtensionUserRole |
Azure Control Plane | db_datawriter role | msdb | SQLArcExtensionUserRole |
Azure Control Plane | db_datareader role | msdb | SQLArcExtensionUserRole |
Availability Group Discovery | VIEW ANY DEFINITION | Server Level | SQLArcExtensionServerRole |
Purview | SELECT | All databases | SQLArcExtensionUserRole |
Purview | EXECUTE | All databases | SQLArcExtensionUserRole |
Migration Assessment | EXECUTE dbo.agent_datetime | msdb | SQLArcExtensionUserRole |
Migration Assessment | SELECT dbo.sysjobs | msdb | SQLArcExtensionUserRole |
Migration Assessment | SELECT dbo.sysmail_account | msdb | SQLArcExtensionUserRole |
Migration Assessment | SELECT dbo.sysmail_profile | msdb | SQLArcExtensionUserRole |
Migration Assessment | SELECT dbo.sysmail_profileaccount | msdb | SQLArcExtensionUserRole |
Migration Assessment | SELECT dbo.syssubsystems | msdb | SQLArcExtensionUserRole |
Migration Assessment | SELECT sys.sql_expression_dependencies | All databases | SQLArcExtensionUserRole |
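To check an instance against the table above, the following T-SQL (an added example, not part of the original article) compares the server-level grants held by SQLArcExtensionServerRole with the documented list, then shows the role's members and the server roles it belongs to. It reads only the standard catalog views sys.server_permissions, sys.server_principals and sys.server_role_members; the finding labels are this example's own wording.

```sql
-- Added audit example. Expected list is copied from the "Server Level" rows
-- of the table above; CREATE ANY DATABASE appears only for the Backup feature.
WITH expected (permission_name) AS (
    SELECT v.permission_name
    FROM (VALUES (N'VIEW SERVER STATE'), (N'CONNECT SQL'),
                 (N'VIEW ANY DEFINITION'), (N'VIEW ANY DATABASE'),
                 (N'CONNECT ANY DATABASE'), (N'CREATE ANY DATABASE')
         ) AS v (permission_name)
),
granted (permission_name) AS (
    -- Server-scoped (class 100) grants held directly by the role.
    SELECT sp.permission_name COLLATE DATABASE_DEFAULT
    FROM sys.server_permissions AS sp
    JOIN sys.server_principals  AS r
      ON r.principal_id = sp.grantee_principal_id
    WHERE r.name   = N'SQLArcExtensionServerRole'
      AND sp.class = 100
      AND sp.state IN ('G', 'W')      -- GRANT, GRANT WITH GRANT OPTION
)
SELECT COALESCE(e.permission_name, g.permission_name) AS permission_name,
       CASE
           WHEN g.permission_name IS NULL
               THEN 'documented, not granted (feature may be disabled)'
           WHEN e.permission_name IS NULL
               THEN 'granted, not in documented list: review'
           ELSE 'matches documentation'
       END AS finding
FROM expected AS e
FULL OUTER JOIN granted AS g
  ON g.permission_name = e.permission_name COLLATE DATABASE_DEFAULT
ORDER BY finding, permission_name;

-- Members of the role. By default the only member is NT AUTHORITY\SYSTEM;
-- in least privilege mode a different account is expected.
SELECT m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'SQLArcExtensionServerRole';

-- Server roles that SQLArcExtensionServerRole itself belongs to
-- (dbcreator is listed for the Backup feature).
SELECT parent.name AS member_of_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS parent ON parent.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS child  ON child.principal_id  = rm.member_principal_id
WHERE child.name = N'SQLArcExtensionServerRole';
```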
To run Azure extension for SQL Server with least privilege, follow the instructions at Operate SQL Server enabled by Azure Arc with least privilege.
At this time, the least privilege configuration is not the default.