{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 兄弟一词,经得起流年. 的问题《Integration Services Catalog folder permissions ch》','https://www.manongdao.com/q-840974.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Question: Do any of the SQL Server systems tables in either SSISDB or MSDB contain information that would allow me to discover which users are making changes to folder permissions in the Integration Services Catalog?
Background: I saw that a SQL Agent Job was failing with the following error description:
Cannot access the package or the package does not exist. Verify that the package exists and that the user has permissions to it.
Upon researching the issue, I found that the service account's permissions to the folder that contains the relevant packages has been removed. I would like to perform a diagnostic to see who removed the permissions and when.
Additionally, configuration management by our IT Operations Group has been a challenge as the SQL Servers have not been kept in-line across environments (i.e., development, test, stage, and production) with respect to at least the following:
- Patch Management
- Memory Management
- Permissions Management
Research: I have checked the Sysssispackages table in MSDB but that does not appear helpful and the tables in SSISDB all appear to be integer based. My background is in database development and less so in database management. Any help is appreciated.
The changes to permissions are not audited for the SSISDB.
When you're using the UI to grant/deny permissions for a folder/project, that is translated to a call to
catalog.grant_permission/catalog.deny_permissionsThose check whether you're in an admin role (server or database) and if so, then call theinternal.update_permissionwith a value of 0/1 for grant vs deny.I tested this versus 2014 but I would be surprised if it's any different in 2016/2017/2019
SQL Server itself keep track of permission changes via the system trace. Assuming the change was recent, you can try a query like this
Event class breakout is at https://www.databasejournal.com/features/mssql/a-few-cool-things-you-can-identify-using-the-default-trace.html
I don't think that SSISDB either MSDB contains informations about permissions changes auditing. If think this should be done on the SQL Server database engine. You should have an auditing process that monitor all changes on the SQL Server Instance.
You can refer to the following links to read more on how you can track or audit permissions changes:
To check out what are the tables and informations stored inside MSDB and SSISDB check the following links: