6

How to grant permission for a user to access SQL Jobs?

User does not have access to SQL Agent, SQL Jobs to run the Job.

Improve this question
3
  • Define "access" -- permission to run them, permission to check their status, permission to change them? The proper way is to make the user a member of any of the fixed roles. Commented Feb 4, 2019 at 14:40
  • there is a stored procedure which we run along with the username .. i forgot that script Commented Feb 4, 2019 at 14:40
  • Without the GUI, accessing the definition of jobs can be done through the MSDB views: msdb.dbo.sysjobs, msdb.dbo.sysjobsteps. Commented Feb 4, 2019 at 14:42

2 Answers 2

Reset to default
23

I would say this is "well" documented in Configure a User to Create and Manage SQL Server Agent Jobs, however, "well" would seem to be a bit much; perhaps "touched on" is a better phrase. It does, however, give you the basicsl that there are database roles in msdb that can be used to give the user/login permissions.

If your login doesn't already have a user in msdb first you'll need to create them one:

CREATE USER [YourLogin] FOR LOGIN [YourLogin];

Then you need to provide them with the correct fixed roles; there are 3 of these SQLAgentOperatorRole, SQLAgentReaderRole and SQLAgentUserRole. These are better covered in SQL Server Agent Fixed Database Roles. Then you simply need to use the relevant ALTER command. For example:

USE msdb;
ALTER ROLE SQLAgentReaderRole ADD MEMBER [YourLogin];

To quote the relevant permissions of each role:

SQL Agent User Role:

SQLAgentUserRole is the least privileged of the SQL Server Agent fixed database roles. It has permissions on only operators, local jobs, and job schedules. Members of SQLAgentUserRole have permissions on only local jobs and job schedules that they own. They cannot use multiserver jobs (master and target server jobs), and they cannot change job ownership to gain access to jobs that they do not already own. SQLAgentUserRole members can view a list of available proxies only in the Job Step Properties dialog box of SQL Server Management Studio. Only the Jobs node in SQL Server Management Studio Object Explorer is visible to members of SQLAgentUserRole.

SQL Agent Reader Role:

SQLAgentReaderRole includes all the SQLAgentUserRole permissions as well as permissions to view the list of available multiserver jobs, their properties, and their history. Members of this role can also view the list of all available jobs and job schedules and their properties, not just those jobs and job schedules that they own. SQLAgentReaderRole members cannot change job ownership to gain access to jobs that they do not already own. Only the Jobs node in SQL Server Management Studio Object Explorer is visible to members of the SQLAgentReaderRole.

SQL Agent Operator Role:

SQLAgentOperatorRole is the most privileged of the SQL Server Agent fixed database roles. It includes all the permissions of SQLAgentUserRole and SQLAgentReaderRole. Members of this role can also view properties for operators and proxies, and enumerate available proxies and alerts on the server.

SQLAgentOperatorRole members have additional permissions on local jobs and schedules. They can execute, stop, or start all local jobs, and they can delete the job history for any local job on the server. They can also enable or disable all local jobs and schedules on the server. To enable or disable local jobs or schedules, members of this role must use the stored procedures sp_update_job and sp_update_schedule. Only the parameters that specify the job or schedule name or identifier and the @enabled parameter can be specified by members of SQLAgentOperatorRole. If they specify any other parameters, execution of these stored procedures fails. SQLAgentOperatorRole members cannot change job ownership to gain access to jobs that they do not already own.

The Jobs, Alerts, Operators, and Proxies nodes in SQL Server Management Studio Object Explorer are visible to members of SQLAgentOperatorRole. Only the Error Logs node is not visible to members of this role.

Depending on what actions the user needs to make depends on what role(s) the user needs. you can give the user multiple roles, if needed as well. None of the roles have explicit DENY permissions, so won't stop them from being able to perform specific task; they only enable them to do them.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

"Cannot alter the role 'SQLAgentReaderRole', because it does not exist or you do not have permission." ??
The error is telling you the problem there, @ColinMac. You're either not in the right database, and so the role doesn't exist, or lack the permissions.
I was pointing at the msdb, and I have every role assigned to me - so I should have been able to grant. However - I was able to do it by actually opening up the Security --> Login in the Object Explorer, and manually add the users to this role.
This is almost certainly a case of you were connected to the wrong database then, @ColinMac .
4

Grant user to SQL Agent role in msdb, depends on your requirement. for instance: SQLAgentOperatorRole 

USE msdb
ALTER ROLE SQLAgentOperatorRole ADD MEMBER [yourUser]

Larnu already described in this topic possible roles that can be used

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.