We have two developers that say they can not function without full rights to a few jobs on our database server. They both want rights to the same jobs.
Given that it seems that MS doesn't seem to be budging on granting rights to windows groups, I was wondering if anyone had a creative workaround? I can't let them have the system wide agent roles. http://connect.microsoft.com/SQLServer/feedback/details/508137/allow-windows-groups-to-own-sql-agent-jobs
I'm about to create a user and tell these two to log in to a shared account if they want to run/edit their jobs – but then there is no accountability.
Anyone have a creative solution I have missed?
Thanks 🙂
Best Answer
In the past to solve this I've created a web based app to allow users to change jobs. The app connected via a sysadmin login, but only allowed the user to edit/start/stop the jobs that they had access to via the app.
Another option would be to go the single login route, but have auditing enabled for that login specifically and make sure that the auditing tracks the computer name as well as the login. That way if someone does something stupid you've got an audit trail and it'll tie back to their computer.
Group's can't be used to own jobs as the job runs under the context of the job owner.
There does need to be a better security model for jobs however.