Sql-server – SSIS Package Security

sql serversql-server-2008-r2ssis

I am writing a Package for one of my client according to his requirements. Package development is totally complete now time is to protect it with some security.
Is this possible I encrypt all the data with password so no one can open package file(.dtsx) ? and when some one want to execute package he require some other password instead of which I used to protect package file.

Best Answer

This is not native functionality. You can encrypt: Nothing, Sensitive items, Everything. There is no capability to assign one key for development and one for execution.

Instead, the way to restrict execution is through proper security, which is never the last item. If the SSIS package is loading a database, you ensure that only the correct user(s) can do connect/write to the database. If you store the packages in the database, deny them the ability to run the packages. If it's on the file system, set the proper ACL so they can not get to them.

Related Solutions

SQL Server 2008 – SSIS Package Configurations Ignored

You must take into account that when running by BIDS the package will take first the variable value from the config file, and only if the config file doesn't exist, it will throw a warning and the value will be taken from the package.

Now, the situation in command line is a bit different. You can have the following situations:

run the package in cmd line without any config file chosen:
```
dtExec /file "e:\Work\TestPackageConfiguration\TestPackageConfiguration\TestPackage.dtsx"
```
- if the original config file (let's name it Prod) doesn't exist in the same path defined in the metadata of the package, values from inside the package are used and you'll just receive a warning that config file is missing;
- if the original config file exists and is valid, then values from the config file will be used (inner values will be bypassed);
run the package in cmd line without any config file chosen, but with variable set in the call:
```
dtExec /file "e:\Work\TestPackageConfiguration\TestPackageConfiguration\TestPackage.dtsx" /SET \Package.Variables[checkMe];"outside the package in cmd line"
```
- if the original config file doesn't exist, then the value is taken from the /SET package call;
- if the original config file does exist, then the value is taken from the config file and even the /SET is ignored (this is used only in the case above);
run the package in cmd line with a new config file (let's say DEV instead Prod):
```
dtExec /file "e:\Work\TestPackageConfiguration\TestPackageConfiguration\TestPackage.dtsx" /configFile "c:\ETL Config\TestPackage_config_Dev.dtsConfig"
```
- if the new config (Dev) file exists, and old (Prod) doesn't, then values from it are used;
- if both the Dev and Prod config file exist, then only values from Prod is used (DEV is bypassed even if specified in command line call);

run the package in cmd line with a new config file and a SET statement in the call:

dtExec /file "e:\Work\TestPackageConfiguration\TestPackageConfiguration\TestPackage.dtsx" /configFile "c:\ETL Config\TestPackage_config_Dev.dtsConfig" /SET \Package.Variables[checkMe];"outside the package in cmd line - DEV config"

if both config files exist, Prod will be used, all others ignored, even the SET;
if no config file exists, SET value will be used;

So, in short, if you want to use a new config file you'll have to rename/move the old one and call the package with /configFile. If that's not enough and want to override even new config file, then use the /SET variable. Or you can bypass any config file and just use /SET statements in the batch call.

Hopefully that will shed some light in your possibilities.

Sql-server – SSIS Package Validation Error when Executed From Windows Task Scheduler

I could not resolve this issue and changed my approach to utilize a SQL Job instead of running the package directly from a powershell script.

Summary of solution:

SQL Job with one Job Step
The Job Step executes the SSIS package

To run a SQL Job with a custom you must also create:

an instance-level Credential
a Proxy Account which should be mapped to the Credential

I still wonder what's different about this approach versus the 'interactive' approach listed above. Both approaches run with the exact same identity and privileges!

For an in-depth description of the steps required to configure a SQL Job, look at this example code for Automated Deployment of a SQL Job and Job Step.

Hope this helps someone else in the same situation -

Best Answer

Related Solutions

SQL Server 2008 – SSIS Package Configurations Ignored

Sql-server – SSIS Package Validation Error when Executed From Windows Task Scheduler

Related Question