Run this script to grant permissions to the user
To this SQL script:
- Replace all occurrences of TrustedUser with the name of the user.
- There are commented lines at the end of the script; un-comment these lines as appropriate for your environment.
- Run the script (as sysadmin).
use master
grant ALTER TRACE to TrustedUser
grant VIEW SERVER STATE to TrustedUser
grant VIEW ANY DEFINITION to TrustedUser
USE [master]
GO
CREATE USER [TrustedUser] FOR LOGIN [TrustedUser]
GO
USE [msdb]
GO
CREATE USER [TrustedUser] FOR LOGIN [TrustedUser]
GO
grant VIEW DATABASE STATE to TrustedUser
use msdb
EXECUTE sp_addrolemember
@rolename = 'SQLAgentReaderRole',
@membername = 'TrustedUser'
use msdb
EXECUTE sp_addrolemember
@rolename = 'TargetServersRole',
@membername = 'TrustedUser'
grant select on dbo.log_shipping_monitor_history_detail to TrustedUser
grant select on dbo.log_shipping_monitor_primary to TrustedUser
grant select on dbo.log_shipping_monitor_secondary to TrustedUser
grant select on dbo.log_shipping_primary_databases to TrustedUser
grant select on dbo.log_shipping_secondary_databases to TrustedUser
grant select on dbo.log_shipping_primary_secondaries to TrustedUser
grant select on dbo.log_shipping_primaries to TrustedUser
grant select on dbo.log_shipping_secondary to TrustedUser
grant select on dbo.log_shipping_secondaries to TrustedUser
grant select on dbo.sysjobs to TrustedUser
grant select on dbo.sysalerts to TrustedUser
grant select on dbo.sysjobhistory to TrustedUser
grant execute on dbo.sp_help_jobhistory to TrustedUser
grant select on msdb.dbo.syssessions to TrustedUser
grant select on msdb.dbo.sysjobactivity to TrustedUser
use master
grant EXECUTE on xp_servicecontrol to TrustedUser
grant EXECUTE on xp_enumerrorlogs to TrustedUser
grant EXECUTE on xp_readerrorlog to TrustedUser
grant EXECUTE on xp_sqlagent_enum_jobs to TrustedUser
grant execute on xp_regread to TrustedUser
declare @dbnumber int
declare @dbname sysname
declare @use nvarchar(4000)
declare @Quest_dblist table (
row int identity,
name sysname
)
insert into @Quest_dblist (name)
select name from master.dbo.sysdatabases where name not in ('master', 'msdb');
set @dbnumber = @@rowcount
while @dbnumber > 0
begin
select @dbname =name from @Quest_dblist where row = @dbnumber
set @use = N'USE ' + quotename(@dbname)
+ N'CREATE USER [TrustedUser] FOR LOGIN [TrustedUser]';
exec (@use)
set @dbnumber = @dbnumber - 1
end
Grant ALTER ANY EVENT SESSION to TrustedUser
Known issues with this script
The following monitoring functions require sysadmin privileges; hence have known issues and will not work even after using the script:
- Number of virtual log files (VLFs)
- Jobs