Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Permission to access sys.dm_db_index_usage_stats

So I have a website for internal use which tracks a bunch of stats for employees. One of these is whether they are missing any reports. Since the list of items that don't have reports yet only gets updated every couple days, and there is a 3 day grace period on these reports, I am comparing the Date (releaseDt) that the item was logged as missing a report to the last time the database was updated (@lastupdate). This way, if the reports database hasn't updated but the report is complete, the website isn't ratting someone out for missing a report.

The SQL code works fine with admin level privledges, but for obvious reasons I'm not letting the ASP.NET account have server admin level.

I have set up a SQL account that the ASP.NET C# code uses to log in, and the permissions for everything else are fine. (Read access only for the specific databases it uses.) I can't figure out what to give it access to in order to have access to read this specific dynamic management view.

Would appreciate suggestions using either Management Studio, or using a GRANT SQL statement.

This appears to have related information on the view in question:

sys.dm_db_index_usage_stats (Transact-SQL)

DECLARE @lastupdate datetime
     SELECT @lastupdate = last_user_update from sys.dm_db_index_usage_stats
     WHERE OBJECT_ID = OBJECT_ID('MissingReport')

SELECT 
    COALESCE(Creator, 'Total') AS 'Creator',
    COUNT(*) AS Number, 
    '$' + CONVERT(varchar(32), SUM(Cost), 1) AS 'Cost' 
    FROM MissingReport 
    WHERE NOT( 
        [bunch of conditions that make something exempt from needing a report]
        OR
        (
            DATEDIFF(day,ReleaseDt,@lastupdate) <= 3
        )
    )
    GROUP BY Creator WITH ROLLUP
like image 997
sylverfyre Avatar asked Jul 13 '12 15:07

sylverfyre


1 Answers

You can't grant SELECT on DMVs, since this is prevented by policy for server-scoped DMVs:

GRANT SELECT ON sys.dm_db_index_usage_stats TO peon;

Results in:

Msg 4629, Level 16, State 10, Line 1
Permissions on server scoped catalog views or system stored procedures or extended stored procedures can be granted only when the current database is master.

The BOL page you referenced tells you that you need to grant VIEW SERVER STATE. You would apply this to the login from master:

USE master;
GO
GRANT VIEW SERVER STATE TO peon;
-- if it's a Windows login then:
GRANT VIEW SERVER STATE TO [Domain\peon];

But there isn't a way to do this per database. Not that you should be all that concerned, since even if someone could figure out how to hack into your server with the ASP.NET account credentials, all they can do is see server state, they can't change anything.

like image 106
Aaron Bertrand Avatar answered Oct 22 '22 15:10

Aaron Bertrand