With this post I want to show you how you can make a central management server (CMS) selective for different user accounts so that you can use public and management roles, only showing the servers that are necessary to do your job. This enables you to only maintain one CMS, but show different servers (and even groups) dependent of your role (operator, junior DBA, Sys DBA,…) these roles are only limited by your needs and imagination.
First I looked into Row- and Cell-Level Security
With this post I want to show you how you can make a central management server (CMS) selective for different user accounts so that you can use public and management roles, only showing the servers that are necessary to do your job. This enables you to only maintain one CMS, but show different servers (and even groups) dependent of your role (operator, junior DBA, Sys DBA,…) these roles are only limited by your needs and imagination.
First I looked into Row- and Cell-Level Security (http://technet.microsoft.com/library/Cc966395 )
And then I tried to implement parts of this technique on the CMS.
Key is that first you have to define the roles needed for this, so for arguments sake let’s create the 3 roles defined in the introduction.
First thing to do is to create these database roles
USE [msdb]
GO
CREATE ROLE [CMS_JuniorDBA]
GO
CREATE ROLE [CMS_Operator]
GO
CREATE ROLE [CMS_Management]
GO
These roles are just placeholders, and will only contain logins (AD groups or SQL logins)
For this hack to function correctly you have to create CMS groups that have (the same) meaningful names so we can map these to the database roles that we created in the previous step.
Please note that the server name in a CMS is unique (being a bit creative here by adding ports or DNS aliases for example can go a long way though)
Prerequisites
Stop all recurring agent jobs on our victim… eugh CMS
To be on the same site, make sure that there are no executing jobs on your server, this is especially trough if your CMS is also a central job server MSX. You can do this by using the following statement:
EXEC msdb.dbo.sp_update_job @job_name=‘SQL Agent Job 1’,@enabled = 0
GO
EXEC msdb.dbo.sp_update_job @job_name=‘ SQL Agent Job 2’,@enabled = 0
GO
Preparing the view to be altered
Please note that everything that follows in this post is not supported by Microsoft, and any CU or SP can (and probably will) undo this change. You bare the full responsibility of implementing this change, so please test this before implementing on a production environment.
Stop the SQL Server instance that is hosting your CMS in the SQL Server configuration manager.
Open command prompt as Admin and go to SQL server bin directory
Example: C:\Program Files\Microsoft SQL Server\<Instance Dir> \MSSQL\Binn
Start SQL Server in single user mode. When you start SQL Server in single user mode it’s always better to limit the app that can connect to SQL to prevent other applications or (un)helpful sidekicks to connect first and lock you out.
Example:- sqlservr -m”SQLCMD” -s<instance id>
Open another command prompt window and start SQLCMD with DAC
Command:- sqlcmd -A -S.\ <instance name>
Execute the following commands (line by line)
1> USE msdb
2> Go
1> update sys.sysschobjs set status = 917504 where name =’sysmanagement_shared_registered_servers’
2> GO
3> update sys.sysschobjs set status = 917504 where name =’sysmanagement_shared_server_groups’
4> GO
Exit single user mode (Ctrl-C)
Restart the server using the SQL Server Configuration Manager
Now both views should be visible in MSDB as user views.
We have to be careful here, the query that uses these views when querying the CMS uses a fixed query plan, so the possible alterations are quite limited. We can alter everything we need for this hack to work, but because of this limitation we can only alter the query in such a way that it doesn’t change the execution plan.
The workaround that I used is to use functions in combination with a case structure. Also note the sequence of the CASE structure. The sysadmin role check is explicitly defined on the bottom of the structure (otherwise your junior DBA might end up seeing more than what he can cope with ;-)
CREATE FUNCTION [dbo].[sysmanagement_custom_CMS] (@server_group_id int)
RETURNS int
WITH EXECUTE AS CALLER
AS
BEGIN
declare @return_value int
declare @group_name sysname
declare @parent_id int
declare @parent_name sysname
select
@group_name=name,
@parent_id=parent_id
from msdb.dbo.sysmanagement_shared_server_groups
where server_group_id =@server_group_id
select
@parent_name=name
from msdb.dbo.sysmanagement_shared_server_groups
where server_group_id = @parent_id
select @return_value=case
when IS_ROLEMEMBER(‘CMS_Management’)=1 and @parent_name = ‘Management’ then 1
when IS_ROLEMEMBER(‘CMS_JuniorDBA’)=1 and @parent_name = ‘CMS_JuniorDBA’
and substring(SYSTEM_USER,1,3)=‘DEV’ then 1
— Use this code if you have separate dev/test/prod domains
when IS_ROLEMEMBER(‘CMS_JuniorDBA‘)=1 and @parent_name = ‘Public’ and
substring(SYSTEM_USER,1,3)=‘ONT’
and @group_name=‘SQL – Development’ then 1
— Use this code to select specific groups in the CMS
when IS_ROLEMEMBER(‘CMS_JuniorDBA‘)=1 and @parent_name = ‘Public’ and substring(SYSTEM_USER,1,3)=‘ONT’
and @group_name=‘SQL – Test’ then 1
when IS_ROLEMEMBER(‘CMS_Operator’)=1 and @parent_name = ‘CMS_Operator’
and @group_name=‘SQL – Production’ then 1
when IS_SRVROLEMEMBER(‘sysadmin’)=1 then 1
else 0
end
return @return_value
END
Now you can use this function in the views used by the CMS.
Example
USE [msdb]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
ALTER VIEW [dbo].[sysmanagement_shared_registered_servers]
AS
(
SELECT server_id, server_group_id, name, server_name, description, server_type
FROM [msdb].[dbo].[sysmanagement_shared_registered_servers_internal]
WHERE [dbo].[sysmanagement_custom_CMS] (server_group_id)=1
)
GO
Ok fill up your CMS, and deposit your server in the correct groups, by doing this they will be displayed if the user has the correct role. You can by using the same code alter the second view so that you can only see the groups you’re allowed to see.
© 2023 Kohera
Crafted by
© 2022 Kohera
Crafted by
Cookie | Duration | Description |
---|---|---|
ARRAffinity | session | ARRAffinity cookie is set by Azure app service, and allows the service to choose the right instance established by a user to deliver subsequent requests made by that user. |
ARRAffinitySameSite | session | This cookie is set by Windows Azure cloud, and is used for load balancing to make sure the visitor page requests are routed to the same server in any browsing session. |
cookielawinfo-checkbox-advertisement | 1 year | Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category. |
cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
CookieLawInfoConsent | 1 year | CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie. |
elementor | never | The website's WordPress theme uses this cookie. It allows the website owner to implement or change the website's content in real-time. |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |
Cookie | Duration | Description |
---|---|---|
__cf_bm | 30 minutes | Cloudflare set the cookie to support Cloudflare Bot Management. |
pll_language | 1 year | Polylang sets this cookie to remember the language the user selects when returning to the website and get the language information when unavailable in another way. |
Cookie | Duration | Description |
---|---|---|
_ga | 1 year 1 month 4 days | Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors. |
_ga_* | 1 year 1 month 4 days | Google Analytics sets this cookie to store and count page views. |
_gat_gtag_UA_* | 1 minute | Google Analytics sets this cookie to store a unique user ID. |
_gid | 1 day | Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously. |
ai_session | 30 minutes | This is a unique anonymous session identifier cookie set by Microsoft Application Insights software to gather statistical usage and telemetry data for apps built on the Azure cloud platform. |
CONSENT | 2 years | YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data. |
vuid | 1 year 1 month 4 days | Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website. |
Cookie | Duration | Description |
---|---|---|
ai_user | 1 year | Microsoft Azure sets this cookie as a unique user identifier cookie, enabling counting of the number of users accessing the application over time. |
VISITOR_INFO1_LIVE | 5 months 27 days | YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface. |
YSC | session | Youtube sets this cookie to track the views of embedded videos on Youtube pages. |
yt-remote-connected-devices | never | YouTube sets this cookie to store the user's video preferences using embedded YouTube videos. |
yt-remote-device-id | never | YouTube sets this cookie to store the user's video preferences using embedded YouTube videos. |
yt.innertube::nextId | never | YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen. |
yt.innertube::requests | never | YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen. |
Cookie | Duration | Description |
---|---|---|
WFESessionId | session | No description available. |