SPDatabasePermissions: New resource proposal #1385
Comments
Did you have a chance to evaluate SQLServerDSC for this use case: https://github.com/dsccommunity/SqlServerDsc/wiki/SqlDatabasePermission
On one hand, I like this idea. But on the other hand, I agree with @andikrueger that we should not recreate functionality from other modules. Especially since adding users to roles can mean we also have to add a login in SQL, which requires permissions within the SQL instance. A better solution is to use DSC and SQLServerDsc to update the permissions in SQL. Do keep in mind that SQLServerDsc is created to run on the SQL Server itself and you can run into limitations when trying to configure SQL from a SharePoint server. For more info about these issues, see here.

NOTE: Also check out the SQLDatabaseRole resource.
I understand the concern about recreating the functionality. While SQLServerDSC has the resources, the implementation adds a lot of resources in a medium-sized farm. I'll try to solve this with the DSCWorkshop framework and also add a feature request for Subscription Edition to expose the existing methods for SQL role memberships. There might be a middle-ground solution for SPDataAccess on the content databases of a web application, which would fix the usual Service Application Pool Account permission errors within SharePoint itself without replicating code. The SPWebApplication has a method:

```powershell
$spWebApplication = Get-SPWebApplication -Identity <WebappName>
$spWebApplication.GrantAccessToProcessIdentity('DOMAIN\User')
```

I didn't find a public method on the SPDatabase class to check if a user is a role member. Do you have any idea if there is a way?
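The check the comment above asks about can be done from the SharePoint side by going to SQL Server with the database's own connection string. The following is an added example, not code from the thread or from the SharePointDsc project. It assumes it runs in the SharePoint Management Shell on a farm server, that the content database connection strings use integrated security, so the calling account must already have read access (and, for the grant step, the rights that GrantAccessToProcessIdentity needs) in those databases, and the web application URL and account name are placeholders.

```powershell
# Added example, not part of the original issue or of SharePointDsc.
# Assumes: SharePoint Management Shell on a farm server; the caller has
# Windows-authenticated access to the content databases; names are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SPDatabaseRoleMember {
    # Returns $true/$false for membership of $Account in $Role inside the
    # database behind the SPDatabase object, or $null when $Account is not a
    # user in that database at all. SPDatabase has no public "is role member"
    # method, so the question is put to SQL Server via IS_ROLEMEMBER().
    param(
        [Parameter(Mandatory)] [Microsoft.SharePoint.Administration.SPDatabase] $Database,
        [Parameter(Mandatory)] [string] $Account,
        [string] $Role = 'SPDataAccess'
    )

    $connection = New-Object System.Data.SqlClient.SqlConnection $Database.DatabaseConnectionString
    try {
        $connection.Open()
        $command = $connection.CreateCommand()
        # Parameterised: role and principal names never become part of the query text.
        $command.CommandText = 'SELECT IS_ROLEMEMBER(@role, @principal)'
        [void] $command.Parameters.AddWithValue('@role', $Role)
        [void] $command.Parameters.AddWithValue('@principal', $Account)
        $result = $command.ExecuteScalar()
        if ($null -eq $result -or $result -is [DBNull]) { return $null }
        return ([int] $result -eq 1)
    }
    finally {
        $connection.Dispose()
    }
}

function Grant-SPDataAccessIfMissing {
    # Checks every content database of a web application, calls
    # GrantAccessToProcessIdentity (the SharePoint API named in the thread)
    # once if any database is missing the account, then re-checks.
    param(
        [Parameter(Mandatory)] [string] $WebApplication,   # e.g. 'https://intranet.contoso.local'
        [Parameter(Mandatory)] [string] $Account           # e.g. 'CONTOSO\svc-apppool'
    )
    $webApp = Get-SPWebApplication -Identity $WebApplication
    $before = @{}
    foreach ($db in $webApp.ContentDatabases) {
        $before[$db.Name] = Test-SPDatabaseRoleMember -Database $db -Account $Account
    }

    if ($before.Values -contains $false -or $before.Values -contains $null) {
        $webApp.GrantAccessToProcessIdentity($Account)
    }

    foreach ($db in $webApp.ContentDatabases) {
        [pscustomobject]@{
            Database = $db.Name
            Server   = $db.NormalizedDataSource
            Before   = $before[$db.Name]
            After    = Test-SPDatabaseRoleMember -Database $db -Account $Account
        }
    }
}

# Usage (placeholders):
# Grant-SPDataAccessIfMissing -WebApplication 'https://intranet.contoso.local' -Account 'CONTOSO\svc-apppool'
```

IS_ROLEMEMBER returns NULL when the principal does not exist in the database, which is why the function distinguishes "not a member" from "not a user here": the second case is the one that GrantAccessToProcessIdentity has to create a database user for, and, as the earlier comment notes, that still needs SQL-side rights for the caller.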
Resource proposal
Use Case
SharePoint does not set all the required database permissions on its databases. An example would be the SPDataAccess role for the Service Application Pool Account, which is missing on the content databases.
Also, the SCOM Management Pack needs db_owner permissions on every SPDatabase, as do third-party tools like SPDocKit.
Details
The resource would work similar to SPShellAdmins and get the databases at runtime, which would save you from adding multiple SQLServerDSC resources. To target the affected databases, they should be selectable by
Failsafes: Members parameter. This could be extended so it takes the object's context into account, but that might be a lot of code for little benefit.
Proposed properties
Parameters:
- MSFT_SPDatabaseByTypeNamePermissions
- MSFT_SPDatabaseByWebApplicationPermissions: Microsoft.SharePoint.PowerShell.SPWebApplicationPipeBind
- MSFT_SPDatabaseByServiceApplicationPermissions: Microsoft.SharePoint.PowerShell.SPServiceApplicationPipeBind
Special considerations or limitations
To prevent PSConfig from removing db_owner permissions from a database, the registry key BypassDboDropMember at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\16.0\WSS\ must be set to 1 on every server. Some details at "Description of the security update for SharePoint Enterprise Server 2016: October 10, 2017" (original title in German: Hinweise zum Sicherheitsupdate für SharePoint Enterprise Server 2016: 10. Oktober 2017). That key works for every SharePoint version.
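Setting that key consistently on every farm server is the part that is easy to miss when it is done by hand. The following is an added example, not part of the issue or of SharePointDsc: it sets BypassDboDropMember to DWORD 1 over PowerShell remoting and reports the previous and current value per server. It assumes remoting is enabled to the listed servers, that the caller is a local administrator on them, and that the version segment of the registry path matches the installed SharePoint major version (the page's path uses 16.0; 15.0 is the corresponding hive for SharePoint 2013, so the segment is a parameter here).

```powershell
# Added example, not part of the original issue or of SharePointDsc.
# Assumes: PowerShell remoting to every farm server, local admin rights there,
# and that $SharePointVersion matches the installed hive (16.0 or 15.0).
function Set-BypassDboDropMember {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [string] $SharePointVersion = '16.0'
    )
    $keyPath = "HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\$SharePointVersion\WSS"

    Invoke-Command -ComputerName $ComputerName -ArgumentList $keyPath -ScriptBlock {
        param($path)
        $name = 'BypassDboDropMember'
        if (-not (Test-Path $path)) {
            throw "$path not found on $env:COMPUTERNAME; check the SharePoint version segment of the path"
        }
        # REG_DWORD 1: PSConfig leaves db_owner members it did not add in place.
        $previous = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($previous -ne 1) {
            New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        }
        [pscustomobject]@{
            Server   = $env:COMPUTERNAME
            Previous = $previous
            Current  = (Get-ItemProperty -Path $path -Name $name).$name
        }
    }
}

# Usage (placeholders): pass the SharePoint servers of the farm, not the SQL servers.
# Set-BypassDboDropMember -ComputerName 'SP-WFE01', 'SP-APP01' -SharePointVersion '16.0'
```

The function is idempotent, so it can be re-run after every server addition or patch cycle; a Previous value of $null in the output means the value had never been created on that server, which is the state in which PSConfig would drop the extra db_owner members.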