Permissions
Published 31 January 2017
These are the minimum permissions required to run SQL Monitor and monitor your servers. To test the permissions, see Testing data collection methods
If you want to access SQL Monitor through a firewall, check the firewall requirements.
Web service account
- The account should have Log on as service rights. For information on how to assign these permissions, see Add the Log on as a service right to an account.
- The account should have Full Control over the folder
C:\Documents and Settings\All Users\Application Data\Red Gate\SQL Monitor. For Vista and Windows 7:C:\ProgramData\Red Gate\SQL Monitor. - The account should have Full Control over the folder
C:\Documents and Settings\All Users\Application Data\Red Gate\Logs\SQL Monitoror equivalent location. - The account should be able to reserve the port the web service is configured to use. If the user is not a local admin, run the following substituting the correct values for your installation:
netsh http add urlacl url=http://*:8080/ user=yourdomain\youruser
As of version 7.0.6, for performance reasons, the website accesses the data repository for data directly. This means that if the repository is being accessed with Windows authentication, then the identity that the website runs as should have appropriate access to the repository database (as listed below under "Monitoring service Account") :
- If the website is the stand-alone website, then the SQL Monitor website service should be configured (via service manager) to run as an appropriate Windows user.
- Or, if the website is hosted in IIS, then the application pool used for the SQL Monitor website should be configured with an appropriate Windows user identity.
The SQL Monitor Web Service is not installed if you use IIS as your Web Server.
Monitoring service account
- The account should have Log on as service rights. For information on how to assign these permissions, see Add the Log on as a service right to an account.
- The account should have Full Control over the folder
C:\Documents and Settings\All Users\Application Data\Red Gate\Logs\SQL Monitor. For Vista and Windows 7 :C:\ProgramData\Red Gate\Logs\SQL Monitor. - The login should be a member of the db_owner database role on the Data Repository database (called RedGateMonitor by default).
Monitoring host Windows machines
- The account should be an administrator on the remote Windows host machine.
- The account should have login rights locally on the machine where the base monitor is installed, so that SQL Monitor can authenticate the account.
Monitoring SQL Server instances
The account used to monitor your SQL Server instance should have the following permissions:
- member of the db_datareader role on the msdb system database.
- member of SQLAgentReader role on the msdb system database.
- member of the db_ddladmin database role on all databases (needed to run sys.dm_db_index_physical_stats() required by the Fragmented index alert).
- VIEW ANY DEFINITION server permission.
- ALTER TRACE server permission (if you want to enable trace data).
- VIEW SERVER STATE and VIEW DATABASE STATE database permissions on all databases.
- sysadmin role required for Integrity check overdue alerts (to run DBCC DBINFO) and to allow SQL Monitor to turn on the deadlock trace flag (this flag is required for Deadlock alerts to be raised; you can turn on the flag manually if you don't want to enable sysadmin permissions).
- member of the db_owner role on the tempdb database.
- EXECUTE on xp_readerrorlog.
