0

I have an Azure Managed Identity service, I wish to grant it permissions to use the sys.dm_exec_input_buffer function in Azure SQL Database.

According to this documentation, I must grant VIEW SERVER PERFORMANCE STATE permissions.

According to this documentation, this permission is part of the ##MS_ServerStateReader## role.

As specified in the documentation, I have done the following:

--in the master database:
--create the login and add to the correct role:
CREATE LOGIN my_managed_identity_service FROM EXTERNAL PROVIDER --fetch the Managed Identity from the AAD

ALTER SERVER ROLE ##MS_ServerStateReader## ADD MEMBER my_managed_identity_service


--in the sql database: 
--create the user (from login) and assign various permissions:
CREATE USER my_managed_identity_service FOR LOGIN my_managed_identity_service
GRANT CONTROL TO my_managed_identity_service
GRANT VIEW DATABASE PERFORMANCE STATE TO my_managed_identity_service
GRANT VIEW DATABASE STATE to my_managed_identity_service

--everything up to this point works

According to the documentation, I should be able to validate my roles in the master database in two ways: using the sys.server_role_members view or by using the IS_SRVROLEMEMBER function.

However, when I try it, I get inconsistent results.

--using the sys views

SELECT
        member.principal_id         AS MemberPrincipalID
    ,   member.name                 AS MemberPrincipalName
    ,   roles.principal_id          AS RolePrincipalID
    ,   roles.name                  AS RolePrincipalName
FROM sys.server_role_members AS server_role_members
INNER JOIN sys.server_principals    AS roles
    ON server_role_members.role_principal_id = roles.principal_id
INNER JOIN sys.server_principals    AS member 
    ON server_role_members.member_principal_id = member.principal_id
LEFT OUTER JOIN sys.sql_logins      AS sql_logins 
    ON server_role_members.member_principal_id = sql_logins.principal_id
WHERE member.principal_id NOT IN (-- prevent SQL Logins from interfering with resultset
    SELECT principal_id FROM sys.sql_logins AS sql_logins
        WHERE member.principal_id = sql_logins.principal_id)

--i see my_managed_identity_service as belonging to the ##MS_ServerStateReader## role.

-------------------------------------------------------------------

--using the function:

SELECT IS_SRVROLEMEMBER('##MS_ServerStateReader##','my_managed_identity_service')

--returns 0

Screenshot: enter image description here

It seems that the two ways of validating the same information are in conflict.

In any case, the service still does not have the required permissions. Screenshot: enter image description here

The error is: Msg 262, Level 14, State 1, Line 4 VIEW DATABASE PERFORMANCE STATE permission denied in database 'master'. Msg 297, Level 16, State 1, Line 4 The user does not have permission to perform this action.

I am not sure where to go from here.

mark
  • 47
  • 1
  • 2
  • 9
  • [Please do not upload images of code/data/errors when asking a question.](//meta.stackoverflow.com/q/285551) – Thom A Mar 07 '23 at 16:18
  • From the documenation you linked: *"On SQL Database, if the user is the database owner, the user will see all executing sessions on the SQL Database; otherwise, the user will see only the current session."* You need to be a a member of the `db_owner` role on the database (which would not be `master`) for SQL Databases. – Thom A Mar 07 '23 at 16:20
  • Hi Larnu, I granted `db_owner` role in the database but this did not solve the issue. The error specifies the `master` database. Msg 262, Level 14, State 1, Line 4 VIEW DATABASE PERFORMANCE STATE permission denied in database 'master'. Msg 297, Level 16, State 1, Line 4 The user does not have permission to perform this action. – mark Mar 07 '23 at 16:29
  • What database are you connected to when you run the query? – Thom A Mar 07 '23 at 16:32
  • the SQL database. (not master). as this is the database i am interested in viewing information. – mark Mar 07 '23 at 18:30
  • Isn't this the problem with Azure? You can't access master stuff, therefor, you're smoked. Which kinda makes sense since they run multiple clients on same server and probably don't want you to see what other people are executing? – siggemannen Mar 07 '23 at 18:52
  • Btw, you also have to disconnect for this stuff to gain effect? – siggemannen Mar 07 '23 at 18:54
  • I do not think this is a generalized Azure access problem, since I personally, with my AD server admin account, can do all of this. My issue is that I cannot seem to grant the permissions to another AD account. – mark Mar 07 '23 at 19:09
  • siggemannen you may be correct: https://github.com/MicrosoftDocs/sql-docs/issues/2272 it says that this is impossible on Basic/Standard tiers, only possible in Premium tiers. However, since the time of this thread, Azure SQL has been telling us to move away from DTU pricing model and move to vCore pricing model, which we did. – mark Mar 07 '23 at 21:14

0 Answers0