The EXECUTE permission was denied on the object. Multiple Alerts
-
Friday, August 17, 2012 3:26 PM
Hi Guys,
I have seen a number of threads for specific versions of these errors but not anything explaining why they are occurring.
I am currently seeing issues in our SCOM 2007 monitoring platform for random permission errors.
> The EXECUTE permission was denied on the object 'proc_SecAddUser', database 'SharePoint_AdminContent_15a79e93-ee8c-4bbf-88e3-e4cfffe391c1', schema 'dbo'.
> The EXECUTE permission was denied on the object 'proc_AddListItem', database 'SharePoint_AdminContent_15a79e93-ee8c-4bbf-88e3-e4cfffe391c1', schema 'dbo'.
> The EXECUTE permission was denied on the object 'proc_UpdateDiskUsed', database 'SharePoint_AdminContent_15a79e93-ee8c-4bbf-88e3-e4cfffe391c1', schema 'dbo'

These alerts are coming in for random users and random stored procedures. Recently a user was being denied EXECUTE permissions over the proc_SecGetUserAccountDirectoryPath. In order to resolve this we granted the WSS_Content_Application_Pools database role explicit EXECUTE permission over the stored procedure.
This fixed the issue for that individual user and stored procedure but it is now occurring for others. Obviously I could simply add the EXECUTE permission to every reported stored procedure but this is a bit of a pain.
Does anyone know why the WSS_Content_Application_Pools database role does not already have these permissions? I would assume it should be able to perform all stored procedures as it needs.
If anyone could shed some light on the best way to deal with these alerts as having to manually add the EXECUTE permission every time doesn't really seem like the best solution.
Thanks
James
MCTS: Windows Server 2008 Active Directory, Configuring MCTS: Windows 7, Configuring
All Replies
-
Monday, August 20, 2012 8:10 AM Moderator
Hi James,
For this issue, based on your error, it seems that they all relate to “SharePoint_AdminContent_15a79e93-ee8c-4bbf-88e3-e4cfffe391c1”, so based on my understanding, the user does not have enough permissions to the “SharePoint_AdminContent_15a79e93-ee8c-4bbf-88e3-e4cfffe391c1” database. Please check it.
If it’s not the issue, please feel free to let me know.
Regards,
Kelly Chen
-
Monday, August 20, 2012 1:01 PM
Hi Kelly,
You are correct that the user doesn't seem to have the right permissions but I am more wondering if anyone can advise why the WSS_Content_Application_Pool database role does not have these permissions?
Surely it should have access over all stored procedures? At the moment I am having to wait for the alerts to come in on SPHA and then manually add each and every permission as and when it occurs. This doesn't seem right to me and is frankly a bit of a nightmare.
I don't believe we have had to do this in the past. So I wonder if there were any updates or such that are known to cause this behaviour?
Thanks
James
-
Tuesday, August 21, 2012 1:20 AM Moderator
Hi James,
The WSS_CONTENT_APPLICATION_POOLS database role applies to the application pool account for each Web application that is registered in SharePoint. This enables the Web applications to query and update the site map, and have read-only access to other items in the configuration database.
Members of the WSS_CONTENT_APPLICATION_POOLS role are granted the execute permission for a subset of the stored procedures for the database. In addition, members of this role are granted the select permission to the Versions table (dbo.Versions) in the SharePoint_AdminContent database. For other databases, the accounts planning tool indicates that access to read these databases is automatically configured. In some cases, limited access to write to a database is also automatically configured.
More information about “Account permissions and security settings”:
http://technet.microsoft.com/en-us/library/cc678863.aspx
Regards,
Kelly Chen
- Marked As Answer by Jamesatighe Tuesday, August 21, 2012 9:06 AM
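The following read-only T-SQL audit is an added example, not part of the original thread or of SharePoint. It lists which stored procedures the role has object-level EXECUTE on, any schema- or database-wide EXECUTE, and who the role's members are. The role name is taken from the thread and assumes a case-insensitive collation; the `@role` variable and column aliases are illustrative.

```sql
-- Added example: run in the database named in the alerts.
USE [SharePoint_AdminContent_15a79e93-ee8c-4bbf-88e3-e4cfffe391c1];
GO

DECLARE @role sysname = N'WSS_Content_Application_Pools';

-- 1. Object-level EXECUTE state per stored procedure for the role.
--    'NOT GRANTED' rows are the procedures that produce the
--    "EXECUTE permission was denied" alert for role members.
SELECT  s.name AS schema_name,
        p.name AS procedure_name,
        COALESCE(dp.state_desc, 'NOT GRANTED') AS execute_state
FROM    sys.procedures AS p
JOIN    sys.schemas    AS s ON s.schema_id = p.schema_id
LEFT JOIN sys.database_permissions AS dp
       ON dp.class = 1                      -- object-level permission
      AND dp.major_id = p.object_id
      AND dp.minor_id = 0
      AND dp.permission_name = 'EXECUTE'
      AND dp.grantee_principal_id = DATABASE_PRINCIPAL_ID(@role)
ORDER BY execute_state, s.name, p.name;

-- 2. EXECUTE granted or denied at database (class 0) or schema (class 3)
--    scope, which would apply to every procedure in that scope.
SELECT  dp.class_desc,
        CASE dp.class WHEN 3 THEN SCHEMA_NAME(dp.major_id) END AS schema_name,
        dp.state_desc,
        dp.permission_name
FROM    sys.database_permissions AS dp
WHERE   dp.grantee_principal_id = DATABASE_PRINCIPAL_ID(@role)
  AND   dp.permission_name = 'EXECUTE'
  AND   dp.class IN (0, 3);

-- 3. Accounts that inherit whatever the role is granted.
SELECT  m.name AS member_name, m.type_desc
FROM    sys.database_role_members AS rm
JOIN    sys.database_principals   AS m
       ON m.principal_id = rm.member_principal_id
WHERE   rm.role_principal_id = DATABASE_PRINCIPAL_ID(@role);
```

Comparing the first result set before and after a manual GRANT shows exactly how far the role has drifted from the subset configured automatically.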
-
Tuesday, August 21, 2012 9:11 AM
Hi Kelly,
Thanks for that. It explains why we are getting these errors. The stored procedures we needed to add permissions for are not any that are added automatically.
Therefore we need to decide whether we ignore the alert or grant the EXECUTE permission.
Thanks for your help
James

