SCOM SQL 2014 Management Pack low-privilege permissions documentation incorrect

    Question

  • I run SCOM with the SQL 2014 Management Pack in a low-privilege environment. While profiling a server today I noticed that SCOM is attempting to select from msdb.dbo.syspolicy_policy_execution_history_details_internal but it doesn't have access, as this isn't part of the documented requirements.

    The requirements state that the SCOM account must be in the PolicyAdministratorRole database role in msdb, but that role by default does not permit direct access to the above table.

    I'd log a Connect item but I couldn't find a public one for SCOM.

    Tuesday, February 9, 2016 4:18 AM

All replies

  • Hi there,

    "SCOM is attempting to select from msdb.dbo.syspolicy_policy_execution_history_details_internal but it doesn't have access"

    Is there any error/event in SCOM when monitoring SQL 2014 with this MP?

    PAUL

    Sunday, February 14, 2016 1:59 PM
  • The first two things I would check:

    1. Is this server in the list of servers that you have distributed this run-as account credential to? It sounds like it could have been pushed to some servers but this one didn't get the credential. This would be found under the "Distribution" section of the User account.

    2. On the SQL server in question - check the security and application logs - is there an event showing failed authentication to the SQL server? Does the ID there match the expected RunAs account you've configured?

    These two steps would verify proper setup - showing that the expected account is the one being attempted. If that all checks out, then you'll need to dive into the required permissions outlined in the MP guide.

    Monday, March 28, 2016 9:02 PM
  • Neither of those is the case; the MP documentation is simply incorrect. Do you know where I can log an item for it?
    Monday, March 28, 2016 11:39 PM
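
One way to confirm the permission gap described in the question, as an added example that is not part of the thread or the MP guide: list the explicit permissions recorded on the table, show the msdb roles the monitoring user belongs to, and test effective SELECT access as that user. The user name `CONTOSO\scom_sql_runas` is a hypothetical placeholder, and the script assumes the account exists as a user in msdb and that the caller may impersonate it.

```sql
-- Added example: audit access to the table named in the question.
-- CONTOSO\scom_sql_runas is a hypothetical placeholder for the
-- low-privilege SCOM run-as account; substitute the real msdb user.
USE msdb;

DECLARE @table sysname =
    N'dbo.syspolicy_policy_execution_history_details_internal';
DECLARE @user sysname = N'CONTOSO\scom_sql_runas';  -- hypothetical

-- 1. Explicit GRANT/DENY entries on the table, for any principal.
--    No row for PolicyAdministratorRole means the role carries no
--    direct permission on this object.
SELECT pr.name      AS grantee,
       pr.type_desc AS grantee_type,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1                       -- object or column
  AND pe.major_id = OBJECT_ID(@table);

-- 2. msdb roles the monitoring user is a direct member of.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals   AS r
  ON r.principal_id = m.role_principal_id
JOIN sys.database_principals   AS u
  ON u.principal_id = m.member_principal_id
WHERE u.name = @user;

-- 3. Effective permission, evaluated as the monitoring user.
--    1 = SELECT allowed, 0 = not allowed, NULL = invalid securable.
EXECUTE AS USER = 'CONTOSO\scom_sql_runas';  -- same placeholder as @user
SELECT HAS_PERMS_BY_NAME(
           'dbo.syspolicy_policy_execution_history_details_internal',
           'OBJECT', 'SELECT') AS can_select_table;
REVERT;
```

A result of 0 from step 3 while step 2 lists PolicyAdministratorRole matches the behaviour reported in the question.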