question

Bhupendra99 asked

Rights to run SQL Profiler

When I told my DBA team to give me rights to run SQL Profiler on the test server, they said that giving Profiler rights means giving admin rights, which is against our policy. Can anybody tell me: if a user has the ALTER TRACE right to run Profiler, what else does he have access to? That is, apart from running SQL Profiler, what else can he do with ALTER TRACE rights?
sql profiler

1 Answer

Fatherjack answered
Having this permission in Dev is exactly what the Dev server is for - you can have elevated privileges on the server to do your job properly so that you don't need them on the Production server. So long as your Dev database and server have the relevant backups, then having higher access rights will not bring problems - if you break something then it gets restored and you try again - the production system is left safe and secure where you cannot break it. The details are here http://msdn.microsoft.com/en-us/library/cc293611.aspx but in essence it is possible to see 'restricted' data in the trace that ordinarily you wouldn't be allowed to see. However, your Dev system should have data that has been anonymised or otherwise obfuscated so that it is not the same as live data. If this hasn't happened then it can easily be done. The Dev server/data should be your area where you can play and break things and learn.
2 comments

KenJ commented ·
With all due respect to @Bhupendra99, it would have been helpful if the question indicated you were only concerned with "delete, Insert, Create etc" rather than just asking "what else he can do with Alter Trace Rights". Reading sensitive information from events in any database on the server (that's what ALTER TRACE gives) is generally considered to be an action that should be restricted. This right also allows you to obtain this information any way you want, not just through SQL Profiler, so @Fatherjack correctly identifies an action outside of SQL Profiler when he points out that "it is possible to see 'restricted' data ... that ordinarily you wouldn't be allowed to see". In addition to being an information security risk, it's also a performance risk. You can capture very intrusive events that can have a huge impact on server performance. While the ALTER TRACE permission does allow non-administrative users to run a trace, Microsoft (and your DBA team, though they didn't express it accurately) still recommend that ALTER TRACE only be given to "users who are authorized to view sensitive information, such as members of the db_owner database role or sysadmin fixed server role."
2 Likes 2 ·
Bhupendra99 commented ·
Thanks for your reply, but my question was: if I had rights to run Profiler, is there anything else I can do with it, that is, delete, insert, create, etc.?
0 Likes 0 ·
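
For anyone reviewing the permission discussed in this thread, the following T-SQL is an added example (not posted by any participant) that audits who holds ALTER TRACE, checks what the current login can actually do, and lists the traces defined on the instance. It assumes a session with enough rights to see all server metadata (for example a sysadmin), and it uses only standard catalog views and built-in functions.

```sql
-- Added example: audit of the ALTER TRACE server permission.
-- Assumption: run by a DBA whose session can see all server principals.

-- 1. Principals explicitly granted (or denied) ALTER TRACE at server scope.
SELECT pr.name            AS principal_name,
       pr.type_desc       AS principal_type,
       pe.state_desc      AS grant_state,      -- GRANT, GRANT_WITH_GRANT_OPTION, DENY
       pe.permission_name
FROM   sys.server_permissions AS pe
JOIN   sys.server_principals  AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.class = 100                          -- 100 = server-level permission
  AND  pe.permission_name = N'ALTER TRACE';

-- 2. Members of the sysadmin fixed server role can trace without an explicit
--    grant, so they do not appear in query 1.
SELECT m.name AS member_name, m.type_desc AS member_type
FROM   sys.server_role_members AS rm
JOIN   sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name = N'sysadmin';

-- 3. Effective permissions of the CURRENT login (1 = held, 0 = not held).
--    Run this as the login in question to compare the trace permission with
--    server control and with an object-creation permission in the current database.
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER TRACE')              AS can_alter_trace,
       HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER')           AS has_control_server,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CREATE TABLE')  AS can_create_table;

-- 4. Traces currently defined on the instance, to spot heavy or unexpected
--    captures (the performance risk raised in the comments above).
SELECT id, status, path, is_default, start_time,
       event_count, dropped_event_count
FROM   sys.traces
ORDER  BY start_time;
```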