-
Notifications
You must be signed in to change notification settings - Fork 21.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Read-only permission to view query text #53572
Comments
For example, here's a custom role that can be used in combination with the built-in "Reader" role:
|
@desmondgc |
@danimir Can you please help here regarding the custom role that can be created for this? |
Can you try to create a custom role with allowing the following actions: Microsoft.Sql/servers/databases/read Please let me know if this worked for you? |
@desmondgc Please let us know if you need any further help with this. |
@desmondgc If there are no questions at this time. We will go ahead and close this thread for now.Please get back to us if you need any further help. |
Hi {
"actions": [
"Microsoft.Sql/servers/databases/providers/Microsoft.Insights/logDefinitions/read",
"Microsoft.Sql/servers/databases/queryStore/read",
"Microsoft.Sql/servers/databases/queryStore/write",
"Microsoft.Sql/servers/databases/topQueries/read",
"Microsoft.Sql/servers/databases/topQueries/statistics/read",
"Microsoft.Sql/servers/databases/topQueries/queryText/action",
"Microsoft.Sql/servers/databases/schemas/tables/columns/read",
"Microsoft.Sql/servers/databases/schemas/read",
"Microsoft.Sql/servers/databases/schemas/tables/read",
"Microsoft.Sql/servers/databases/extensions/read",
"Microsoft.Sql/servers/databases/queryStore/write",
"Microsoft.Sql/servers/databases/*/read",
"Microsoft.Sql/servers/databases/topQueries/statistics/read",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.Sql/servers/automaticTuning/read",
"Microsoft.Sql/locations/databaseOperationResults/read",
"Microsoft.Sql/servers/databases/queryStore/queryTexts/read",
"Microsoft.DBforPostgreSQL/servers/queryTexts/action",
"Microsoft.DBforPostgreSQL/servers/queryTexts/read",
"Microsoft.DBforPostgreSQL/servers/waitStatistics/read",
"Microsoft.DBforPostgreSQL/performanceTiers/read",
"Microsoft.DBforPostgreSQL/operations/read",
"Microsoft.DBforPostgreSQL/servers/read",
"Microsoft.DBforPostgreSQL/servers/configurations/read",
"Microsoft.DBforPostgreSQL/servers/databases/read",
"Microsoft.DBforPostgreSQL/servers/logFiles/read",
"Microsoft.DBforPostgreSQL/servers/replicas/read",
"Microsoft.DBforPostgreSQL/servers/topQueryStatistics/read",
"Microsoft.DBforPostgreSQL/serversv2/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.DBforPostgreSQL/serversv2/providers/Microsoft.Insights/logDefinitions/read",
"Microsoft.DBforPostgreSQL/serversv2/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.DBforPostgreSQL/singleservers/providers/Microsoft.Insights/logDefinitions/read",
"Microsoft.DBforPostgreSQL/servers/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.DBforPostgreSQL/servers/migrations/read",
"Microsoft.DBforPostgreSQL/servers/advisors/recommendedActions/read",
"Microsoft.DBforPostgreSQL/servers/advisors/read"
],
"not_actions": [
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*"
]
} Which such role developer gets below error: Query text is available only when Contributor role is assigned (which have "*" actions) My goal - a read-only role that can see query performance text. |
Without the ability to view query text, Query Performance Insight is not particularly useful. We'd like to allow developers to review top resource-consuming/long-running queries in production but without granting privileged roles like Contributor/SQL DB Contributor. They should not be able to create/manage databases, for example.
It appears as though this is possible using custom roles. Could you provide some guidance exactly which permissions are required? And maybe a hint on the page that it is possible instead of the current "all or nothing" phrasing.
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
The text was updated successfully, but these errors were encountered: