arc-enabled-roles.md

File metadata and controls

33 lines (24 loc) · 1.59 KB
author: MikeRayMSFT
ms.author: mikeray
ms.date: 04/25/2024
ms.service: sql
ms.topic: include

When you install Azure extension for SQL Server, the installation:

  1. Creates a server level role: SQLArcExtensionServerRole

  2. Creates a database level role: SQLArcExtensionUserRole

  3. Adds NT AUTHORITY\SYSTEM* account to each role

  4. Maps NT AUTHORITY\SYSTEM* at the database level for each database

  5. Grants minimum permissions for the enabled features

    *Alternatively, you can configure SQL Server enabled by Azure Arc to run in least privilege mode (available in preview). For details, review Operate SQL Server enabled by Azure Arc with least privilege (preview).

In addition, Azure extension for SQL Server revokes permissions for these roles when they're no longer needed for specific features.

SqlServerExtensionPermissionProvider is a Windows task. It grants or revokes privileges in SQL Server when it detects:

  • A new SQL Server instance is installed on the host
  • A SQL Server instance is uninstalled from the host
  • An instance-level feature is enabled or disabled, or its settings are updated
  • The extension service is restarted

Note

Prior to the July, 2024 release, SqlServerExtensionPermissionProvider is a scheduled task. It runs hourly.

For details, review Configure Windows service accounts and permissions for Azure extension for SQL Server.

If you uninstall Azure extension for SQL Server, the server and database level roles are removed.
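
To check what the installation steps above left on a given instance, the following T-SQL lists the members and granted permissions of both roles and flags any member other than the account named on this page. It is an added example, not part of the original article or the extension; the `@expected` value is an assumption to adjust when the extension runs in least privilege mode, and the database-level queries cover only the current database.

```sql
-- Added example: audit the roles created by Azure extension for SQL Server.
-- Role names are taken from this page; @expected is an assumption (default mode).
DECLARE @expected sysname = N'NT AUTHORITY\SYSTEM';

-- 1. Server-level role and its members (member columns are NULL if the role is empty)
SELECT r.name AS role_name, m.name AS member_name, m.type_desc AS member_type,
       CASE WHEN m.name IS NOT NULL AND m.name <> @expected
            THEN 'UNEXPECTED' ELSE 'ok' END AS review
FROM sys.server_principals AS r
LEFT JOIN sys.server_role_members AS rm ON rm.role_principal_id = r.principal_id
LEFT JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.type = 'R' AND r.name = N'SQLArcExtensionServerRole';

-- 2. Server-level permissions currently granted to the role
SELECT pr.name AS role_name, pe.state_desc, pe.permission_name, pe.class_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'SQLArcExtensionServerRole'
ORDER BY pe.permission_name;

-- 3. Database-level role and its members in the current database
SELECT DB_NAME() AS database_name, r.name AS role_name,
       m.name AS member_name, m.type_desc AS member_type,
       CASE WHEN m.name IS NOT NULL AND m.name <> @expected
            THEN 'UNEXPECTED' ELSE 'ok' END AS review
FROM sys.database_principals AS r
LEFT JOIN sys.database_role_members AS rm ON rm.role_principal_id = r.principal_id
LEFT JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.type = 'R' AND r.name = N'SQLArcExtensionUserRole';

-- 4. Database-level permissions currently granted to the role
SELECT DB_NAME() AS database_name, pr.name AS role_name,
       pe.state_desc, pe.permission_name, pe.class_desc,
       CASE WHEN pe.class = 1  -- object or column: resolve the securable name
            THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id)
       END AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'SQLArcExtensionUserRole'
ORDER BY pe.permission_name;
```

Comparing the output of queries 2 and 4 before and after a feature is disabled shows which permissions the extension revoked; after the extension is uninstalled, all four queries return no rows.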