Access Denied to SSIS server...DCOM permissions...

http://social.msdn.microsoft.com/Forums/en-US/6b0b0773-41eb-40a1-9784-92eaea3c58ee/access-denied-to-ssis-serverdcom-permissions?forum=sqlintegrationservices

SQL Server

SQL Server forums

 > 

SQL Server Integration Services

Question

• 

  I am trying to connect to Integration Services in Management Studio so I can review deployed packages.

  I tried the following but still cannot connect nor add deployed packages to SQL Agent jobs:

   If the user is not a member of the local Administrators group, add the user to the Distributed COM Users group. You can do this in the Computer Management MMC snap-in accessed from the Administrative Tools menu.
  

  1. Open Control Panel, double-click Administrative Tools, and then double-click Component Services to start the Component Services MMC snap-in.
  2. Expand the Component Services node in the left pane of the console. Expand theComputers node, expand My Computer , and then click the DCOM Config node.
  3. Select the DCOM Config node, and then select MsDtsServer in the list of applications that can be configured.
  4. Right-click on MsDtsServer and select Properties .
  5. In the MsDtsServer Properties dialog box, select the Security tab.
  6. Under Launch and Activation Permissions , select Customize , then click Edit to open theLaunch Permission dialog box.
  7. In the Launch Permission dialog box, add or delete users, and assign the appropriate permissions to the appropriate users and groups. The available permissions are Local Launch, Remote Launch, Local Activation, and Remote Activation. The Launch rights grant or deny permission to start and stop the service; the Activation rights grant or deny permission to connect to the service.
  8. Click OK to close the dialog box.
  9. Under Access Permissions , repeat steps 7 and 8 to assign the appropriate permissions to the appropriate users and groups.
  10. Close the MMC snap-in.
  11. Restart the Integration Services service.

  
  

  
  
• ************************************************************************************
•  http://msdn.microsoft.com/en-us/library/ms141053(v=sql.105).aspx
• 
  

Using Integration Services Roles

SQL Server 2008 R2 

SQL Server Integration Services includes the three fixed database-level roles, db_ssisadmin, db_ssisltduser, and db_ssisoperator, for controlling access to packages. Roles can be implemented only on packages that are saved to the msdb database in SQL Server. You assign roles to a package using SQL Server Management Studio. The role assignments are saved to the msdb database.

The following table describes the read and write actions of Windows and fixed database-level roles in Integration Services.

Role	Read action	Write action
db_ssisadmin or sysadmin	Enumerate own packages. Enumerate all packages. View own packages. View all packages. Execute own packages. Execute all packages. Export own packages. Export all packages. Execute all packages in SQL Server Agent.	Import packages. Delete own packages. Delete all packages. Change own package roles. Change all package roles. Important Members of the db_ssisadmin role and the dc_admin role may be able to elevate their privileges to sysadmin. This elevation of privilege can occur because these roles can modify Integration Services packages and Integration Services packages can be executed by SQL Server using the sysadmin security context of SQL Server Agent. To guard against this elevation of privilege when running maintenance plans, data collection sets, and other Integration Services packages, configure SQL Server Agent jobs that run packages to use a proxy account with limited privileges or only add sysadmin members to the db_ssisadmin and dc_admin roles.
db_ssisltduser	Enumerate own packages. Enumerate all packages. View own packages. Execute own packages. Export own packages.	Import packages. Delete own packages. Change own package roles.
db_ssisoperator	Enumerate all packages. View all packages. Execute all packages. Export all packages. Execute all packages in SQL Server Agent.	None
Windows administrators	View execution details of all running packages.	Stop all currently running packages.

The sysssispackages table in msdb contains the packages that are saved to SQL Server. For more information, see sysssispackages (Transact-SQL).

The sysssispackages table includes columns that contain information about the roles that are assigned to packages.

• The readerrole column specifies the role that has read access to the package.
• The writerrole column specifies the role that has write access to the package.
• The ownersid column contains the unique security identifier of the user who created the package. This column defines the owner of the package.

By default, the permissions of the db_ssisadmin and db_ssisoperator fixed database-level roles and the unique security identifier of the user who created the package apply to the reader role for packages, and the permissions of the db_ssisadmin role and the unique security identifier of the user who created the package apply to the writer role. A user must be a member of the db_ssisadmin, db_ssisltduser, or db_ssisoperator role to have read access to the package. A user must be a member of the db_ssisadmin role to have write access.

The fixed database-level roles work in conjunction with user-defined roles. The user-defined roles are the roles that you create in SQL Server Management Studio and then use to assign permissions to packages. To access a package, a user must be a member of the user-defined role and the pertinent Integration Services fixed database-level role. For example, if users are members of the AuditUsers user-defined role that is assigned to a package, they must also be members of db_ssisadmin, db_ssisltduser, or db_ssisoperator role to have read access to the package.

If you do not assign user-defined roles to packages, access to packages is determined by the fixed database-level roles.

If you want to use user-defined roles, you must add them to the msdb database before you can assign them to packages. You can create new database roles in SQL Server Management Studio.

The Integration Services database-level roles grant rights on the Integration Services system tables in the msdb database, but not on the DTS system tables, such as sysdtspackages in the msdb database. You have to grant users rights on the DTS system tables before they can perform certain management tasks, such as importing a DTS package in Management Studio. For more information about DTS support, see Support for Data Transformation Services (DTS) in SQL Server 2008.

Step 1: Open Object Explorer and Connect to Integration Services

---

Before you can assign roles to packages by using SQL Server Management Studio, you must open Object Explorer in SQL Server Management Studio and connect to Integration Services.

The Integration Services service must be started before you can connect to Integration Services.

To open Object Explorer and connect to Integration Services

1. Open SQL Server Management Studio.
2. Click Object Explorer on the View menu.
3. On the Object Explorer toolbar, click Connect, and then click Integration Services.
4. In the Connect to Server dialog box, provide a server name. You can use a period (.), (local), or localhost to indicate the local server.
5. Click Connect.

Step 2: Assign Reader and Writer Roles to Packages

---

You can assign a reader and a writer role to each package.

Assign a reader and writer role to a package

1. In Object Explorer, locate the Integration Services connection.
2. Expand the Stored Packages folder, and then expand the subfolder that contains the package to which you want to assign roles.
3. Right-click the package to which you want to assign roles.
4. In the Packages Roles dialog box, select a reader role in the Reader Role list and a writer role in the Writer Role list.
5. Click OK.

Create a User-Defined Role

---

SQL Server (the MSSQLSERVER service) must be started before you can connect to the Database Engine and access the msdb database.

To create a user-defined role

1. Open SQL Server Management Studio.
2. Click Object Explorer on the View menu.
3. On the Object Explorer toolbar, click Connect, and then click Database Engine.
4. In the Connect to Server dialog box, provide a server name and select an authentication mode. You can use a period (.), (local), or localhost to indicate the local server.
5. Click Connect.
6. Expand Databases, System Databases, msdb, Security, and Roles.
7. In the Roles node, right-click Database Roles, and click New Database Role.
8. On the General page, provide a name and optionally, specify an owner and owned schemas and add role members.
9. Optionally, click Permissions and configure object permissions.
10. Optionally, click Extended Properties and configure any extended properties.
11. Click OK.

Stay Up to Date with Integration Services For the latest downloads, articles, samples, and videos from Microsoft, as well as selected solutions from the community, visit the Integration Services page on MSDN or TechNet: Visit the Integration Services page on MSDN Visit the Integration Services page on TechNet For automatic notification of these updates, subscribe to the RSS feeds available on the page.

*********************************************************************************

http://sqlbuzz.wordpress.com/2011/12/07/connecting-to-the-integration-services-service-on-the-computer-mirrorstand-failed-with-the-following-error-access-is-denied/

• CONNECTING TO THE INTEGRATION SERVICES SERVICE ON THE COMPUTER “MIRRORSTAND” FAILED WITH THE FOLLOWING ERROR: “ACCESS IS DENIED
• In this Blog post let’s see how to fix DCOM Permissions issue for an user who receives below error when trying to connect to “SSIS” Remotely from a remote machine.

  The Error Message you’ll receive when you are not granted required DCOM permissions is..

  Connecting to the Integration Services service on the computer “mirrorstand” failed with the following error: “Access is denied.
  “.This error occurs when the computer has not been configured to allow remote connections through DCOM, or the user does not have permission to access the SQL Server Integration Services service through DCOM.

  

  Note: The SSIS Server which I’m trying to connect is “MirrorStand”. The login which I’m trying to connect is ‘SREE\HR1″ So, how to fix this Error?

  Solution: Step 1: Log on to SSIS Server and Go to Component Services in Administrative Tools as shown below.

  

  Step2: Navigate to DCOM Config ->MsDtsServer100 as shown below.

  

  Step 3: Right Click on MsDtsServer100 and go to Properties and navigate to “Security” tab as shown below.

  

  Step 4: Click “EDIT” beside all the three Options(Launch and Activation Permissions, Access Permissions and Configuration Permissions) shown in the above screenshot…

  Once you click on ‘Edit’ button you will get the below screen where you’ve to add the required login as shown below.

  

  

  

  Once adding in DCOM – component services is completed, then navigate to “Users and Groups” in computer Management and add the login in “Distributed Com Users” Windows Group as shown below.

  

  Once you are done with adding the above shown DCOM permissions, you have to Restart SSIS Service. Then the login(user) should be able to connect to SSIS remotely.

  As you can see below in the screenshot, I’m able to connect to SSIS Remotely (from a different machine, “Node1″ in my case ) as ‘Hr1′ Login.