Microsoft SQL Server Agent includes a really cool, often unused feature. That is the ability to run SQL Server Agent job steps as another user besides the user account that the SQL Agent runs under. This is done through the authentication mechanism in Microsoft SQL Server called credentials.
Credentials are similar to but different from Logins in SQL Server. Credentials store the username and password just like logins do. But in this case, the credentials are storing a username and password for an outside system, in this typically an Active Directory username and password. The other big difference is that when a password is stored for a login, only the hash is stored. With a credential however SQL Server needs a way to get the password that is being stored, so the password is encrypted instead of being hashed.
The reason that SQL Server needs to be able to retrieve the password, is that when a credential is used, the password isn’t supplied, only the name of the credential is. The SQL Server retrieves the username and password for the credential specified, then uses the username and password.
Credentials are created through management studio under the security section of object explorer, or by using the CREATE CREDENTIAL command in T-SQL. Once the credential is created, users can be given the right to use the credential. This will allow users that don’t have sysadmin rights to the database instance to use the credential. If everyone that sets up SQL Agent Jobs had sysadmin rights, then permissions on credentials don’t need to be adjusted as members of the sysadmin fixed server role can use any credential. You will need to edit the credential and specify while type of job step can be used the credential.
When you create a SQL Server Agent Job of any type other than T-SQL you’ll have an extra drop-down box that will allow you to select the credential that you want to use. Select the credential from the drop-down, and the next time the job runs, the job step will be run as the account specified in the credential.
If using a T-SQL job step, there is no credential option when creating the job step. This is because T-SQL job steps can’t use credentials. Instead for job steps of this type use the EXECUTE AS syntax that is already available to you within the T-SQL Syntax.
DennyContact the Author | Contact DCAC