Minimum user permissions required for documenting in ApexSQL Doc

Applies to
ApexSQL Doc

Summary
This article provides information about minimum user permissions required for documenting in ApexSQL Doc, a SQL server, SSIS, SSAS, SSRS and Tableau server documentation tool.

Description

Requirements for creating SQL Server database engine documentation on a local server

To begin the documentation process in ApexSQL Doc, at least one database engine must be specified within the local server, using Windows authentication:

or using SQL Server authentication:

Permissions required to generate a database documentation depend on the database objects within particular database and its granted permissions Minimum user permissions requires granted full access to the dbo user, matched with its default database role (dbo_owner) and schema (dbo), in order to document all objects within the particular database.


Requirements for creating SQL Server database engine documentation on a remote server

For documenting database from a remote SQL server, it is required to have Login permission (as a member of a server role) or shared Windows authentication from the system owner. Any other permission depends on the remote database and server settings (especially for dbo granted roles):

The most common way to connect to a remote SQL Server is with SQL Server authentication, where username and password must be provided, and with permission granted by the system owner, through guest IP address inclusion on remote SQL Server:

Requirements for creating Integration services documentation

When documenting SSIS packages from a local SQL Server and especially from SSIS package store (SQL Server 2005 and higher), ApexSQL Doc needs to be run with Windows administrator privileges. Without those privileges, documenting SSIS packages is not possible and ApexSQL Doc displays information about Administrator privileges requirement:

If particular SSIS package files are encrypted, non-administrator users must provide the password to document these packages. If the credentials are not valid or entered, that particular SSIS package will not be included in generated documentation.

Before any attempt of documenting SSIS package with encryption, the following message will be displayed, informing user that valid credentials must be entered:

In order to properly document encrypted packages, the user is required to enter valid credentials (a password) for the particular package in the dedicated field:

Requirements for creating SSAS documentation

To document SSAS databases in ApexSQL Doc, Multidimensional or Tabular Databases must be added within the local Analysis services server:

There are no special user permissions required to generate SSAS documentation in ApexSQL Doc, within Administrator privileges.

Requirements for creating SSRS documentation

There are no special user permissions required for creating a SSRS documentation from Reporting Services within a local SQL server and Administrator role. However, for Native and SharePoint web servers, valid administrative or user credentials are required. If not, ApexSQL Doc will notify the user in order to enter them.

Requirements for creating Tableau server documentation

There are no special user permissions required for creating a Tableau server documentation from Tableau Server or Tableau Online. However, to connect to both Tableau Server and Tableau online, valid administrative or user credentials are required. If not, ApexSQL Doc will notify the user in order to enter them:

Troubleshooting

Error messages (via GUI and CLI) related to insufficient permissions?

The following error message appears when trying to document databases from remote SQL Server without any permissions granted:

Cannot connect to <RemoteServerName>.

A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 – Could not open a connection to SQL Server).

When trying to document databases from remote server via ApexSQL Doc CLI, the following return code is displayed:

ApexSQL Doc 2016, Copyright (C) 1999-2016 ApexSQL LLC

Failed connecting to <RemoteServerName>.

Trying to document SSIS packages from local SQL server or SSIS Package store without Windows Administrator privileges, will trigger the following message:

Access is denied. By default, only administrators have access to the Integration services service. On Windows Vista and later, the process must be running with administrative privileges in order to connect to the Integration services service

The following message is displayed when trying to document SSIS packages via ApexSQL Doc CLI, without Administrator privileges:

ApexSQL Doc 2016, Copyright (C) 1999-2016 ApexSQL LLC

Access is denied. By default, only administrators have access to the Integration services service. On Windows Vista and later, the process must be running with administrative privileges in order to connect to the Integration services service

Troubleshooting insufficient permissions

dbo permissions are minimum user requirements for documenting a database from a remote SQL Server. Without those, an instance of the remote SQL Server could still be visible in ApexSQL Doc, but only permissioned database objects will be included in the generated documentation. Before any attempt at documenting the database from remote SQL Server, with limited access, the user will be notified with following message:

Some objects might not be documented correctly or completely, because of the limited access rights to specific databases.

The minimum user permissions required for documenting SSRS in Native mode are My Reports and Content Manager user roles within Folder Security settings. If one or both of these user roles are not applied, the user will be warned about restricted access to the specific server and will not be able to create SSRS documentation in ApexSQL Doc:

Access to the <ReportingServiceItem> is restricted in Native mode of Reporting services service. Please provide valid credentials in order to document <ReportingServiceItem>.