| Author | Chrissy LeMaire (@cl), netnerds.net |
| Availability | Windows, Linux, macOS |
Want to see the source code for this command? Check out Grant-DbaAgPermission on GitHub.
Want to see the Bill Of Health for this command? Check out Grant-DbaAgPermission.
Grants specific permissions to logins for availability groups and database mirroring endpoints.
Grants permissions to SQL Server logins for availability groups (Alter, Control, TakeOwnership, ViewDefinition) and database mirroring endpoints (Connect, Alter, Control, and others). Essential for setting up high availability and disaster recovery scenarios where service accounts or users need access to manage or connect to availability group resources. Windows logins are automatically created if they don't exist on the target instance, simplifying multi-server availability group deployments.
Grant-DbaAgPermission
[[-SqlInstance] <DbaInstanceParameter[]>]
[[-SqlCredential] <PSCredential>]
[[-Login] <String[]>]
[[-AvailabilityGroup] <String[]>]
[-Type] <String[]>
[[-Permission] <String[]>]
[[-InputObject] <Login[]>]
[-EnableException]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
PS C:\> Grant-DbaAgPermission -SqlInstance sql2017a -Type AvailabilityGroup -AvailabilityGroup SharePoint -Permission CreateAnyDatabase
Adds CreateAnyDatabase permissions to the SharePoint availability group on sql2017a. Does not prompt for confirmation.
PS C:\> Grant-DbaAgPermission -SqlInstance sql2017a -Type AvailabilityGroup -AvailabilityGroup ag1, ag2 -Permission CreateAnyDatabase -Confirm
Adds CreateAnyDatabase permissions to the ag1 and ag2 availability groups on sql2017a. Prompts for confirmation.
PS C:\> Get-DbaLogin -SqlInstance sql2017a | Out-GridView -Passthru | Grant-DbaAgPermission -Type EndPoint
Grants the selected logins Connect permissions on the DatabaseMirroring endpoint for sql2017a
Specifies whether to grant permissions on database mirroring endpoints or availability groups. Use 'Endpoint' for database mirroring endpoint permissions or 'AvailabilityGroup' for AG-level
permissions.
Endpoint permissions are needed for replicas to communicate, while AvailabilityGroup permissions control AG management operations.
| Alias | |
| Required | True |
| Pipeline | false |
| Default Value | |
| Accepted Values | Endpoint,AvailabilityGroup |
The target SQL Server instance or instances.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Specifies the SQL Server logins that will receive the permissions. Windows logins are automatically created if they don't exist on the target instance.
Use this when you need to grant permissions to specific service accounts or users for availability group operations.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Specifies which availability groups to grant permissions on. Required when using Type 'AvailabilityGroup'.
Use this to limit permission grants to specific AGs rather than all availability groups on the instance.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value |
Specifies which permissions to grant. Defaults to 'Connect' for basic endpoint access.
For endpoints: Connect, Alter, Control, and others. For availability groups: Alter, Control, TakeOwnership, ViewDefinition only.
Use 'CreateAnyDatabase' for AGs to allow automatic seeding of new databases to replicas.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | Connect |
| Accepted Values | Alter,Connect,Control,CreateAnyDatabase,CreateSequence,Delete,Execute,Impersonate,Insert,Receive,References,Select,Send,TakeOwnership,Update,ViewChangeTracking,ViewDefinition |
Accepts login objects from Get-DbaLogin pipeline input. Use this when you've already retrieved specific logins and want to grant them permissions.
Provides an alternative to specifying individual login names with the -Login parameter.
| Alias | |
| Required | False |
| Pipeline | true (ByValue) |
| Default Value |
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
| Alias | |
| Required | False |
| Pipeline | false |
| Default Value | False |
Shows what would happen if the command were to run. No actions are actually performed.
| Alias | wi |
| Required | False |
| Pipeline | false |
| Default Value |
Prompts you for confirmation before executing any changing operations within the command.
| Alias | cf |
| Required | False |
| Pipeline | false |
| Default Value |