From 8692b75c9b1f375019652e302eff007238f74170 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 24 Apr 2026 16:53:41 +0000 Subject: [PATCH 1/4] Initial plan From f3067d39b4a47874ef35828e652fc0a988bd9e74 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 24 Apr 2026 16:56:44 +0000 Subject: [PATCH 2/4] Add SQL Server permissions documentation to README Document the minimal SQL Server permissions required to run the library, covering three scenarios: - Minimal runtime permissions (pre-installed schema with AutoInstallSchema=false) - Service Broker permissions for real-time notifications - Schema installation permissions (AutoInstallSchema=true) Addresses #11 Agent-Logs-Url: https://github.com/IntelliTect/IntelliTect.AspNetCore.SignalR.SqlServer/sessions/e6792205-855a-410a-858c-2f32e3296108 Co-authored-by: ascott18 <5017521+ascott18@users.noreply.github.com> --- README.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/README.md b/README.md index 1d93361..dc987b3 100644 --- a/README.md +++ b/README.md 
@@ -32,6 +32,54 @@ ALTER DATABASE [DatabaseName] SET ENABLE_BROKER WITH ROLLBACK IMMEDIATE You can also set `AutoEnableServiceBroker = true` when configuring in your `Startup.cs`, but this requires that the application have permissions to do so and has the same caveats that there can be no other active database sessions. +## SQL Server Permissions + +By default, the library will automatically create its required schema and tables on startup (`AutoInstallSchema = true`). If you allow this, the SQL login used by your application will need elevated permissions to perform DDL operations. Alternatively, you can pre-install the schema using the [`install.sql`](./src/IntelliTect.AspNetCore.SignalR.SqlServer/Internal/SqlServer/install.sql) script and then configure `AutoInstallSchema = false` to run with minimal permissions. + +### Minimal Runtime Permissions (Recommended for Production) + +If you pre-install the database schema and set `AutoInstallSchema = false`, the application only needs the following permissions. Replace `SignalR` with your configured schema name and `YourHubName` with your hub's table name. Repeat for each table index from `0` to `TableCount - 1` (e.g. 
with the default `TableCount = 1`, you would have `Messages_YourHubName_0` and `Messages_YourHubName_0_Id`): + +``` sql +-- Permissions on message tables (repeat for each table index from 0 to TableCount - 1): +GRANT SELECT, INSERT, DELETE ON [SignalR].[Messages_YourHubName_0] TO [YourUser]; +GRANT SELECT, UPDATE ON [SignalR].[Messages_YourHubName_0_Id] TO [YourUser]; +``` + +If Service Broker is enabled and you want to use it for real-time notifications (instead of falling back to polling), additional permissions are required: + +``` sql +-- Required for SqlDependency to subscribe to query notifications: +GRANT SUBSCRIBE QUERY NOTIFICATIONS TO [YourUser]; + +-- Required for SqlDependency to create its temporary Service Broker objects: +GRANT CREATE PROCEDURE TO [YourUser]; +GRANT CREATE QUEUE TO [YourUser]; +GRANT CREATE SERVICE TO [YourUser]; +GRANT REFERENCES ON CONTRACT::[http://schemas.microsoft.com/SQL/Notifications/PostQueryNotification] TO [YourUser]; + +-- Required for receiving Service Broker error notifications: +GRANT RECEIVE ON QueryNotificationErrorsQueue TO [YourUser]; +``` + +### Schema Installation Permissions + +If using the default `AutoInstallSchema = true`, the login needs permissions to create the schema and tables. The simplest but broadest approach is to grant the `db_ddladmin` and `db_datawriter` database roles. For more restricted access, grant only the specific permissions needed: + +``` sql +GRANT CREATE SCHEMA TO [YourUser]; +GRANT CREATE TABLE TO [YourUser]; +GRANT ALTER ON SCHEMA::[SignalR] TO [YourUser]; +GRANT INSERT ON SCHEMA::[SignalR] TO [YourUser]; +GRANT SELECT ON SCHEMA::[SignalR] TO [YourUser]; +``` + +If also using `AutoEnableServiceBroker = true`, the login needs `ALTER` permission on the database: + +``` sql +GRANT ALTER ON DATABASE::[YourDatabase] TO [YourUser]; +``` + ## Usage 1. Install the `IntelliTect.AspNetCore.SignalR.SqlServer` NuGet package. From 9c342d3b75dcf0b7473316b58e65849c8604ba18 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 24 Apr 2026 17:22:29 +0000 Subject: [PATCH 3/4] Update Service Broker permissions based on Docker testing Verified all documented permissions against SQL Server 2022 in Docker: - Minimal runtime permissions (polling mode): SELECT/INSERT/DELETE on message tables + SELECT/UPDATE on id tables - verified each is individually necessary and collectively sufficient - Service Broker permissions: Updated to recommend db_owner role since SqlDependency needs CONTROL ON SCHEMA::dbo to manage its temporary Service Broker objects (queue, service, stored procedure) - Schema installation permissions: verified correct - AutoEnableServiceBroker permission: verified correct Agent-Logs-Url: https://github.com/IntelliTect/IntelliTect.AspNetCore.SignalR.SqlServer/sessions/e89277da-2d43-4215-a743-5700ccb78ff7 Co-authored-by: ascott18 <5017521+ascott18@users.noreply.github.com> --- README.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index dc987b3..9921490 100644 --- a/README.md +++ b/README.md 
@@ -46,16 +46,23 @@ GRANT SELECT, INSERT, DELETE ON [SignalR].[Messages_YourHubName_0] TO [YourUser] GRANT SELECT, UPDATE ON [SignalR].[Messages_YourHubName_0_Id] TO [YourUser]; ``` -If Service Broker is enabled and you want to use it for real-time notifications (instead of falling back to polling), additional permissions are required: +If Service Broker is enabled and you want to use it for real-time notifications (instead of falling back to polling), the `SqlDependency` mechanism requires additional permissions to create and manage its temporary Service Broker objects. The simplest approach is to grant the `db_owner` role: + +``` sql +EXEC sp_addrolemember 'db_owner', 'YourUser'; +``` + +If `db_owner` is too broad, the following individual permissions are required at a minimum, though `SqlDependency` may still require `db_owner` in some environments: ``` sql -- Required for SqlDependency to subscribe to query notifications: GRANT SUBSCRIBE QUERY NOTIFICATIONS TO [YourUser]; --- Required for SqlDependency to create its temporary Service Broker objects: +-- Required for SqlDependency to create and manage its temporary Service Broker objects in the dbo schema: GRANT CREATE PROCEDURE TO [YourUser]; GRANT CREATE QUEUE TO [YourUser]; GRANT CREATE SERVICE TO [YourUser]; +GRANT CONTROL ON SCHEMA::dbo TO [YourUser]; GRANT REFERENCES ON CONTRACT::[http://schemas.microsoft.com/SQL/Notifications/PostQueryNotification] TO [YourUser]; -- Required for receiving Service Broker error notifications: From d4ccec89a1e693ccd654e7f525ca6bd020e84f1f Mon Sep 17 00:00:00 2001 From: Andrew Scott Date: Mon, 27 Apr 2026 16:39:34 -0700 Subject: [PATCH 4/4] move down --- README.md | 110 +++++++++++++++++++++++++++--------------------------- 1 file changed, 55 insertions(+), 55 deletions(-) diff --git a/README.md b/README.md index 9921490..8c3f399 100644 --- a/README.md +++ b/README.md 
@@ -32,61 +32,6 @@ ALTER DATABASE [DatabaseName] SET ENABLE_BROKER WITH ROLLBACK IMMEDIATE You can also set `AutoEnableServiceBroker = true` when configuring in your `Startup.cs`, but this requires that the application have permissions to do so and has the same caveats that there can be no other active database sessions. -## SQL Server Permissions - -By default, the library will automatically create its required schema and tables on startup (`AutoInstallSchema = true`). If you allow this, the SQL login used by your application will need elevated permissions to perform DDL operations. Alternatively, you can pre-install the schema using the [`install.sql`](./src/IntelliTect.AspNetCore.SignalR.SqlServer/Internal/SqlServer/install.sql) script and then configure `AutoInstallSchema = false` to run with minimal permissions. - -### Minimal Runtime Permissions (Recommended for Production) - -If you pre-install the database schema and set `AutoInstallSchema = false`, the application only needs the following permissions. Replace `SignalR` with your configured schema name and `YourHubName` with your hub's table name. Repeat for each table index from `0` to `TableCount - 1` (e.g. with the default `TableCount = 1`, you would have `Messages_YourHubName_0` and `Messages_YourHubName_0_Id`): - -``` sql --- Permissions on message tables (repeat for each table index from 0 to TableCount - 1): -GRANT SELECT, INSERT, DELETE ON [SignalR].[Messages_YourHubName_0] TO [YourUser]; -GRANT SELECT, UPDATE ON [SignalR].[Messages_YourHubName_0_Id] TO [YourUser]; -``` - -If Service Broker is enabled and you want to use it for real-time notifications (instead of falling back to polling), the `SqlDependency` mechanism requires additional permissions to create and manage its temporary Service Broker objects. 
The simplest approach is to grant the `db_owner` role: - -``` sql -EXEC sp_addrolemember 'db_owner', 'YourUser'; -``` - -If `db_owner` is too broad, the following individual permissions are required at a minimum, though `SqlDependency` may still require `db_owner` in some environments: - -``` sql --- Required for SqlDependency to subscribe to query notifications: -GRANT SUBSCRIBE QUERY NOTIFICATIONS TO [YourUser]; - --- Required for SqlDependency to create and manage its temporary Service Broker objects in the dbo schema: -GRANT CREATE PROCEDURE TO [YourUser]; -GRANT CREATE QUEUE TO [YourUser]; -GRANT CREATE SERVICE TO [YourUser]; -GRANT CONTROL ON SCHEMA::dbo TO [YourUser]; -GRANT REFERENCES ON CONTRACT::[http://schemas.microsoft.com/SQL/Notifications/PostQueryNotification] TO [YourUser]; - --- Required for receiving Service Broker error notifications: -GRANT RECEIVE ON QueryNotificationErrorsQueue TO [YourUser]; -``` - -### Schema Installation Permissions - -If using the default `AutoInstallSchema = true`, the login needs permissions to create the schema and tables. The simplest but broadest approach is to grant the `db_ddladmin` and `db_datawriter` database roles. For more restricted access, grant only the specific permissions needed: - -``` sql -GRANT CREATE SCHEMA TO [YourUser]; -GRANT CREATE TABLE TO [YourUser]; -GRANT ALTER ON SCHEMA::[SignalR] TO [YourUser]; -GRANT INSERT ON SCHEMA::[SignalR] TO [YourUser]; -GRANT SELECT ON SCHEMA::[SignalR] TO [YourUser]; -``` - -If also using `AutoEnableServiceBroker = true`, the login needs `ALTER` permission on the database: - -``` sql -GRANT ALTER ON DATABASE::[YourDatabase] TO [YourUser]; -``` - ## Usage 1. Install the `IntelliTect.AspNetCore.SignalR.SqlServer` NuGet package. 
@@ -212,6 +157,61 @@ The results of some ad-hoc performance testing yielded that you can expect about Do note that a broadcast message is considered a single message. Any call to `SendAsync` within a hub is a single message. +## SQL Server Permissions + +By default, the library will automatically create its required schema and tables on startup (`AutoInstallSchema = true`). If you allow this, the SQL login used by your application will need elevated permissions to perform DDL operations. Alternatively, you can pre-install the schema using the [`install.sql`](./src/IntelliTect.AspNetCore.SignalR.SqlServer/Internal/SqlServer/install.sql) script and then configure `AutoInstallSchema = false` to run with minimal permissions. + +### Minimal Runtime Permissions (Recommended for Production) + +If you pre-install the database schema and set `AutoInstallSchema = false`, the application only needs the following permissions. Replace `SignalR` with your configured schema name and `YourHubName` with your hub's table name. Repeat for each table index from `0` to `TableCount - 1` (e.g. with the default `TableCount = 1`, you would have `Messages_YourHubName_0` and `Messages_YourHubName_0_Id`): + +``` sql +-- Permissions on message tables (repeat for each table index from 0 to TableCount - 1): +GRANT SELECT, INSERT, DELETE ON [SignalR].[Messages_YourHubName_0] TO [YourUser]; +GRANT SELECT, UPDATE ON [SignalR].[Messages_YourHubName_0_Id] TO [YourUser]; +``` + +If Service Broker is enabled and you want to use it for real-time notifications (instead of falling back to polling), the `SqlDependency` mechanism requires additional permissions to create and manage its temporary Service Broker objects. 
The simplest approach is to grant the `db_owner` role: + +``` sql +EXEC sp_addrolemember 'db_owner', 'YourUser'; +``` + +If `db_owner` is too broad, the following individual permissions are required at a minimum, though `SqlDependency` may still require `db_owner` in some environments: + +``` sql +-- Required for SqlDependency to subscribe to query notifications: +GRANT SUBSCRIBE QUERY NOTIFICATIONS TO [YourUser]; + +-- Required for SqlDependency to create and manage its temporary Service Broker objects in the dbo schema: +GRANT CREATE PROCEDURE TO [YourUser]; +GRANT CREATE QUEUE TO [YourUser]; +GRANT CREATE SERVICE TO [YourUser]; +GRANT CONTROL ON SCHEMA::dbo TO [YourUser]; +GRANT REFERENCES ON CONTRACT::[http://schemas.microsoft.com/SQL/Notifications/PostQueryNotification] TO [YourUser]; + +-- Required for receiving Service Broker error notifications: +GRANT RECEIVE ON QueryNotificationErrorsQueue TO [YourUser]; +``` + +### Schema Installation Permissions + +If using the default `AutoInstallSchema = true`, the login needs permissions to create the schema and tables. The simplest but broadest approach is to grant the `db_ddladmin` and `db_datawriter` database roles. For more restricted access, grant only the specific permissions needed: + +``` sql +GRANT CREATE SCHEMA TO [YourUser]; +GRANT CREATE TABLE TO [YourUser]; +GRANT ALTER ON SCHEMA::[SignalR] TO [YourUser]; +GRANT INSERT ON SCHEMA::[SignalR] TO [YourUser]; +GRANT SELECT ON SCHEMA::[SignalR] TO [YourUser]; +``` + +If also using `AutoEnableServiceBroker = true`, the login needs `ALTER` permission on the database: + +``` sql +GRANT ALTER ON DATABASE::[YourDatabase] TO [YourUser]; +``` + ## License [Apache 2.0](./LICENSE.txt).
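Review bot: in the "Schema Installation Permissions" block of the patch 2 hunk, `GRANT ALTER ON SCHEMA::[SignalR]`, `GRANT INSERT ON SCHEMA::[SignalR]` and `GRANT SELECT ON SCHEMA::[SignalR]` can only be executed once the `SignalR` schema exists, yet this scenario is the one where the application creates the schema itself on first start, so the script as written fails on a fresh database. Either say that a DBA must create the empty schema first (`CREATE SCHEMA [SignalR]`) and then grant, or say that if the login is allowed to run `CREATE SCHEMA` itself it becomes the schema owner and the three schema-scoped grants are unnecessary. The same block also lists only `INSERT` and `SELECT`, while the runtime block above requires `DELETE` on the message tables and `UPDATE` on the `_Id` tables; a sentence such as "These are required in addition to the runtime permissions above" would stop readers from configuring an install-only login that then fails at runtime. Finally, the `db_ddladmin` + `db_datawriter` shortcut does not include `SELECT` (`db_datawriter` is `INSERT`/`UPDATE`/`DELETE` only), so it only works if the login ends up owning the schema it created; worth stating explicitly or adding `db_datareader`.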
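Review bot: the patch 3 hunk now presents `db_owner` as "the simplest approach" before the itemised permissions, which inverts the least-privilege order the rest of the section follows: `db_owner` lets the runtime login drop or alter every object in the database, grant itself further permissions and read data unrelated to SignalR, so a credential leak from the web tier becomes full database compromise. Suggest keeping the itemised grants as the primary recommendation and presenting `db_owner` as the fallback, with a one-line statement of the observed failure (the exact error raised by `SqlDependency.Start` in the Docker test) so readers can tell whether they actually hit it. Two smaller points in the same hunk: `GRANT CONTROL ON SCHEMA::dbo` is itself close to ownership of everything in `dbo`, so the sentence "the following individual permissions are required at a minimum" should warn that this is only narrower than `db_owner` if the application's own data does not live in `dbo`; and `EXEC sp_addrolemember 'db_owner', 'YourUser';` uses a procedure Microsoft documents as deprecated and quotes the principal differently from every other snippet, so `ALTER ROLE db_owner ADD MEMBER [YourUser];` would be both current and consistent.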
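Review bot: after the first hunk of patch 4 removes the section, the surviving context line "but this requires that the application have permissions to do so" sits roughly 120 lines away from the permissions it refers to. Add an intra-document link at that point, e.g. "(see [SQL Server Permissions](#sql-server-permissions))", so readers evaluating `AutoEnableServiceBroker = true` find the `GRANT ALTER ON DATABASE::[YourDatabase]` requirement without scanning the whole README.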
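Review bot: the second hunk of patch 4 re-adds the section verbatim, so this is the final resting place of every `TO [YourUser]` grant, and all of them target a user directly. Recommending a dedicated database role instead (`CREATE ROLE [signalr_app]; GRANT ... TO [signalr_app]; ALTER ROLE [signalr_app] ADD MEMBER [YourUser];`) would let operators rotate the application login without re-running the grant script and would keep the three permission tiers in the README (runtime, Service Broker, installation) as separately auditable roles. A short note to that effect fits naturally after "Replace `SignalR` with your configured schema name".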