Why do some SQL user accounts have the UNSAFE ASSEMBLY permission?

Article ID: CS0027 Why do some SQL user accounts have the UNSAFE ASSEMBLY permission?

Question

Why do some SQL user accounts have the UNSAFE ASSEMBLY permission?

Answer

When you install the CommServe database, the software creates specific SQL accounts to import Dynamic-Link Library (DLL) files to the CommServe database. This applies for any CLR DLL file in the SQL Server. Multiple accounts are needed because the accounts are created using asymmetric keys and each DLL has a different key. The software creates the following SQL accounts:

  • CVManagedLoggerLogin
  • CVDBCLRLogin
  • CVDM2DBCLRLogin
  • CVDM2XMLMsgLogin

Because these accounts are used internally by the software for code signing, you cannot use them to log on to the CommCell, so these accounts do not have passwords.

The CVManagedLoggerLogin and CVDBCLRLogin accounts have the UNSAFE ASSEMBLY permission. This permission is required because Commvault uses extended stored procedures to run some methods within the context of SQL for login and license calculation purposes. Some DLLs use the WIN32 API to retrieve system information (date/time and time zone) and to write to local files (logging). The WIN32 API requires the UNSAFE ASSEMBLY permission. The assemblies have been configured and installed in accordance with Microsoft guidelines.