SQL Server 2008 - Policy Based Management - usage of ##MS_PolicyEventProcessingLogin## under Security, Logins in Management Studio
While I was scrolling through the logins for a permission task, I found login names such as ##MS_PolicyEventProcessingLogin## and ##MS_PolicySigningCertificate##. I was a bit confused and perplexed as to what they are for.
As usual, searching Books Online (2008) and the web doesn't turn up much information on this login's properties. It is also disabled by default, so I directed a question to the SQL development team for Policy Based Management asking for more details, such as where this login is used, why it is disabled, and whether the PBM team intends to include any documentation.
Dan Jones, aka the brain behind the PBM feature in SQL 2008, has provided more explanation in this regard; please see below:
Short answer: this login provides an execution context for server-level DDL triggers and for the activation procedure that consumes the event notifications.
Long answer:
Ultimately our policy evaluation engine context must elevate to SA in a safe and secure way. Why does the context need to be SA? We must ensure the evaluation engine can access all of the metadata on the system. Unfortunately the closest permission is, effectively, SA. I suspect in a future release this will change. No one on the team liked this compromise, but it was that: a compromise. The goal then is to elevate to SA.
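As an added example, not part of the post or Dan Jones's reply, the following T-SQL uses the standard catalog views to check the points above on a live instance: that the login is still disabled, and which server-level DDL triggers and which msdb queue activation procedure run under its context. It assumes sysadmin rights and that the PBM queue lives in msdb.

```sql
-- Added example (not from the post or Dan Jones's reply): inspect how
-- ##MS_PolicyEventProcessingLogin## is wired in, using only standard
-- catalog views. Run as sysadmin; nothing here changes state.
USE msdb;
GO

-- 1. The login itself: confirm it is still disabled (the shipped default).
SELECT sp.name,
       sp.type_desc,
       sp.is_disabled,        -- expect 1; a 0 here is worth a change-control check
       sp.create_date
FROM   sys.server_principals AS sp
WHERE  sp.name = N'##MS_PolicyEventProcessingLogin##';

-- 2. Server-level DDL triggers whose EXECUTE AS context is this login.
--    sys.server_sql_modules.execute_as_principal_id is a server principal id.
SELECT tr.name        AS trigger_name,
       tr.is_disabled AS trigger_disabled,
       sp.name        AS execute_as_login
FROM   sys.server_triggers    AS tr
JOIN   sys.server_sql_modules AS m  ON m.object_id = tr.object_id
JOIN   sys.server_principals  AS sp ON sp.principal_id = m.execute_as_principal_id
WHERE  sp.name = N'##MS_PolicyEventProcessingLogin##';

-- 3. The Service Broker queue whose activation procedure consumes the event
--    notifications. Its EXECUTE AS user is the msdb database user mapped to
--    the login, so match on SID rather than assuming a user name.
SELECT q.name AS queue_name,
       q.activation_procedure,
       q.is_activation_enabled,
       dp.name AS execute_as_user
FROM   sys.service_queues      AS q
JOIN   sys.database_principals AS dp ON dp.principal_id = q.execute_as_principal_id
JOIN   sys.server_principals   AS sp ON sp.sid = dp.sid
WHERE  sp.name = N'##MS_PolicyEventProcessingLogin##';
```

A disabled login can still be the target of EXECUTE AS, which is why the trigger and the queue can run under it while nobody can connect as it; is_disabled = 1 is therefore the expected steady state, not a misconfiguration.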
In the next blog post on PBM I will explain more about the ##MS_PolicySigningCertificate## login; please keep watching this space.