
Re: SQL commands in Kaseya Procedures (msg+++SQLCMD)


Hi all. This is a follow-up to my post from last week. In version 6.3, Kaseya will roll out a new technique to give procedures secure database access. The following technique solves the security problems we closed by removing +++sqlcmd support from the procedure editor.

We will designate a directory on the VSA server itself to contain an approved list of SQL commands (in XML files) made available to script writers. Anyone with direct access to the VSA server can add/edit these files. Typically this is the master admin, but clearly someone with direct access to the VSA server is trusted. You can put any arbitrary SQL into these files that you like. Each entry in the XML file will contain the raw SQL plus a label. The procedure editor will add a couple of new commands to use these SQL commands in scripts. Script authors will select the SQL command by label and never see the raw SQL. This should make it easy to use since you can clearly state what the SQL is supposed to do rather than depend on users figuring out what the SQL does.

This will be available on both our SaaS hosted VSAs and on-premise VSAs. Each tenant in the SaaS environment gets their own directory so there is no chance of tenant A getting access to data from tenant B. Also, to use this on SaaS you have to submit your SQL to Kaseya since we are the only ones with server access. We will review the SQL to guard against malicious code and then post it to the directory for that tenant.

Several people have asked me for an early look at this new feature. We will be hotfixing this out to all test pilot 6.3 systems so you will all get it at the same time (assuming you are in the test pilot program). I would expect this hotfix to go out in the next couple of weeks.
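
The label-based allow-list described in the post, sketched as an added example (not Kaseya's code and not part of the original post). The XML element and attribute names, the class and function names, and the directory layout are all assumptions made for illustration; the sample file is constructed.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample; <queries>/<query label="..."> is an assumed schema,
# not the format Kaseya ships.
SAMPLE_XML = """<queries>
  <query label="Count open tickets">SELECT COUNT(*) FROM tickets WHERE status = 'open'</query>
  <query label="List agents">SELECT name FROM agents</query>
</queries>"""


class ApprovedSql:
    """Label -> SQL allow-list loaded from a single tenant's directory."""

    def __init__(self, root: Path, tenant: str):
        root = root.resolve()
        tenant_dir = (root / tenant).resolve()
        # The tenant id must name a direct child of the root, so an id such
        # as "../tenantB" or "tenantB/../tenantA" cannot reach another tenant.
        if (tenant_dir.parent != root or tenant_dir.name != tenant
                or not tenant_dir.is_dir()):
            raise ValueError("invalid tenant directory")
        self._by_label = {}
        for xml_file in sorted(tenant_dir.glob("*.xml")):
            for node in ET.parse(xml_file).getroot().iter("query"):
                label = node.get("label", "").strip()
                sql = (node.text or "").strip()
                if not label or not sql:
                    raise ValueError(f"{xml_file.name}: entry needs label and SQL")
                if label in self._by_label:
                    raise ValueError(f"duplicate label: {label}")
                self._by_label[label] = sql

    def labels(self):
        """What the procedure editor would show a script author: labels only."""
        return sorted(self._by_label)

    def resolve(self, label: str) -> str:
        """Server-side lookup; a label that is not on the list is refused."""
        if label not in self._by_label:
            raise PermissionError(f"not an approved SQL command: {label!r}")
        return self._by_label[label]


def build_demo_root() -> Path:
    """Create a throwaway root holding two tenant directories for the demo."""
    root = Path(tempfile.mkdtemp())
    (root / "tenantA").mkdir()
    (root / "tenantB").mkdir()
    (root / "tenantA" / "approved.xml").write_text(SAMPLE_XML)
    return root
```

The script only ever carries a label, so raw SQL typed into a procedure has no path to the database: `resolve()` returns text that was placed in the directory by someone with server access, or raises.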

