I have several packages deployed to SSIS msdb with protectionlevel=5, which is "Rely on server storage for encryption (ServerStorage). Protects the whole package using SQL Server database roles. This option is supported only when a package is saved to the SQL Server msdb database. It is not supported when a package is saved to the file system from Business Intelligence Development Studio."
http://technet.microsoft.com/en-us/library/ms141747(v=sql.100).aspx
So how does it all work? I am trying to secure our data in sysssispackages.packagedata. i can query the sysssispackages.packagedata and see the ssis package data including the sensitive=1 password data. I am a sysadmin on the box but i am not assigned the roles of db_ssisadmin, db_ssisoperator, and db_ssisltduser as described below. how can i test that others cannot see the data in sysssispackages.packagedata? The packages have the default roles assigned for Reader and Writer.
further found the following
http://technet.microsoft.com/en-us/library/dd440760(v=sql.100).aspx
"the package in the SQL Server msdb database, and set the protection level toRely on server storage and roles for access control. You use the Integration Services Service in SQL Server Management Studio to do this.
Database roles now control read and write access to the package. You need to assign one of the Integration Services fixed database-level roles or assign a user-defined database-level role, to the Reader role of the package. The fixed database-level roles are db_ssisadmin, db_ssisoperator, and db_ssisltduser. In this demonstration, we’ll assign the db_ssisadmin to the package.
If you assign a fixed database-level role to the package, the user account that calls the package from the job step must be a member of that role. If you assign a user-defined role to the package, the user account must be a member of one of the fixed database-level roles and a member of the user-defined role. '"