ADSM-L

Re: TDP for SQL: does the id absolutely require SA priv?

2005-08-29 09:45:38
Subject: Re: TDP for SQL: does the id absolutely require SA priv?
From: Del Hoobler <hoobler AT US.IBM DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Mon, 29 Aug 2005 09:45:06 -0400
Steve,

Data Protection for SQL requires the SYSADMIN role for the ID that 
runs the backups and restores. This is because Data Protection for SQL 
uses the Microsoft recommended SQL Server Virtual Device Interface (VDI) API 
for performing backup and restore of the SQL Server databases. 

In order to utilize the SQL Server "VDI" API, Microsoft SQL Server requires 
the SYSADMIN role because the VDI API actually shares storage with the 
SQL Server to increase performance. It also requires enough system permissions 
to read and write to the local registry. 

The following is directly from the Microsoft VDI SDK documentation: 

"Security 
 The system objects used to implement the virtual device set are 
 secured with an access control list. This list permits access to 
 all processes running under the account used by the primary client. 
 Access is also permitted to processes running under the account used 
 by Microsoft® SQL Server™, as recorded in the system services 
 configuration. 

 The server connection for SQL Server that is used to issue the 
 BACKUP or RESTORE commands must be logged in with the sysadmin fixed 
 server role. For more information, see Microsoft SQL Server Books 
 Online." 

Thanks,

Del

"ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU> wrote on 08/25/2005 
08:26:02 AM:

> TSM serv = 5.2.2.0
> TSM TDP = 5.2.1.0
> 
> I'll spare you the political details, but our SQL Server admin is claiming
> that NIST standard required him to remove SQL access from the SYSTEM
> account.  We created a specific AD id and have been testing, but he wants to
> not grant this id SA priv, for the same reason.
> 
> What is the minimum amount of priv an id needs to run TDP backups?  The TDP
> doc "seems" to assume SA priv, but is it absolutely required?  The admin
> would be running any restores from the gui under his own id.
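Since the answer above comes down to "the backup login must hold the sysadmin fixed server role", the practical follow-up is to verify that the dedicated backup ID holds it and that nothing else unexpected does. The T-SQL below is an added example, not from the thread or from the TDP product; it assumes a SQL Server 2005 or later catalog (sys.server_principals / sys.server_role_members) and uses the placeholder login name DOMAIN\tdpsql_svc for the dedicated AD account.

```sql
-- Added example (not from the original post). The login name below is a
-- placeholder for the dedicated AD account created for the TDP backups.

-- 1. Does the backup login hold sysadmin?  1 = yes, 0 = no,
--    NULL = login not found (or not a valid login/role name).
SELECT IS_SRVROLEMEMBER('sysadmin', N'DOMAIN\tdpsql_svc')
       AS backup_login_is_sysadmin;

-- 2. Enumerate every member of the sysadmin fixed server role so the
--    list can be reviewed: the dedicated backup login should be there,
--    and any shared or unexpected account is worth a second look.
SELECT m.name        AS member_login,
       m.type_desc   AS login_type,
       m.is_disabled AS is_disabled,
       m.create_date AS created
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- On SQL Server 2000, which lacks the catalog views above, the same
-- membership list comes from the stored procedure:
-- EXEC sp_helpsrvrolemember 'sysadmin';

-- 3. If the dedicated login is missing from the role, add it to that one
--    identity only (rather than re-granting SQL access to SYSTEM or a
--    shared admin account), so the sysadmin grant stays auditable:
-- EXEC sp_addsrvrolemember @loginame = N'DOMAIN\tdpsql_svc',
--                          @rolename = N'sysadmin';
```

Run it as a login that can read the server catalog; the grant statement in step 3 is commented out so the script is read-only unless you deliberately enable it.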
