
What permissions does TDP for SQL need to run?

Discussion in 'TDP/Application Layer Backup' started by droach, Sep 26, 2017.

  1. droach

    droach ADSM.ORG Senior Member

    Our SQL DB's are restricted from folks in the Server Administrators group. To schedule TDP backups we run the TDP scheduler and set it to run under an account that has access to the SQL databases. In addition, we add the SQL account to the server's administrators group. So far, so good. TDP for SQL backups run fine with this configuration.

    Now, our security folks want the SQL account removed from the server's administrators group. If I remove the SQL account from the Administrators group the account becomes essentially a User-level account with SQL access and does not have the permissions necessary to run TDPSQLC.exe. The account can no longer access certain TSM/TDP registry keys, it can't start as a service, and it can't update dsmerror.log and dsmsched.log.

    I tried throwing the SQL account into the Backup Operators group and that didn't work.

    So, my question is...has anyone documented the minimum configuration necessary for running TDP for SQL?
     
  3. LED888

    LED888 ADSM.ORG Moderator

  4. droach

    droach ADSM.ORG Senior Member

    I have not seen that, thanks. Not sure I believe their requirements for running a backup or restore.
    Ignoring the SQL requirements, the way I read that last section is that to run the backup EXE's the account either has to be in the Administrators group, or you can disable UAC, or you can disable the Admin Approval Mode. It does not mention that the account needs to be in the Backup Operators security group. But if the account running the backup is not in Backup Operators, and it is not in the Administrators group, I don't think simply manipulating the UAC and Admin approval modes will allow the EXE's to run.

    I know the BACLIENT EXE's won't run with just those settings mentioned. I'll have to do some more tests to see if the TDP EXE's will.
     
