What permissions does TDP for SQL need to run?

Discussion in 'TDP/Application Layer Backup' started by droach, Sep 26, 2017.

  1. droach

    droach ADSM.ORG Senior Member

    Joined:
    Jan 7, 2008
    Messages:
    204
    Likes Received:
    4
    Occupation:
    I'm thinking...
    Location:
    Cut and Shoot, Texas
    Our SQL DB's are restricted from folks in the Server Administrators group. To schedule TDP backups we run the TDP scheduler and set it to run under an account that has access to the SQL databases. In addition, we add the SQL account to the server's administrators group. So far, so good. TDP for SQL backups run fine with this configuration.

    Now, our security folks want the SQL account removed from the server's administrators group. If I remove the SQL account from the Administrators group the account becomes essentially a User-level account with SQL access and does not have the permissions necessary to run TDPSQLC.exe. The account can no longer access certain TSM/TDP registry keys, it can't start as a service, and it can't update dsmerror.log and dsmsched.log.

    I tried throwing the SQL account into the Backup Operators group and that didn't work.

    So, my question is...has anyone documented the minimum configuration necessary for running TDP for SQL?
     
  3. LED888

    LED888 ADSM.ORG Moderator

    Joined:
    Oct 15, 2002
    Messages:
    813
    Likes Received:
    63
  4. droach

    droach ADSM.ORG Senior Member

    I have not seen that, thanks. Not sure I believe their requirements for running a backup or restore.
    Ignoring the SQL requirements, the way I read that last section is that to run the backup EXE's the account either has to be in the Administrators group, or you can disable UAC, or you can disable the Admin Approval Mode. It does not mention that the account needs to be in the Backup Operators security group. But if the account running the backup is not in Backup Operators, and it is not in the Administrators group, I don't think simply manipulating the UAC and Admin approval modes will allow the EXE's to run.

    I know the BACLIENT EXE's won't run with just those settings mentioned. I'll have to do some more tests to see if the TDP EXE's will.
     
