What permissions does TDP for SQL need to run?

droach

ADSM.ORG Senior Member
Joined
Jan 7, 2008
Messages
239
Reaction score
13
Points
0
Location
Cut and Shoot, Texas
PREDATAR Control23

Our SQL DB's are restricted from folks in the Server Administrators group. To schedule TDP backups we run the TDP scheduler and set it to run under an account that has access to the SQL databases. In addition, we add the SQL account to the server's administrators group. So far, so good. TDP for SQL backups run fine with this configuration.

Now, our security folks want the SQL account removed from the server's administrators group. If I remove the SQL account from the Administrators group the account becomes essentially a User-level account with SQL access and does not have the permissions necessary to run TDPSQLC.exe. The account can no longer access certain TSM/TDP registry keys, it can't start as a service, and it can't update dsmerror.log and dsmsched.log.

I tried throwing the SQL account into the Backup Operators group and that didn't work.

So, my question is...has anyone documented the minimum configuration necessary for running TDP for SQL?
 
PREDATAR Control23

I have not seen that, thanks. Not sure I believe their requirements for running a backup or restore.
Ignoring the SQL requirements, the way I read that last section is that to run the backup EXE's the account either has to be in the Administrators group, or you can disable UAC, or you can disable the Admin Approval Mode. It does not mention that the account needs to be in the Backup Operators security group. But if the account running the backup is not in Backup Operators, and it is not in the Administrators group, I don't think simply manipulating the UAC and Admin approval modes will allow the EXE's to run.

I know the BACLIENT EXE's won't run with just those setting mentioned. I'll have to do some more tests to see if the TDP EXE's will.
 
Top