ADSM-L

Re: TDP for SQL: does the id absolutely require SA priv?

2005-08-29 10:07:27
Subject: Re: TDP for SQL: does the id absolutely require SA priv?
From: Steve Schaub <Steve_Schaub AT BCBST DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Mon, 29 Aug 2005 10:07:05 -0400
Thanks for the definitive answer, Del.
-steve

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of Del Hoobler
Sent: Monday, August 29, 2005 9:45 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Re: [ADSM-L] TDP for SQL: does the id absolutely require SA priv?

Steve,

Data Protection for SQL requires SYSADMIN role for the ID that runs the
backups and restores. This is because Data Protection for SQL uses the
Microsoft recommended SQL Server Virtual Device Interface (VDI) API for
performing backup and restore of the SQL Server databases.

In order to utilize the SQL Server "VDI" API, Microsoft SQL Server requires
the SYSADMIN role because the VDI API actually shares storage with the SQL
Server to increase performance. It also requires enough system permissions
to read and write to the local registry.

The following is directly from the Microsoft VDI SDK documentation:

"Security
The system objects used to implement the virtual device set are secured
with an access control list. This list permits access to all processes
running under the account used by the primary client.
Access is also permitted to processes running under the account used by
Microsoft® SQL Server™, as recorded in the system services configuration.

The server connection for SQL Server that is used to issue the BACKUP or
RESTORE commands must be logged in with the sysadmin fixed server role. For
more information, see Microsoft SQL Server Books Online."

Thanks,

Del

"ADSM: Dist Stor Manager" <ADSM-L AT VM.MARIST DOT EDU> wrote on 08/25/2005
08:26:02 AM:

> TSM serv = 5.2.2.0
> TSM TDP = 5.2.1.0
>
> I'll spare you the political details, but our SQL Server admin is claiming
> that NIST standard required him to remove SQL access from the SYSTEM
> account.  We created a specific AD id and have been testing, but he wants to
> not grant this id SA priv, for the same reason.
>
> What is the minimum amount of priv an id needs to run TDP backups? The TDP
> doc "seems" to assume SA priv, but is it absolutely required?  The
> admin would be running any restores from the gui under his own id.
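Added example, not part of the original thread or of the Data Protection for SQL documentation: a T-SQL pre-flight for the dedicated backup ID discussed above, which grants the sysadmin fixed server role that the VDI documentation requires, verifies it, and lists every other holder of the role for audit. The login name `EXAMPLEDOM\tsmbackup` is a constructed placeholder; the script assumes it is run by an existing sysadmin.

```sql
-- Assumption: EXAMPLEDOM\tsmbackup is a placeholder for the dedicated AD
-- account that runs the Data Protection for SQL backups. Substitute your own.
-- Run this from a connection that already holds the sysadmin role.

-- 1. Allow the Windows account to connect to this SQL Server instance.
EXEC sp_grantlogin @loginame = 'EXAMPLEDOM\tsmbackup';

-- 2. Add the login to the sysadmin fixed server role, which the VDI
--    documentation requires for the connection issuing BACKUP/RESTORE.
EXEC sp_addsrvrolemember @loginame = 'EXAMPLEDOM\tsmbackup',
                         @rolename = 'sysadmin';

-- 3. Verify before scheduling backups.
--    IS_SRVROLEMEMBER returns 1 (member), 0 (not a member),
--    or NULL (role or login name is not valid).
IF IS_SRVROLEMEMBER('sysadmin', 'EXAMPLEDOM\tsmbackup') = 1
    PRINT 'Backup ID holds sysadmin: VDI backup/restore can connect.';
ELSE
    RAISERROR('Backup ID is missing or lacks sysadmin; VDI backups will fail.', 16, 1);

-- 4. Audit: list every login that currently holds sysadmin, so the
--    dedicated backup ID is tracked alongside the other privileged logins.
EXEC sp_helpsrvrolemember @srvrolename = 'sysadmin';
```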