SQLBackupRestore.com - Setting up rights

This document explains the rights required by users and the SQL Backup Agent service. Examples in this document refer to individual user accounts, but it is more convenient in large environment to manage permissions by user groups.

Overview

SQL Backup services are carried out by the SQL Backup Agent service. This is a Windows service that is installed when you install the SQL Backup server components.

diagram1

Users or jobs run SQL Backup commands using extended stored procedures. A list of SQL Backup extended stored procedures can be found here.

diagram2

SQL Backup then communicates with SQL Server using the SQL Server Virtual Device Interface (VDI). See this document for details of the interaction between SQL Backup and SQL Server.

diagram3

During backup and restore processes, all data transfers are handled by the SQL Backup Agent service.

diagram4

Permissions and rights

- Users

rights_users

Users need rights to execute the relevant extended stored procedures. E.g.

GRANT EXECUTE ON sqlbackup TO user1

They also need to have rights to backup or restore the databases that they want to work with. E.g.

GRANT BACKUP DATABASE TO user1

Note that users need not have the SQL Server sysadmin fixed server role.

- SQL Backup Agent service

rights_service

All rights related to the SQL Backup Agent service comes from the user account used to start up the service. This user account needs to have the 'Log On As A Service' right in order to be able to start the service.

service_user

The service startup user needs to have the SQL Server sysadmin fixed server role. This is a requirement of the SQL Server VDI library.

sql_admin

The service startup user also needs rights to the relevant network shares if backup files will be stored to/retrived from network shares.

The service startup user also needs to have query rights to the SQL Server service details. If you attempt to perform a backup but it fails with error 1000, with the following error message:

Failed to create virtual device. Check that the SQL Server instance you are trying to connect to is running. Error code: (-2139684857: Failed to recognize the SQL Server instance name.)

you should then check if the SQL Backup Agent service startup user has been denied access rights to the related SQL Server service. You can do this by using the sc command line utility. The sc utility can also be used to grant rights. You can download this utility (DACLReader) to check the current access control entries (ACEs) for a specific SQL Server service. See this document for details.

SQL Backup GUI and command line

The SQL Backup 5 GUI was designed such that the user using it needs to be a SQL Server sysadmin. The SQL Backup 4 GUI does not have this requirement, but does require the user to have rights to the extended stored procedures.

If you use the command line interface (sqlbackupc.exe) to perform backups and restores, the user running the application needs to have the SQL Server sysadmin fixed server role. This is because the command line interface communicates directly with the VDI, and does not use the SQL Backup Agent service.

Document history

12/3/2008

Initial release.