SQL Backup - 7.2
Security model - SQL Backup
This topic explains the permissions required to use SQL Backup.
Using SQL Backup from the graphical user interface
The user connecting to the SQL Backup GUI requires:
- membership of the SQL Server sysadmin fixed server role
- execute permissions on the SQL Backup extended stored procedure, sqlbackup
- for the compression analyzer, execute permissions on sqbtest, sqbtestcancel and sqbteststatus extended stored procedures
The SQL Backup Agent service is a Windows service which is used to perform the SQL Backup backup and restore operations through the graphical user interface or the extended stored procedure. The user account used to log on to the SQL Backup Agent service (the startup account) and connect to the SQL Server requires:
- 'log on as a service' rights in order to start the service
- membership of the SQL Server sysadmin fixed server role
- access to any network locations that will be backed up or copied to, or restored from
- access to the following folders:
- the Red Gate licensing registry folder HKEY_LOCAL_MACHINE\SOFTWARE\Red Gate\Licensing\SQL Backup or HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Red Gate\Licensing\SQL Backup (for 64-bit machines)
- the Red Gate licenses folder C:\ProgramData\Red Gate\Licenses (for Windows Server 2008, Windows Server 2008 R2, Windows Vista and Windows 7) or C:\Documents and settings\All users\Application Data\Red Gate\Licenses (for Windows Server 2003 and Windows XP)
- the SQL Backup local data store C:\ProgramData\Red Gate\SQL Backup\Data (for Windows Server 2008, Windows Server 2008 R2, Windows Vista and Windows 7) or C:\Documents and settings\All users\Application Data\Red Gate\SQL Backup\Data (for Windows Server 2003 and Windows XP)
- the SQL Backup logs folder C:\ProgramData\Red Gate\SQL Backup\Log (for Windows Server 2008, Windows Server 2008 R2, Windows Vista and Windows 7) or C:\Documents and settings\All users\Application Data\Red Gate\SQL Backup\Log (for Windows Server 2003 and Windows XP)
You specify the startup account for the SQL Backup Agent service (the account the service will run as) when you install the server components on a SQL Server instance. By default, the SQL Backup Agent service connects to the SQL Server instance using the Windows authentication of the startup account. If required, you can specify that the SQL Backup Agent service should use SQL Server authentication to connect to the SQL Server instance instead. The SQL Server authenticated account must also be a member of the SQL Server sysadmin fixed server role.
You can change the authentication mode the startup account uses to connect to the SQL Server instance at a later date by using the sqbsetlogin extended stored procedure:
- Add the sqbsetlogin stored procedure from the SQL Backup extended stored procedure dynamic link library (xp_sqlbackup.dll).
- Provide the user name and password to specify SQL Server authentication.
- You are recommended to remove the sqbsetlogin stored procedure when you have finished using it.
EXECUTE master..sp_addextendedproc sqbsetlogin, 'xp_sqlbackup.dll'
EXECUTE master..sqbsetlogin 'sa', 'sqbpassword'
EXECUTE master..sp_dropextendedproc sqbsetlogin
To revert to Windows authentication, call sqbsetlogin with blank values:
EXECUTE master..sqbsetlogin '', ''
If you encounter errors related to permissions and access rights, ensure that the startup account for the SQL Backup Agent service application has been granted the necessary permissions.
Using SQL Backup from the extended stored procedure
The user running the extended stored procedure requires:
- permission to back up, restore and drop databases
- to back up databases, the user must be a member of the db_backupoperator fixed database role, or you can use the GRANT BACKUP DATABASE command to grant the permission
- to restore or drop databases, the user must be a member of the db_owner fixed database role or the dbcreator fixed server role, or you can use the GRANT CREATE DATABASE command to grant the permission
- execute permissions on the SQL Backup extended stored procedure, sqlbackup
- for the compression analyzer, execute permissions on sqbtest, sqbtestcancel and sqbteststatus extended stored procedures
The SQL Backup Agent service is used to perform backup and restore operations through the graphical user interface or the extended stored procedure. The user account used to log on to the SQL Backup Agent service (the startup account) and connect to the SQL Server requires:
- 'log on as a service' rights in order to start the service
- membership of the SQL Server sysadmin fixed server role
- access to any network locations that will be backed up or copied to, or restored from
- access to the following folders:
- the Red Gate licensing registry folder HKEY_LOCAL_MACHINE\SOFTWARE\Red Gate\Licensing\SQL Backup or HKEY_LOCAL_MACHINE\SOFTWARE\\WOW6432NodeRed Gate\Licensing\SQL Backup (for 64-bit machines)
- the Red Gate licenses folder C:\ProgramData\Red Gate\Licenses (for Windows Server 2008, Windows Server 2008 R2, Windows Vista and Windows 7) or C:\Documents and settings\All users\Application Data\Red Gate\Licenses (for Windows Server 2003 and Windows XP)
- the SQL Backup local data store C:\ProgramData\Red Gate\SQL Backup\Data (for Windows Server 2008, Windows Server 2008 R2, Windows Vista and Windows 7) or C:\Documents and settings\All users\Application Data\Red Gate\SQL Backup\Data (for Windows Server 2003 and Windows XP)
- the SQL Backup logs folder C:\ProgramData\Red Gate\SQL Backup\Log (for Windows Server 2008, Windows Server 2008 R2, Windows Vista and Windows 7) or C:\Documents and settings\All users\Application Data\Red Gate\SQL Backup\Log (for Windows Server 2003 and Windows XP)
You specify the startup account for the SQL Backup Agent service (the account the service will run as) when you install the server components on a SQL Server instance. By default, the SQL Backup Agent service connects to the SQL Server instance using the Windows authentication of the startup account. If required, you can specify that the SQL Backup Agent service should use SQL Server authentication to connect to the SQL Server instance instead. The SQL Server authenticated account must also be a member of the SQL Server sysadmin fixed server role.
You can change the authentication mode the startup account uses to connect to the SQL Server instance at a later date by using the sqbsetlogin extended stored procedure:
- Add the sqbsetlogin stored procedure from the SQL Backup extended stored procedure dynamic link library (xp_sqlbackup.dll).
- Provide the user name and password to specify SQL Server authentication.
- You are recommended to remove the sqbsetlogin stored procedure when you have finished using it.
EXECUTE master..sp_addextendedproc sqbsetlogin, 'xp_sqlbackup.dll'
EXECUTE master..sqbsetlogin 'sa', 'sqbpassword'
EXECUTE master..sp_dropextendedproc sqbsetlogin
To revert to Windows authentication, call sqbsetlogin with blank values:
EXECUTE master..sqbsetlogin '', ''
If you encounter errors related to permissions and access rights, ensure that the startup account for the SQL Backup Agent service application has been granted the necessary permissions.
Using SQL Backup from the command line
The SQL Backup command line program communicates with SQL Server directly; it does not use the SQL Backup Agent service application. To run SQLBackupC.exe, the user must have the SQL Server sysadmin fixed role.
Using a different security model
You may want to use a different security model, for example if you want to back up locally but copy the backup to a locked down network share. The following procedure assumes that you are working in a single domain.
- Create domain account with minimal permissions.
Add the domain account to a security group on the Windows server on which the SQL Server is installed; the security group must have sufficient permissions to run as a service.
- Create a SQL Server authenticated account that has the ability to back up and restore databases.
To do this, add the account to the sysadmin or db_backupoperator fixed role, or if you are using SQL Server 2005, 2008 or 2012, you can use the GRANT BACKUP command.
- When you install the SQL Backup server components on the SQL Server:
- For the SQL Backup Agent Service credentials, select This account and enter the domain account you created in step 1.
- For the SQL Server credentials, select SQL Server authentication, and specify the credentials for the SQL Server authenticated account you created.
- Create the folder on the local server in which you want to create the backups, and a folder on a network share to which you want to copy the backup files.
- Confirm that the permissions on both folders are set such that the domain user you created in step 1 can access and write to them.
To check that all the accounts have the appropriate permission, use the graphical user interface to create a backup job that backs up to a local folder and copies the backup to a network share.
You could also run the following query to ensure that the domain account has sufficient permissions on the network share:
EXECUTE master..sqbutility 999, 'RWE', '\\testsrv\backup'
If this is successful and the SQL Backup Agent service has read (R), write (W), and execute (E) permissions, the query will return:
<SQBUTILITYRESULT>:1:
If there is a problem, the query will return a value of 0, followed by a message, for example:
<SQBUTILITYRESULT>:0:Folder does not exist : \\testsrv\backup
If the SQL Server and the network share server do not participate in the same Windows domain, you can use matching Windows local user names and passwords on each server to perform the same task. This practice is commonly known as 'matching accounts'.
See also |
Was this article helpful?
Installing or upgrading SQL BackupSecurity model
Activating SQL Backup
Registering SQL Servers with SQL BackupExploring the graphical user interfaceBacking up and restoringTools and utilitiesSettings and optionsScripting SQL BackupWorking with SQL BackupError code reference
Acknowledgements
SQL Backup
- Backups stop working when the SQL account passwords are changed
- Backups and restores taking longer each time they run
- Improving performance by leveraging multi-processor hardware
- Checking the status of a backup or restore
- SQL Backup Agent doesn't start on named instance
- No backup files are erased when the verify option is also used
- Log shipping initialisation failing with error 3176
- Installing SQL Backup unattended
- Issues faced when upgrading an MSCS cluster server
- Cannot schedule log shipping on case-sensitive servers
- Activation fails because response does not match registration properties
- SQL error -1 on backup with 64-bit
- Could not find procedure 'master...sqbutility'
- 'Does not exist' error manually creating a generic service resource
- Backing up log shipping standby databases
- Stopping a backup or restore whilst in progress
- Backing up full-text catalogs using SQL Backup
- Cannot resolve collation conflict
- Microsoft cluster installation (version 4)
- Informing the SQL Agent of job failures
- Database log files may continue to grow even though transaction logs are backed up
- Cannot load xp_sqlbackup.dll
- Minimum Windows Rights Required for SQL Backup Agent
- Bringing a log shipping standby database online
- Console does not support editing the command you selected
- Malformed database disk image error
- Cannot use a local account to run SQL Backup Agent on cluster
- Preparing SQL Servers for remote installation
- SQL error 18210 and VDI error 1010
- Log shipping jobs not deleting old .sqb files
- Scheduled backups may not include new databases
- VDI error 1010 due to an abort request
- Cannot save or see backup templates
- Not all databases appear in the log shipping wizard
- No mapping between account names and security IDs was done
- SQL error 3101 (database is in use) during log shipping
- Insufficient quota to complete the requested service
- Configuring SQL Server procedure memory
- Backing up and restoring on SQL Server Express Edition
- Cannot run two database backups at the same time
- Restoring database backups across a local network
- In some situations the last compressed data block fails to be written to disk
- Configuring permissions for the SQL Backup Agent service
- Restoring backups from one server to a second server using the user interface
- Using SQL Backup tags to automate backup file naming
- VDI 1010 Error
- SQL Backup 5 cannot connect to servers running SQL Backup 4.0
- Files are created when NOWRITE or NOCOMPRESSWRITE is used in conjunction with multiple threads
- Cannot backup a database when full-text catalogs are not online
- Moving a full-text catalog on RESTORE
- Preventing backups over the network from timing out
- Deleting backup history manually
- SQL Backup installation from SQL Toolbelt installer only installs the console
- Console taking a long time to start up
- Reporting across multiple servers, login fails for user NT AUTHORITY\ANONYMOUS LOGON
- SQL Backup Agent cannot start due to account lookup error
- IO Error on backup or restore restart-checkpoint file
- Unable to edit SQL Backup Scheduled Jobs via the Jobs Tab in the SQL Backup GUI (version 5)
- VDI error 1000 caused by improperly installed VDI interface
- VDI Error 1000 caused by account lookup failure
- VDI error 1000 caused by insufficient permissions
- Error 193: %1 is not a valid Win32 application.
- Installing SQL Backup on a cluster
- Restoring the SQL Server MASTER database
- VDI Error 1010: Failed to get the configuration from the server because the timeout interval has elapsed
- Changing the default data location used by SQL Backup
- Index was outside the bounds of the array error during registration
- Repairing the SQL Backup server-side data store
- Troubleshooting slow backup and restore tasks
- Completed backup jobs showing "in progress" status (version 5)
- Restore wizard: files incorrectly labeled 'Missing' when browsing for a backup file to restore.
- When creating a backup job using the wizards some of the user databases may not be listed
- How to restore a filegroup
- System error 1453 while backing up (Insufficient quota to complete the requested service)
- SQL Backup VDI 1030: Failed to create VirtualServiceSet component
- Backups fail on named instances on custom ports
- SQL error 3101 (database is in use) during full database restore
- Error acquiring mutex occurring during use
- Transaction log continually growing on disaster recovery database
- Reseeding a disaster recovery database
- SMTP mail options not being saved
- SQL Backup Activation NullReferenceException Error
- Scheduling SQL Backup restore jobs
- SQL Backup Error 880: permission denied in database
- Deleting remote backup files after a specified time period (version 5)
- SQL Backup Unable to Login to Perform Backup or Restore
- Restore operation errors with exitcode 680
- "Failed to initialize local data store" error
- Trouble browsing network shares when backing up or restoring
- System error 32 (The process cannot access the file because it is being used by another process)
- Log backup failing because there is no current database backup
- Error locating server or instance of SQL Server
- How to set up log shipping between machines on different domains
- SQL Backup and CPU affinity
- SQL Backup mirrored backups
- Error trying to run backup job
- "Access to the database file is not allowed" error
- The server principal NT AUTHORITY\SYSTEM is not able to access the database
- Browsing while using SQL Server authentication is disabled on the selected server
- Cannot generate SSPI context message
- Log ship to multiple servers
- File browser does not work for remote servers
- Configuring Log Shipping to two Target Databases
- Previous backups not deleted according to ERASEFILES setting
- SQL Backup Reporting fails after upgrading to Version 6 from Version 5 for Multiple
- VDI error 1010 error on log backup when no backup is available
- SQL Backup failed with exit code: 1010 SQL error code: 3101 [SQLSTATE 42000] (Error 50000). The step failed.
- Log backup for a database failing to get copied to the log shipping share
- Mirrorfile backup jobs producing corrupt files
- Activity monitor showing sqlbackup status as wait type MSQL_XP
- Backup and restore processes using high percentage of CPU resources
- Warning 485: File does not exist encountered during a restore (but the process completes successfully)
- Log Shipping error 130 when moving restored file
- SQL Backup "Warning 110" generated
- Attempting to restore data into a SQL Express database that exceeds limit
- SQL error 3241 when restoring database
- A nonrecoverable I/O error encountered on Backup or restore operation
- SQL error 15404
- General log-in problem: Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection.
- Warning: System error 1450 when Backing up
- Problems with "Auto-Close" option set when backing up
- Warning: System error 64 (The specified network name is no longer available) on backing up across a network
- SQL error 4208 encountered on backing up
- Warning 170: "Log files are not in sequence" - on log shipping (restore) operation
- Warning: System error 121 (The semaphore timeout period has expired)
- Changing your participation in the quality improvement program
- Installing SQL Backup server components unattended
- Changing your participation in the quality improvement program
- Verifying backups of the master database
- Log files
all SQL products
- Compatibility of Red Gate tools in 64-bit environments
- Application has encountered an error and needs to close
- Error message after installing SQL Toolbelt - The description for Event ID ( 1 ) in Source ( nview_info ) cannot be found.
- Changing the temporary directory used by the installer
- Toolbelt Installer "hanging" while "scanning volumes"
- Login failing with "trusted SQL Server connection" error when using RunAs
all products
- Some Red Gate products identified as containing a trojan by Anti-Virus software
- Activation may fail with Unknown Error -1
- Product uses web help although a CHM file is available locally
- Argument exception resulting from missing environment variable
- Check for updates may fail when used through proxies
- 'Unidentified Publisher' error when repairing or uninstalling
- Licensing activates product as standard edition
- Moving Red Gate software products to another machine
- Red Gate tools log locations
- The application UI opening slowly when there is no internet access
SQL Backup
- Getting help offline
- Using SQL Backup to back up to a network share
- Manually installing SQL Backup server components on clusters (Windows Server 2003)
- Manually installing SQL Backup server components on clusters (Windows Server 2008)
- Using SQL Backup log shipping to maintain a standby server
- SQL Backup release notes - version 6.xx
- SQL Backup release notes - version 7.xx
- Working with the new features in SQL Backup 6
- Using flexible licensing with SQL Backup Pro and SQL HyperBac
- Using SQL Backup Pro and SQL HyperBac together on the same server
all SQL products
all products
- Red Gate product acknowledgements
- Activating your products
- Activating your products
- Red Gate bundle history
- Check for updates
- Troubleshooting Check for Updates errors
- Current versions
- Deactivating your products
- Installing Red Gate products from the .msi file
- Requesting additional activations
- Serial numbers for bundles
- Reactivating using a different serial number
- Extending your trial
- Finding your serial numbers
- Moving a serial number from one computer to another
- No response received for manual activation
- Licensing and activation resources
- Licensing and activation resources
- Troubleshooting licensing and activation errors
- Licensing and activation FAQs
- Red Gate tools log file locations
- Download old versions of products
- Download product prerequisites & utilities
- Support & upgrades
- Upgrading your software
- Upgrading FAQs
