Minimum permission to backup a MS-SQL database using NetBackup
Any bad-developed application is avoiding the permission issues using the most intrusive role.
In a security strategy, the main goal is to assign the minimum necessary roles for each login.
The RDBMS MS-SQL Server allows to maintaing several specific databases in one specific instance, with a correct permission granularity.
To maintain this granularity, SQL Server 2005 splited the system admin role in several less intrusive server roles and db roles.
Now, a backup operator is able to backup a database without accessing to the data of this database. The db_backupoperator database role is only necessary. The list of the databases is available through the public permission in the master..sysdatabases system table.
In the document "Veritas NetBackup™ for Microsoft SQL Server Administrator’s Guide", the permission issue is evasive :
"When the NetBackup scheduler is used, backup operations are launched from a daemon process called the NetBackup Client Service. You must ensure that the Client Service has SQL Server privileges to perform backup and restore operations. If you are using integrated security, then you must ensure that the NetBackup Client Service specifies a Windows account that has been granted SQL Server administrative privileges."
In the technote http://www.symantec.com/docs/TECH43512, you're specifying
"Any logon that requires permissions to perform backup or restore operations should be provided membership in the following SQL Server roles:
Server Role : sysadmin
DB role : db_backupoperator, dbo_owner
Permissions required for performing restore -
Server role : sysadmin, dbcreator
DB role : db_owner"
My question : do you really understand something about the MS-SQL permission ?
Why do you need the sysadmin permission ?
If it's really necessary, why do you need the dbcreator (included in the sysadmin) ? Why the db_backupoperator and the db_owner ?
In fact, only the db role db_backupoperator is necessary, in a MS-SQL point of view.
We experimented some hard failure on production applying the sysadmin permission in the Netbackup Logins (client VaultAdmin) : a modification in the sysusers tables is done, replacing the db_owner database role with and changing the db owner to an non-existent dbo user (technically, the dbo'sysusers.sid was replace on each database from 0x01 to the vaultadmin'sid.)
Did you plan to implement a correct security in a future version of your product ? Did you already provide a patch for this issue ?
Thanks in advance for your answer.
Fadace