cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Minimum Server Rights for a backup user?

Former Member

on ‎09-16-2009 11:59 AM

0 Kudos

As topic, which are the minimum requirements under Server Rights for a DBM Operator that will be used for doing backups and recovery?

Scenario 2 on this link looks helpful, http://maxdb.sap.com/doc/7_7/44/eb1670b6f0108ee10000000a11466f/content.htm, but SERVERRIGHTS=Backup,Recovery,ParamCheckWrite,Scheduling seems to be insufficient.

Please advice.

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

lbreddemann
Active Contributor
‎09-16-2009 1:41 PM
0 Kudos

>SERVERRIGHTS=Backup,Recovery,ParamCheckWrite,Scheduling seems to be insufficient.

How so ?

dbmcli -d db770 -u control,control
dbmcli on db770>user_create backdba,backdba
OK

---
dbmcli on db770>user_put backdba serverrights=+BACKUP,+RECOVERY
OK

---
dbmcli on db770>user_logon backdba,backdba
OK

---
dbmcli on db770>medium_getall
OK
db770full       C:\sapdb\backup\db770full       FILE    DATA    0       8       YES     NO          20080128154830
20080128154830          NONE    0
db770log        C:\sapdb\backup\db770log        FILE    AUTO    0       8       NO      NO          20080128154846
20080128154846          NONE    0
db770log_ADSM   \\.\pipe\DB770_log      PIPE    LOG     0       8       NO      NO              20080619183107  20080619
183107          TSM     0


---
dbmcli on db770>db_connect
OK

---
dbmcli on db770>backup_start db770full data
OK
Returncode              0
Date                    20090916
Time                    00143911
Server                  *********************************
Database                DB770
Kernel Version          Kernel    7.7.06   Build 009-123-202-944
Pages Transferred       6560
Pages Left              0
Volumes                 1
Medianame               db770full
Location                C:\sapdb\backup\db770full
Errortext
Label                   DAT_000000027
Is Consistent           true
First LOG Page          24668
Last LOG Page
DB Stamp 1 Date         20090916
DB Stamp 1 Time         00143910
DB Stamp 2 Date
DB Stamp 2 Time
Page Count              6540
Devices Used            1
Database ID             *********************************:DB770_20090818_152213
Max Used Data Page      0
Converter Page Count    19

---
dbmcli on db770>

Works for me...

regards,

Lars

Show replies
Show replies
Former Member
‎09-16-2009 1:44 PM
0 Kudos

Hi Lars,

I´ve created the user and added the Server Rights through Database Manager, would that make any difference in which rights I would give the user?

lbreddemann
Active Contributor
‎09-16-2009 2:28 PM
0 Kudos

I´ve created the user and added the Server Rights through Database Manager, would that make any difference in which rights I would give the user?

Nope.

Any errors you get?

Former Member
‎09-18-2009 9:45 AM
0 Kudos

Yes, I get this error:

-24937,ERR_MISSRIGHT: no server rights for this command

Backup works fine using control-account which has full access.

lbreddemann
Active Contributor
‎09-18-2009 9:47 AM
0 Kudos

Would you mind to provide the full set of commands you used?

Just like I did it would be fine.

Former Member
‎09-18-2009 10:43 AM
0 Kudos

Lars, thanks for quick replies. I really appreciate it.

Since we are running on Windows I´ve posted some screenshots:

Server logs

Server Rights 1

Server Rights 2

lbreddemann
Active Contributor
‎09-18-2009 11:04 AM
0 Kudos

Now finally we get closer to your issue.

You don't have problems taking backups with the reduced serverrights I demonstrated.

What you do have are problems with using DBMGUI with the reduced serverrights.

This is something completely different.

The GUI tools use a lot of features that aren't exactly necessary just to run a backup (as I showed it).

Therfore you've to provide much more permissions to make it work via DBMGUI or BACKUP Wizard:

dbmcli on db770>user_getrights backdba serverrights
OK
DBInfoRead              +       Request status data
SystemCmd               -       Execute operating system commands
ExecLoad                -       Execute the LOAD program
UserMgm                 -       User management
DBFileRead              -       Database file access (read only)
Backup                  +       Saving backups
InstallMgm              +       Installation management
LoadSysTab              +       Load the system tables
ParamCheckWrite         +       Parameter access (checked write)
ParamFull               +       Parameter access (read and write)
ParamRead               +       Parameter access (read only)
DBStart                 +       Start database instance
DBStop                  -       Stop database instance
Recovery                +       Restoring backups
AccessSQL               +       Access to SQL session
AccessUtility           +       Access to utility session
SharedMemoryMgm         -       Shared memory management
SchedulerMgm            +       Scheduler management
Scheduling              -       Scheduler use
EvtDispMgm              +       Event Dispatcher management
EvtDisp                 -       Event Dispatcher use

However, I don't see the point here.

What's wrong for a database backup admin to run the dbmcli command?

He shouldn't do anything else, right?

Therfore there's no need to give this dba the full blown DBMGUI access to do everything.

regards,

Lars

Former Member
‎09-18-2009 1:57 PM
0 Kudos

Maybe I´ve been a little bit unclear here. The backups are initiated from a Dataprotector-server, which gives us the errors mentioned above.

lbreddemann
Active Contributor
‎09-19-2009 1:36 PM
0 Kudos

Hello again,

the screenshot you posted the link to shows a permission error caused by "user_getrights" command.

I'd be very surprised to find this being issued by the data protector.

As the dataprotector really shouldn't require the permission set to run the DBMGUI, the few permssions I posted before should definitively be enough.

Maybe you want to check with the dataprotector guys about what exactly they're doing when they trigger backups, e.g. what exact dbm commands they call.

regards,

Lars

BTW:

even if you're on windows you can use the logfiles and the command line interface. It's easier to post in the forum that way.

joe_ledesma
Participant
‎04-29-2016 11:47 PM
0 Kudos

In case anyone finds this old thread in a web search (as I did, for "data protector maxdb rights"), the following minimum permissions have worked for the DBM user configured for the Data Protector integration:

(In dbmcli)



user_put user SERVERRIGHTS=+InstallMgm,+Recovery,+Backup,+ParamCheckWrite,+DBInfoRead

Verification:



user_getrights user SERVERRIGHTS

Expected output with plus '+' signs:



...


InstallMgm              +       Installation management


...


Recovery                +       Restoring backups


Backup                  +       Saving backups


...


ParamCheckWrite         +       Parameter access (checked write)


...


DBInfoRead              +       Request status data


...

Suggested user:


DATAPROTECTOR


(It is long, but you will not be typing it in interactively but instead can copy and paste it into the Data Protector integration, and using a longer name since not aware of a way to add a comment or description for a DBM user.)



With the above rights minus DBInfoRead, the following error was encountered by Data Protector:


-24937,ERR_MISSRIGHT: No permission for DBM command user_getrights


(As of this post, the Data Protector 9.06 Integration Guide documented the other rights as necessary but did not mention DBInfoRead. I have sent documentation feedback to HPE.)


Tested environment:


Data Protector 9.05

MaxDB 7.9

HP-UX 11.31





Ask a Question