Restricted Backup role

Hi all
I am new to MSSQL, so please be patient if my question sounds trivial :-)
We have an instance of MSSQL for development and the people normally do frequent backup/restore of databases (i.e. for upgrade of customer's production DBs, restore of production databases, etc.) via the "sa" login. Note that we don't have a dedicated DBA and we would like to avoid dedicating a resource only for these trivial tasks.
Now we would like to restrict such security policy, like:
- Remove DBA permissions from all users
- Grant all users a specific role to backup/restore databases ONLY remotely (i.e. to/from \\192.168.xxx.xxx\mySharedFolder)
- Restore only to the database where the user is dbOwner
Would this be possible just by using security restrictions (not with stored procedures)? How?
I had a quick look at the Media sets config, but I couldn't figure out how to restrict only to remote locations, and the db_backupoperator doesn't seem to be configurable. Also the CREATE DATABASE permission is way too strong as we don't want a user to be able to restore to any database, but only to his own.
Thank you!

Hello,
I just tried out the below on SQL Server 2012, where I created a procedure which did backup on local disks. I created a login and a user, mapped it to a database, and gave the user DB datareader and BACKUP DATABASE permission.
Procedure to backup database:
USE [Database_Name]
GO
/****** Object: StoredProcedure [dbo].[BackupDatabase_Proc] Script Date: 10-10-2014 21:29:00 ******/
-- Drop the procedure only if it already exists, so the script also runs the first time
IF OBJECT_ID(N'[dbo].[BackupDatabase_Proc]', N'P') IS NOT NULL
    DROP PROCEDURE [dbo].[BackupDatabase_Proc]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE PROCEDURE [dbo].[BackupDatabase_Proc]
    @Dbname sysname,            -- database to back up (char(20) padded and truncated names)
    @Location nvarchar(260)     -- full path of the backup file (varchar(20) truncated most paths)
AS
BEGIN
    -- BACKUP accepts variables for the database name and the device, so no
    -- dynamic SQL is needed and the parameters cannot change the statement
    BACKUP DATABASE @Dbname TO DISK = @Location WITH INIT
END
GO
After this I created a login and then a user with the same name and gave it data reader for the database for which I need to take a backup.
USE DATABASE_NAME
GO
-- The password below is a placeholder; replace it with a strong one
CREATE LOGIN backupLogin WITH PASSWORD=N'backup', DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english],
CHECK_EXPIRATION=OFF, CHECK_POLICY=ON
GO
CREATE USER BACKUPLOGINUSER FOR LOGIN [backupLogin] WITH DEFAULT_SCHEMA=[dbo]
GO
ALTER ROLE DB_DATAREADER ADD MEMBER BACKUPLOGINUSER
GO
After that I granted execute permission on the procedure to the user.
GRANT EXECUTE ON BACKUPDATABASE_PROC TO BACKUPLOGINUSER
GO
GRANT BACKUP DATABASE TO BACKUPLOGINUSER
GO
Well, with the above the user has data reader privilege and can run the procedure to take a backup. Is this what you are looking for?
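A variant of the procedure in the reply above that pins the backup destination to one share, as an added example that is not part of the original reply. With GRANT BACKUP DATABASE the user can still run BACKUP directly to any path, so here the caller gets only EXECUTE and the procedure runs as the database owner. Assumptions: \\fileserver\sqlbackups is a placeholder share writable by the SQL Server service account, the database owner maps to a valid login, and BackupToShare_Proc and BackupCallers are hypothetical names.

```sql
USE [Database_Name];
GO
CREATE PROCEDURE dbo.BackupToShare_Proc
    @FileName nvarchar(64)            -- file name stem only, never a path
WITH EXECUTE AS OWNER                 -- BACKUP runs as the database owner, not as the caller
AS
BEGIN
    SET NOCOUNT ON;

    -- Fixed destination (placeholder share): the caller cannot choose the directory.
    DECLARE @Root nvarchar(200) = N'\\fileserver\sqlbackups\';

    -- Accept only letters, digits and underscore, which rules out path
    -- separators, dots, drive letters and quotes.
    IF @FileName IS NULL OR @FileName = N''
       OR @FileName LIKE N'%[^A-Za-z0-9_]%'
    BEGIN
        RAISERROR(N'Invalid backup file name.', 16, 1);
        RETURN;
    END;

    -- The procedure only ever backs up the database it lives in.
    DECLARE @DbName sysname = DB_NAME();
    DECLARE @Target nvarchar(400) = @Root + @DbName + N'_' + @FileName + N'.bak';

    BACKUP DATABASE @DbName TO DISK = @Target WITH INIT;
END;
GO

-- Callers get EXECUTE through a role and nothing else.
CREATE ROLE BackupCallers;
GO
GRANT EXECUTE ON dbo.BackupToShare_Proc TO BackupCallers;
GO
ALTER ROLE BackupCallers ADD MEMBER BACKUPLOGINUSER;
GO
-- Take back the direct permission from the reply above, otherwise the user
-- can bypass the procedure and back up to any location.
REVOKE BACKUP DATABASE FROM BACKUPLOGINUSER;
GO

-- Usage: writes \\fileserver\sqlbackups\<database>_nightly.bak
EXEC dbo.BackupToShare_Proc @FileName = N'nightly';
```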

Similar Messages

  • How to restrict selected Role under a Role???

    Hi Friends,
    I have 3 roles, which are Role-1, Role-2, Role-3.
    Role-2 & Role-3 are Under/Part of Role-1.
    Now, I have assigned Role-1 to a user. By doing this, when he logs in he is able to see Role-2 and Role-3 also, even though we haven't assigned Role-2 & 3.
    Now my question is, how to restrict a role under a role. For example, I don't want to show Role-3.
    When I checked the user roles assigned, I see only Role-1 but not the 2 other roles.
    Could anyone advise on how to make unwanted role in role. Assuming no one is going to be assigned Role-2 & Role-3 directly. They got assigned only Role-1.
    Thanks for your time!!
    Thanks,
    Raghavendra.P

    Hi Praveen,
    Thanks for the important/useful information. What I really don't understand is, in spite of giving the properties to each role/workset, how do we call the appropriate one under the role. For example:
    If we have Role-2 with property dept=sd,
    and Role-3 with property dept=xi, etc.
    Now I have Role-1, within which I have Role-2 and Role-3.
    Now, if I want to see only roles with dept=xi then where should I mention it and what should I mention.
    I understood up to creating the properties, assigning the properties to roles/worksets, and giving values to properties.
    The only thing I don't understand is how to activate the one we want in the scenario.
    Thanks for your time..!!!
    Thanks,
    Raghavendra Pothula

  • Restriction in roles

    Hello Gurus,
    I am working on an SLO project. There are 5 systems and all need to be merged.
    Each and every system has its respective roles. Now I need to bring all roles into the target system and restrict the roles with respect to their system.
    I am trying to restrict the roles with the organisational levels present.
    Is there any more restriction that needs to be done?
    please provide some inputs.
    Thanks,
    Sanketh.

    Hi Sanketh
    If that is your remit then it looks like your project management have not scoped the activity properly and they have left you to pick up the pieces.
    It sounds like you are doing the right thing for the custom developments, though you will end up with additional work with the * in the org levels.
    If you need to restrict each role set to only be able to see its own data:
    1. Get the project to deliver you an organisational matrix listing all the org level elements that belong to each company.  You can get the org levels from table USORG.  insist that this is provided as one of their deliverables and provided ASAP.
    2. ID all the org levels that are not relevant and you can keep a * in
    3. Using the org level matrix you can now start to work on the roles to make sure that the roles only contain the org data for that company.  If company x has a certain list of company codes then you need to maintain all those
    4. Remove access to view tables & directly execute programs
    5. Remove access to SQ00 or SQ01
    Are you responsible for maintaining this after go-live?  If so then you really need to start to assess that the roles support the functional scope of the to-be systems.  Get the updated roles included in the cutover testing so that you can get validation that you have done what was asked and it tested OK before they are deployed into live.
    I can't send any docs as previous work is either covered under client confidentiality arrangements or is our intellectual capital.  I am more than happy to provide feedback on here though.
    Good luck!

  • Restrict the role of User Administrator

    Hello all,
    I need to know if it is possible to restrict the role of a User Administrator to assign only a specific set of roles to the end user.
    For example : The user administrator should be able to assign only say Managers, Employees Roles to the Users and not any other roles like Super Administrators etc.
    If so, how can we achieve that?
    Regards
    Avik

    There is an authorization object (combined with a parameter) that does this restriction:
    S_SPO_PAGE
    Definition
    Using authorization object S_SPO_PAGE, you can restrict the maximum number of pages of a request that can be printed on a particular printer.
    This authorization check is only active if profile parameter rspo/auth/pagelimit is set to 1.
    Defined fields
    SPODEVICE       Device name for which the restriction is to apply.
    SPOPAGES        Maximum number of pages allowed; enter a range (0 to n) here

  • Oim 11g r2: data access restriction using roles instead of organisations

    Can I implement data access restriction using roles instead of organisations in OIM 11g R2?

    In my use case a particular user can be a member of more than one organisation. As far as I know OIM does not support this use case using organisations, so I decided to use roles to represent my "organizations", but now I lose all the data access restrictions (scope).

  • Internet Restriction of Role or Workset in Portal

    Hello SDN'ers
    I have a requirement of restricting one role to the users who are accessing our company portal thru internet...
    How should i go about it....
    Please Help..
    Thanks n Regards...

    Hello Saxena,
    You could have a different desktop for the users accessing your portal
    through internet (probably the easiest way is by configuring a portal rule
    based on User or URL Alias) and within that desktop filter/restrict the role
    in question.
    More details on how to do this:
    - Step 1 - Portal display rules for determining which portal desktop
    http://help.sap.com/saphelp_nw04/helpdata/en/4b/29cf122f414721964269e1b675d62c/frameset.htm
    - Step 2 - Filtering the role
    http://help.sap.com/saphelp_nw70/helpdata/EN/5e/e855a35455458aa4df21a4339722c7/frameset.htm
    good luck!
    Rafael

  • Creating Restricted Helpdesk Role

    I am trying to create a helpdesk role in the portal that will only allow the helpdesk to reset password and unlock an id.
    I am almost there. I created a new role then linked the sap provided workset "delegated user Administration".
    I then removed all except search, previous search results, and locked users.
    The problem is, the results pages still have a delete button, copy to new, and the edit page allows the helpdesk to edit all of the user's info.
    How can I remove unwanted buttons? And when in the edit screen they click the pencil (we don't use the automatic password reset) to reassign a new password, all of the user fields are displayed. How can I edit that page to only provide the password fields?
    Thanks.
    Nicole

    Hi Nicole,
    See How to restrict UME-Action-rights to reset password an unlock user ? - discussed there are the possibilities to define a permission set for UME actions. Maybe that would be the best solution, as you could/should use the standard UIs for your concerns. The alternative I suggested was based on the "old" UserAdmin user interfaces (not WD). A third way would be to develop a small application for your needs - as this is not very mighty, it shouldn't be a big problem / task...
    Hope it helps
    Detlev

  • Requisition for approval using - Restricted Recruiter role

    Hi,
    We have implemented SAP eRec EHP4. As of EHP3 the restricted recruiter was only able to create a requisition in Draft mode and release the requisition for approval.
    We are using WD on SAP EHP4. We have provided SAP_RCF_RES_RECRUITER_ERC_CI_2 role in R3 to one of the user and Recruiter role on the portal. But when I try to create a requisition and try to release it, it gets released instead of going for approval......
    What have we done wrong.....Is there some other way by which the requisition can be sent for approval in EHP4......
    Thanks

    Hi All,
    In the meantime I was testing the BSP application since I had to give a demo to the client.....Here I could run the workflow, but when I launch the recruiter "approval" page it gives me an error
    BSP Exception: Das Objekt default.htm in der URL /sap/bc/bsp/sap/hrrcf_approval/default.htm?objid=90005527&otype=NB&plvar=01&requestdate=20100723&requestedRsncode=01&requestedstatus=1&requester=Mr%2etesttest&SAPWFCBURL=http%3a%2f%2ftcssol%2ehrservicesonline%2ecom%3a8002%2fsap%2fbc%2fwebflow%2fwshandle ist nicht gültig.
    I saw through SE80 there is no page like default.htm how do I resolve this, is this also connected with upgrading our SP level?
    Thanks
    Subbu

  • CUP question - Possible to restrict available roles based on the requester?

    Hello all,
    One of our customers wants to put restrictions on the access requester in the CUP module: meaning that some requesters should only be able to request roles assigned to functional area 'Procurement', while other requesters should only be able to request roles that are assigned to all functional areas except for 'Procurement'.
    Do you know if this is possible or do you see an alternative solution?
    Thanks in advance,

    There is no real way to restrict people from doing that, but you could use the business process in role attributes to ensure that, if they select the correct business process, only roles listed under a particular business process are listed when being searched.
    You could make the business process field mandatory on the main screen and then that gets carried over when searching for roles; obviously that can always be changed by the user.
    regards,
    Chinmaya

  • Restrict Moving roles with user assignment

    Hi There,
    Need your help...
    How to restrict moving roles from dev->QA with user assignment. (want to disable the user assignment restriction)
    Thanks and Regards,
    Gnanaprakasam

    Unfortunately this is not the default installation setting, so you need to go into the security settings customizing and change the USER_REL_IMPORT switch to 'NO'.
    This does however NOT make the checkbox disappear in the transport source system. It prevents the import in the target... so you must set it and transport it there first, then it works.
    Cheers,
    Julius

  • Any ideas on restricting userID Role Assigment within the SAP Security Team

    Hello,
    I have gotten a request to look into restriction of assignment of roles to oneself within the company SAP Security Team. Thoughts I have come up with so far involve the use of UserID User Groups, Role Assignment Ranges, and forcing all role assignments for all userIDs through GRC-AC CUP for QA and Prod. Has anyone come up with a workable solution that is outside of these suggestions that they have put into practice?
    Thanks in advance for your help!
    John

    Hi John,
    There can be a manual control in place, and an individual should not assign roles to himself / herself.
    Otherwise, security team members can be assigned to a specific group (let's say Security) and they shouldn't have access to authorization S_USER_GRP with ACTVT 22 & CLASS - Security. There should be a dedicated power user to assign the roles to the security team members and this can be audited (SM20 log for manual super user / FireFighter log for FireFighter user).
    Thanks
    Prasanna

  • OIM 11g-How to restrict the role administrator from seeing "other" roles

    Dear All,
    How to restrict an Administrator from seeing roles he is not supposed to administer?
    My administrator is supposed to assign only Role A. When he logs in he can see every single role. How to correct it so that he can see only Role A?
    Thank you for your time
    Maria

    Modify "All User Role Management Policy"

  • How to restrict without role

    Hi to everyone,
    I want to know: one of our users has the sap_all & sap_new profiles,
    so that is a super user.
    I want to restrict some tcodes like sm12, sm04, st02, etc.
    without assigning any role ....
    I mean, if I create a role then it will not be the solution because the user wants all authorizations except sm12, sm04 and st02.
    So guide me what should be the way to do so.
    Regards
    Dik

    Well, I know roles like these are clumsy and it is never a good practice to have a role with SAP_ALL, and never something like this in Production, and however you try to limit it.. there may be a way to take advantage of this role.
    So let's try to minimize the access to roles like this, because sometimes in the dev system functional consultants ask for roles like this.
    "The user could just give themselves the real SAP_ALL or any other role back again"... -> Let us remove SU01, SU10, PFCG ....or better let us remove SU* and PFCG from this role, so that the user cannot give themselves any other role or t-code. Also remove the S_USER* objects
    or skip the tcode check in the debugger... or create a new transaction which does exactly the same... ->
    Let us remove all SE* t-codes like SE38, SE93 ..also SA* .....also remove S_DEVELOP with object type DEBUG, PROG etc ..restrict S_ADMI_FCD, S_SPO_ADMIN, S_BTCH_ADM etc and other S authorization object
    "Another bugger with roles such as these, is that when they are mixed with other roles which are built correctly to control the access of the user when using a certain set of application area transactions (which is different to just starting them...) "  --> Right..so we do not give this role with any other role...lets create a id for it ..something like a super user id and add this role to it. And give it only in the cases when you have approval for it.
    " SAP_ALL has moved on as well (with SP and releases) as it is regenerated from the new SAP_NEW..." -> This role is created from SAP_ALL as template ...I am not sure it means when SAP_ALL changes this custom role will change itself. The Role is created and until you change it yourself, it should not change automatically.

  • AE-How can we restrict a role approver to request or approve is own access?

    Currently, in our AE a role approver can submit a request to add a role for which he is the approver and therefore he will be able to approve it as well.
    We would like to not authorize someone to approve his own access request.
    Is that possible and how ?

    Patrick-
    That enhancement is available in Access Control (CUP, formerly AE) 5.3.  It is not available in 5.2.
    Ankur

  • Restrict Backups to Low CPU Usage Times

    I have been doing some pretty CPU intensive work lately, a lot of it in iTunes. I'm seeing the spinning beachball quite a bit when doing these tasks. To make it worse, Time Machine often picks these times to do a backup. I usually just end up canceling it.
    Is there any way to set Time Machine to only do its backups at times when CPU usage is below a certain threshold? If not, there's an option for a future release.
    Thanks.
    Tony

    Hi Dave
    Don't know if you know about the computer stone age, when you could set a
    CPU to do just one task. Not so any more.
    Mac computers are really UNIX dittos, so they behave likewise.
    To get it to work with better speed one has to keep it from doing meaningless
    tasks. This by giving it so much free space on the internal hard disk that
    it doesn't start virtual memory management and juggling a lot of temp files.
    To run iDVD I free up at least 25 GB of space on my internal hard disk and
    run no unnecessary programs in the background like "Screen, Energy-savers",
    FileVault etc., incl. Activity Monitor, Internet and other needless activities.
    P.S. Activity Monitor lies when running under iDVD and says that iDVD doesn't
    respond. Let it be and it eventually succeeds with its task.
    Yours Bengt W
