The forum will experience an outage sometime between February 10 at 7:00pm EST and February 12 at 11:59 EST for installation of security updates. The actual time and duration of the outage are unknown but attempts will be made to minimize the downtime. We apologize for any inconvenience.


We are looking into several security concerns, and we are wondering if it would be possible to disable the creation of a backup of a Sybase SQL Anywhere 11.0.1 database. We currently often use DBBackup.exe to create a backup of a database. However, there are some databases running in the field where we would like to block this possibility from any user. I have found in the Authorities of a user the checkbox "backup" "required to perform database backups", however think that the DBA also has this possibility. Would it be possible to block this from the DBA aswell, or have a database without a DBA user ? (that last doesn't seem possible)

Kind regards,


asked 20 Jan '12, 03:45

MichaelMangelschots's gravatar image

accept rate: 0%

edited 20 Jan '12, 07:24

Volker%20Barth's gravatar image

Volker Barth

FWIW, revoking BACKUP priviledge from DBA (which a DBA doesn't have been granted by default) doesn't prevent them from doing backups at all - the DBA priviledge seems to contain BACKUP and VALIDATE by design...

(20 Jan '12, 07:24) Volker Barth

A database for which the end users have access to a user id with DBA privilege has no security whatsoever, and preventing a backup will not improve the situation.

(20 Jan '12, 09:11) Breck Carter

By definition DBA can do anything - they are the owner of the database. I don't think that a database could exist without one.

I suspect the answer to your problem is to ensure that the DBA password is NEVER distributed and that clients in the field connect with a lower level of authority. You may also want to look at database encryption so that the database file cannot be hacked directly.

permanent link

answered 20 Jan '12, 05:30

Justin%20Willey's gravatar image

Justin Willey
accept rate: 20%


Well, we do use databases without a DBA (actually still with a DBA, however the DBA user has not password and cannot connect anymore - just like these particular SYS and dbo users), but these are SQL remote databases, and they can "re-gain" a DBA "from outside" by means of passthough mode. Something similar might be possible with MobiLink clients (but I'm not sure). So that's a very particular situation.

For a single database, I don't think it even makes sense to drop any user with DBA priviledge - you would not be able to alter anything general afterwards...

FWIW, I just tested with the v12 demo: You are able to revoke the DBA priviledge from a DBA user, and she cannot do backup afterwards (unless the BACKUP priviledge is set explicitly). However, as stated, you won't be able to change the back if there's no other user with DBA priviledge...

(20 Jan '12, 06:58) Volker Barth

Some suggestions:

  • The "secured features" facility (dbsrvX -sf) allows to prevent some server actions, among others server-side backups (which comprises DBBACKUP -s). That's the feature "backup". - It does not prevent from doing client-side backups.
  • You could use a "BackupEnd" type event to find out that a backup has taken place (and possibly could then remove the backup immediately) - however, it's not easy to find out the backup location, and if it's on a location not accessible for the database server (say, a client computer), that won't do at all.
  • The database system cannot prevent any user from copying the database files when the database is not loaded (and therefore to make a full image backup) - so that's only limited by OS permissions.

That may rather limit your possibilities...

permanent link

answered 20 Jan '12, 07:11

Volker%20Barth's gravatar image

Volker Barth
accept rate: 32%

edited 20 Jan '12, 07:13

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 20 Jan '12, 03:45

question was seen: 1,213 times

last updated: 20 Jan '12, 09:13