Please be aware that the content in SAP SQL Anywhere Forum will be migrated to the SAP Community in June and this forum will be retired.

HELLO! What is the minimum privilege for dbbackup -x?

2

Still wanting an answer... MANAGE ANY DBSPACE is not acceptable from a security point of view, when it comes to a user id and password that is used only for backups... it's too powerfuld.

Apparently the 16.0.0.1512 BACKUP DATABASE system privilege is not sufficient to run dbbackup with the -x option; it produces the error message "unable to delete transaction log".

What is the minimum required?

Granting the MANAGE ANY DBSPACE system privilege does allow dbbackup -x to run, but that seems... rather ... excessive.

Might as well GRANT NSA privileges, er, GRANT DBA :)

alt text

asked 12 Jul '13, 02:40

Breck%20Carter's gravatar image

Breck Carter
32.5k5417261050
accept rate: 20%

edited 01 Jan '14, 11:38

FWIW, here's the link to this question's prequel:

How do I diagnose dbbackup -x "unable to delete transaction log"?

(02 Jan '14, 03:17) Volker Barth
One Answer:
active answersoldest answersnewest answerspopular answers
4

The privilege we check during the delete transaction log operation is indeed MANAGE ANY DBSPACE. Whether it should be or not is debatable (it should probably be BACKUP DATABASE), but that's the one we currently check.

permanent link

answered 02 Jan '14, 11:55

Graeme%20Perrow's gravatar image

Graeme Perrow
9.6k379124
accept rate: 54%

edited 02 Jan '14, 12:15

Mark%20Culp's gravatar image

Mark Culp
24.9k10141297

1

I can guess how it happened: at the micro (engineer) level it "makes sense" since deleting a log is indeed "managing a dbspace". At the macro (user) level, not so much :)

IMO if the log is being deleted as part of a backup operation, then the privilege checked should indeed be BACKUP DATABASE (or nothing, since presumably BACKUP DATABASE is known to be in effect since it IS, after all, a backup :)

If there is some other context in which the log is deleted, then perhaps some other privilege is required.

If this is the only goofiness in the massive privilege overhall, then good on ya... a better record than healthcare.gov :)

(02 Jan '14, 14:45) Breck Carter
Replies hidden
2

Just to add:

In case you are re-thinking the granularity of the privileges, one further issue with MANAGE ANY DBSPACE may be the following:

Currently ALTER DBSPACE ADD [SYSTEM | TRANSLOG] 100 MB etc. requires that privilege, too. In my experience this is often much more of a simple "prevent database file fragmentation" maintenance task than a database design decision - in contrast to the creation, dropping or renaming of additional dbspaces.

Therefore I would think it could be changed to require less or different privileges, say SERVER OPERATOR.

(Of course one could create a particular STP to allow non-privileged users to pre-grow the database/translog...)

(31 Jan '14, 19:18) Volker Barth
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×48

question asked: 12 Jul '13, 02:40

question was seen: 3,186 times

last updated: 31 Jan '14, 19:18

Related questions

SQL Anywhere on Windows operating system changes db file to read only

Storage setup for security and performance

Protecting intellectual property

How do I expunge all SQL code from a database?

JDBC Java ConnString / EncryptedPassword (ENP) connection parameter

How to catch a table schema change?

How can one database prevent another from being started on the same engine?

need to encrypt communication between client and server

How do I convert a long binary (from ENCRYPT) to a url encoded value?

simple encryption question