Time to read: ~ 3 minutes
This is a straight #SQLNewBlogger post.
I was working on privileges and permissions for some server roles in the database on a new server the other day.
From talking with the Developers, they wanted the ability to be able to backup and restore databases.
Reading the documentation
I knew from reading the documentation that
dbcreator grants permissions to create, alter, drop, and restore databases. My question was does it give permission to backup databases?
It seems to give everything else so is backup databases just missing there? Or is it intentionally left out?
A few tries with different search engine didn’t reveal much for me. Luckily, this is something that we can easily test! Perfect for a #SQLNewBlogger post.
If you have a situation like this one; figure it out and write it up!
I’m going to assume that you have a development instance of SQL Server to test things out on.
On your test instance, we’re going to create a SQL Authentication Login that shall be our test subject.
We are testing
dbcreator so we’re going to add it to that role after we create it. We’ll also need a database that we can test this on.
USE [master]; GO CREATE LOGIN [RestoreNoBackup] WITH PASSWORD = 'WhyOneAndNotOther?'; GO ALTER SERVER ROLE dbcreator ADD MEMBER RestoreNoBackup; GO IF DB_ID(N'TestBackup') IS NOT NULL BEGIN ALTER DATABASE TestBackup SET SINGLE_USER WITH ROLLBACK IMMEDIATE; DROP DATABASE TestBackup; END; GO CREATE DATABASE TestBackup; ALTER DATABASE TestBackup SET RECOVERY SIMPLE; GO USE TestBackup; GO CREATE TABLE dbo.TestData ( TestDataId int IDENTITY(1, 1) NOT NULL CONSTRAINT pk_TestData PRIMARY KEY, TestDate date NOT NULL CONSTRAINT df_TestDate_getdate DEFAULT (GETDATE()), TestValue varchar(25) NOT NULL ); GO CREATE USER RestoreNoBackup FROM LOGIN RestoreNoBackup; GO GRANT SELECT ON dbo.TestData TO RestoreNoBackup; GO INSERT INTO dbo.TestData (TestValue) VALUES ('This is important!'), ('So is this.'); GO SELECT * FROM dbo.TestData; GO
So now we have:
- A database: TestBackup
- A SQL Login: RestoreNoBackup
- Assigned to dbcreator
- A User on the database linked to the login: RestoreNoBackup
- Granted SELECT on the table.
Are we missing something? Let’s take a backup as well.
BACKUP DATABASE TestBackup TO DISK = N'E:\BACKUP\TestBackup_20190530_01.bak' WITH COMPRESSION, CHECKSUM; GO
Now, let’s do our actual test.
We’re going to connect to the instance as our login; RestoreNoBackup.
Now, let’s test that we can create a database…
CREATE DATABASE Empty01; GO SELECT DbOwner = SUSER_SNAME(owner_sid), DbName = [name] FROM sys.databases; GO
Lovely, can we restore the backup that we took?…
RESTORE DATABASE RestoreTest01 FROM DISK = N'E:\BACKUP\TestBackup_20190530_01.bak' WITH MOVE N'TestBackup' TO N'/var/opt/mssql/data/RestoreTest01.mdf', MOVE N'TestBackup_log' TO N'/var/opt/mssql/data/RestoreTest01_log.ldf', CHECKSUM, STATS = 10; SELECT * FROM [RestoreTest01].dbo.TestData; SELECT DbOwner = SUSER_SNAME(owner_sid), DbName = [name] FROM sys.databases; GO
Great! But can we backup the database that we created?…
SELECT SUSER_SNAME(); BACKUP DATABASE RestoreTest01 TO DISK = N'E:\BACKUP\RestoreTest01_20190530_01.bak' WITH COMPRESSION, CHECKSUM; GO
Okay! So if backup permissions are needed, I need to add the user to the
db_backupoperator database role.
Good to know!
I now have confirmation that
dbcreator can create and restore (I’m wasn’t testing alter or drop) databases.
This is a lovely case of #SQLNewBlogger, it took me 15 minutes for this blog post and most of that was taking the screenshots and cleaning the code.