Newsgroups: comp.databases.ms-sqlserver
Date: Thu, 5 Dec 2013 16:14:54 -0800 (PST)
Subject: Re: 'Backup Database' permission
From: rja.carnegie@gmail.com

On Thursday, 5 December 2013 22:19:35 UTC, Erland Sommarskog wrote:
> Chad Jones (noreply@noreply.com) writes:
> > Can any one tell me if it's possible to grant the 'Backup
> > Database' permission to a user, but only for a disk location,
> > not a tape device? Thanks
>
> I don't think so. SQL Server writes to the backup device using its own
> identity; it does not impersonate the actual user, so you cannot control
> it with direct permissions on the device either.

Trying to be helpful, can you do something with a stored procedure that only runs the backup in the way that you want to allow? Which isn't the question that was asked.

Reading between the lines, the objective may be to prevent unauthorised copying of data out of the system, or to make a rule book that describes how it is prevented.

Other ideas, such as using the tape device on the standby server and not giving a user the "backup database" permission on that server, come to mind.
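The stored-procedure idea from the reply above, sketched in T-SQL as an added example that is not part of the original thread. The names SalesDb, D:\SqlBackups\, dbo.BackupToFixedDisk and BackupCaller are hypothetical, and it assumes the procedure is created in the database being backed up by a member of db_owner, so that EXECUTE AS OWNER supplies the database-level BACKUP DATABASE permission.

```sql
-- Added example. SalesDb, D:\SqlBackups\, dbo.BackupToFixedDisk and
-- BackupCaller are hypothetical names, not taken from the thread.
USE SalesDb;
GO

-- The caller supplies no parameters, so the target (a disk file in one
-- fixed folder) is decided by the procedure, never by the user.
CREATE PROCEDURE dbo.BackupToFixedDisk
WITH EXECUTE AS OWNER   -- assumption: owner is dbo, which may run BACKUP DATABASE
AS
BEGIN
    SET NOCOUNT ON;

    -- File name built only from the server clock: SalesDb_yyyymmdd_hhmmss.bak
    DECLARE @file nvarchar(260) =
          N'D:\SqlBackups\SalesDb_'
        + CONVERT(nchar(8), GETDATE(), 112) + N'_'
        + REPLACE(CONVERT(nchar(8), GETDATE(), 108), N':', N'')
        + N'.bak';

    -- COPY_ONLY keeps this ad hoc backup out of the regular backup chain.
    BACKUP DATABASE SalesDb
        TO DISK = @file
        WITH COPY_ONLY, CHECKSUM, INIT;
END;
GO

-- The user gets EXECUTE on the wrapper only, not the backup permission itself.
GRANT EXECUTE ON dbo.BackupToFixedDisk TO BackupCaller;
GO

-- Check: list principals that hold the backup permissions directly ...
SELECT pr.name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
    ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name IN (N'BACKUP DATABASE', N'BACKUP LOG');

-- ... and members of db_backupoperator, who hold them through the role.
SELECT m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_backupoperator';
```

If BackupCaller appears in either result set, the wrapper restricts nothing, because that user can still issue BACKUP DATABASE directly with any device.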