The Microsoft application agent requires that the user starting backup and recovery operations are assigned certain privileges from the SQL Server and the Windows application host. The following table explains the required permissions for both stand-alone SQL and AAG SQL Servers.
Stand-alone SQL Server | sysadmin and public | Create a local or domain windows user account and assign the following roles: For table-level backup and recovery, assign administrative privileges. For database-level backup and recovery, assign administrative permissions: - Add the user to the “create global objects” windows policy.
- Assign the following permissions to the data and log folder of the database:
- Read
- Write
- List folder contents
|
Always-on Availability Group | sysadmin and public | Create a Windows user account with one of the following configurations - Domain user added to the administrator’s user group.
- The built-in windows administrator.
- The local user account added to the administrator’s user group of each node in the cluster. The username and password must be the same on each node.
|
The Microsoft application agent supports SQL data encryption at the cell level, at the full database level by using TDE, or at the file-level with encryption options provided by Microsoft. (Microsoft SQL transparent data encryption (TDE) is a feature that performs real-time I/O encryption and decryption of the data and log files.)
Note: The Microsoft application agent does not support third-party transparent data encryption for SQL VDI. See the Microsoft SQL Server product documentation for more information about TDE, enabling data encryption, and protecting the encryption keys.
