Windows Users and Permissions on Database Servers
Delphix Administration / SQL Server Environments and Data Sources / Setting Up and Configuring Delphix for SQL Server / Tasks for the Windows System Administrator / Windows Users and Permissions on Database Servers

Delphix needs windows-level permissions on all three types of environments:

  • Staging
  • Source
  • Target

Windows Domain User Tasks on Staging Server

This requirement enables the staging user to create staging databases and perform the necessary functions on them during restorations, keeping the staging databases in sync with dSources. Powershell is used to execute commands to accomplish things such as mounting iSCSI LUNs for staging databases and restoring the data during SnapSync operations. For certain Powershell calls from the connector host, the source user is enabled on the staging side, because this is not stored on the source side.

The Windows Domain user (for example, delphix_stg) that the Delphix Engine uses on a staging environment must:

  • Be a member of the local Administrators group for access to discovery operations on source hosts, and for mounting iSCSI LUNs  that the Delphix Engine presents to the staging host
  • Have access to any SQL Server database instances which the Delphix Engine will use for staging operations (described in Tasks for the SQL Server Database Administrator)
  • Have Log on as a batch job rights so the Delphix Engine can remotely execute commands via Powershell. To set this:
    1. Using the secpol.msc security policy editor, navigate to Local Policies.
    2. Select User Rights Assignment.
    3. Select Log on as a batch job.
  • Have SMB read access to the location holding the backup files of the source database

The delphix_src user that the Delphix Engine uses on a source environment needs to be included in the local administrators group on the Staging Server.

Windows Domain User Tasks on Source Server

Delphix queries the database to obtain information on databases during discovery. Therefore, the source environment must have a Windows Domain user that the Delphix Engine can use (for example, delphix_src). This is the user that you provide when adding the source environment to the Delphix Engine. The user provides remote read-only access to the Windows Registry for discovering SQL Server instances and databases. This user must meet the following requirements:
  • Be a member of the Backup Operators or Administrators group on the source host to allow Windows remote registry access
  • If Delphix-initiated copy-only backups are used for the database, the user must be a member of the Administrators group on the source host
  • Have access to any SQL Server database instances which the Delphix Engine will discover or link (described in Tasks for the SQL Server Database Administrator)
  • If the source host belongs to a cluster, the user must have these privileges on all hosts that comprise the cluster

Unless Delphix-initiated copy-only backups are used, existing database backups from your Source Database must be accessible to both the Domain User of the Staging environment used for this database (for example, delphix_stg), and the Instance Owner of the Staging Database Instance (for example, CORP\staging_sql_service). This includes:

  • Permission to access the database backups via SMB (Windows file sharing)
  • NTFS Permissions to access the database backups

If the Source's backup process uses local file paths (e.g. E:\Backups\database.bak), it will be necessary to specify the path to the network file share during dSource configuration. See Linking a dSource from a SQL Server: An Overview for more information. For backups stored on Windows Failover Clusters or Availability Groups, the file share should be created using the Windows Failover Cluster Manager, to ensure that it travels between cluster nodes during cluster failover.

Using "Administrative" or "Default" Shares (for example, SERVERNAME\E$) for backups accessed by the Delphix Engine is strongly discouraged:

  • Behavior of Administrative Shares changes between Windows versions, and depending on whether Clustering is used
  • Administrative Shares may be disabled in some environments, for security reasons

Creating a named share for backups accessed by the Delphix Engine is recommended. Named shares also provide a level of abstraction, allowing you to change the physical location of backups on disk without re-configuring the Delphix Engine.

Windows Domain User Tasks on Target Server

There must be a Windows user for the target host that the Delphix Engine can use – for example, delphix_trgt. This user can be a Windows domain user or a local user. However, using a local user account will prevent you from using the target host as a staging target. This user has sysadmin status and can:
  • create the target databases
  • mount iSCSI LUNs
  • perform other database functions necessary for VDB operations, such as attach, detach, and restore. 

This user must meet these requirements:

  • Be a member of the local Administrators group for access to discovery operations on source hosts, and for mounting iSCSI LUNs that the Delphix Engine presents to the target host
  • Have access to any SQL Server database instances which the Delphix Engine will use for staging operations (described in Tasks for the SQL Server Database Administrator)
  • Have Log on as a batch job rights so the Delphix Engine can remotely execute commands via Powershell
    • To set this: Using the secpol.msc security policy editor, navigate to Local Policies > User Rights Assignment > Log on as a batch job.

Related Links