SQL Server 代理作业帐户问题
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1216404/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
SQL Server agent job account issue
提问by George2
I am using SQL Server 2008. I am confused about which account will be used when a SQL Server agent job runs. My confusions are,
我使用的是 SQL Server 2008。我对运行 SQL Server 代理作业时将使用哪个帐户感到困惑。我的困惑是,
- SQL Server agent as a Windows Service which we could control from Windows Service Management Console, from there we could set the account to run SQL Server Agent (LocalSystem in my computer);
- Could I set SQL Server agent job level account to run on?
- Could I set in each step which account SQL Server agent job step will run on?
- SQL Server 代理作为 Windows 服务,我们可以从 Windows 服务管理控制台进行控制,从那里我们可以设置帐户来运行 SQL Server 代理(在我的计算机中为 LocalSystem);
- 我可以设置运行 SQL Server 代理作业级帐户吗?
- 我可以在每个步骤中设置 SQL Server 代理作业步骤将在哪个帐户上运行吗?
I have above confusions because 3 different account systems may be used and my concern is what is the actual account each step will run on, and I want to avoid any permisson issues (i.e. I want to make sure the account have enough permission.). Any comments or advice? Appreciate anyone could clarify the 3 levels of accounts, which makes me very confused.
我有上述困惑,因为可能会使用 3 个不同的帐户系统,我关心的是每个步骤将运行的实际帐户是什么,我想避免任何权限问题(即我想确保帐户有足够的权限。)。有什么意见或建议吗?感谢任何人都可以澄清3个级别的帐户,这让我很困惑。
thanks in advance, George
提前致谢,乔治
回答by marc_s
I would typically run the SQL Server Agent jobs under the same account as your app accesses the database.
我通常会在您的应用程序访问数据库的同一帐户下运行 SQL Server 代理作业。
If that account is too limited in its permissions (which might be a good thing!), I would create a single account for that app and all its SQL jobs (if that's possible) and run all SQL jobs under that account.
如果该帐户的权限太有限(这可能是一件好事!),我将为该应用程序及其所有 SQL 作业(如果可能)创建一个帐户,并在该帐户下运行所有 SQL 作业。
You could potentially run each step under a different account, but I wouldn't use that in general (it just makes it really hard to know and understand what is run under which account). Only use it if you have to run a particularly sensitive step that needs a bunch of extra permissions and those permissions are only available to a particular system account or something.
您可能会在不同的帐户下运行每个步骤,但我一般不会使用它(这只会让了解和理解在哪个帐户下运行的内容变得非常困难)。仅当您必须运行需要大量额外权限的特别敏感步骤时才使用它,而这些权限仅适用于特定系统帐户或其他内容。
The account under which the SQL Server Agent windows service runs really doesn't have an impact on what your job steps will be run under.
运行 SQL Server 代理 Windows 服务的帐户实际上不会影响您的作业步骤将在其下运行。
So it boils down to really just two accounts:
所以它归结为实际上只有两个帐户:
one account is needed to run the SQL Server Agent Windows service - this is a Windows account on your machine / server which needs to have enough permissions to run the service, start and stop it - either use LocalSystem, Network Service, or whatever other Windows account you have to run services with
The other account would be the account to run your SQL Server Agent steps under - that's typically a SQL Server account (which could be based on a Windows account), and it needs enough privileges inside SQL Server to do its job, e.g. it needs access to the database objects and all. I would strive to have just one accountfor each app that runs the SQL Server jobs - makes life a whole lot easier!
需要一个帐户来运行 SQL Server 代理 Windows 服务——这是你的机器/服务器上的一个 Windows 帐户,它需要有足够的权限来运行服务、启动和停止它——使用本地系统、网络服务或任何其他 Windows您必须使用其运行服务的帐户
另一个帐户将是运行 SQL Server 代理步骤的帐户 - 通常是 SQL Server 帐户(可能基于 Windows 帐户),并且它需要在 SQL Server 内部具有足够的权限才能完成其工作,例如它需要访问到数据库对象和所有。我会努力为每个运行 SQL Server 作业的应用程序只拥有一个帐户- 让生活变得更加轻松!
Marc
马克
PS: To set the user to run a step under, you need to use the "Advanced" page on the Job step property dialog and select the user from a popup window:
PS:要设置用户在其下运行步骤,您需要使用作业步骤属性对话框上的“高级”页面,并从弹出窗口中选择用户:
回答by Rob Farley
You can create Credentials in SQL Server (use Mgt Studio, under Security). Then create a Proxy in SQL Agent to use those credentials, telling it what kind of job steps can be used by the proxy. Then you get the choice to use that Proxy in the job step itself.
您可以在 SQL Server 中创建凭据(使用 Mgt Studio,在安全性下)。然后在 SQL Agent 中创建一个代理来使用这些凭据,告诉它代理可以使用什么样的作业步骤。然后您可以选择在作业步骤本身中使用该代理。
So... I make accounts for various SSIS packages to run under, so that I can keep the SQL Agent Service Account low privilege, and use a proxied credential with slightly higher privilege (not admin though, just enough permission to connect to other systems, including the File System).
所以...我为各种 SSIS 包创建帐户以在其下运行,以便我可以保持 SQL 代理服务帐户的低权限,并使用具有稍高权限的代理凭据(虽然不是管理员,但有足够的权限连接到其他系统,包括文件系统)。
Rob
抢
