
Permissions

David Wiseman edited this page Nov 28, 2025 · 5 revisions

The service account running the log shipping service requires the following SQL Server permissions:

  • dbcreator role membership (to create the secondary databases)
  • VIEW SERVER STATE
  • CONNECT ANY DATABASE. Required only if you are using the STANDBY option with 'KillUserConnections'.
# Grant permissions using dbatools.
# Replace DOMAIN\YOURUSER, adding a $ to the end of the username if using a managed service account.
# Run locally or replace LOCALHOST with the name of the server.
Add-DbaServerRoleMember -SqlInstance LOCALHOST -ServerRole dbcreator -Login DOMAIN\YOURUSER
Invoke-DbaQuery -SqlInstance LOCALHOST -Query "GRANT VIEW SERVER STATE TO [DOMAIN\YOURUSER];GRANT CONNECT ANY DATABASE TO [DOMAIN\YOURUSER]"
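After granting the permissions, it is worth confirming that the login actually ended up with all of them before the service is started. The following is an added example, not code from the LogShippingService project: it uses the same dbatools cmdlet as above to query the server catalog and reports anything missing. The function name, parameter names and the `DOMAIN\YOURUSER` placeholder are assumptions; only direct grants to the login are detected, so a permission inherited through a custom server role would not be reported.

```powershell
# Added example (not the project's own code): verify the SQL-side permissions the
# service account needs. Assumes dbatools is installed and the caller can read
# sys.server_permissions / sys.server_principals on the target instance.
function Test-LogShippingSqlPermissions {
    param(
        [Parameter(Mandatory)][string]$SqlInstance,   # e.g. LOCALHOST
        [Parameter(Mandatory)][string]$Login,         # e.g. 'DOMAIN\YOURUSER' (add $ for a managed service account)
        [switch]$Standby                              # STANDBY with KillUserConnections needs CONNECT ANY DATABASE
    )

    # IS_SRVROLEMEMBER returns NULL for an unknown login, so the query also reports
    # whether the login exists at all. Only direct grants ('G' or 'W' = WITH GRANT OPTION)
    # are checked here.
    $query = @"
SELECT
    ISNULL(IS_SRVROLEMEMBER('dbcreator', @login), 0) AS IsDbCreator,
    CASE WHEN EXISTS (
        SELECT 1 FROM sys.server_permissions p
        JOIN sys.server_principals sp ON sp.principal_id = p.grantee_principal_id
        WHERE sp.name = @login AND p.state IN ('G', 'W') AND p.permission_name = 'VIEW SERVER STATE')
        THEN 1 ELSE 0 END AS HasViewServerState,
    CASE WHEN EXISTS (
        SELECT 1 FROM sys.server_permissions p
        JOIN sys.server_principals sp ON sp.principal_id = p.grantee_principal_id
        WHERE sp.name = @login AND p.state IN ('G', 'W') AND p.permission_name = 'CONNECT ANY DATABASE')
        THEN 1 ELSE 0 END AS HasConnectAnyDatabase,
    CASE WHEN EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login)
        THEN 1 ELSE 0 END AS LoginExists;
"@
    $row = Invoke-DbaQuery -SqlInstance $SqlInstance -Query $query -SqlParameters @{ login = $Login }

    $missing = @()
    if (-not $row.LoginExists)        { $missing += "login '$Login' does not exist on $SqlInstance" }
    if (-not $row.IsDbCreator)        { $missing += 'dbcreator role membership' }
    if (-not $row.HasViewServerState) { $missing += 'VIEW SERVER STATE' }
    if ($Standby -and -not $row.HasConnectAnyDatabase) {
        $missing += 'CONNECT ANY DATABASE (needed for STANDBY with KillUserConnections)'
    }

    [pscustomobject]@{
        SqlInstance = $SqlInstance
        Login       = $Login
        Ok          = ($missing.Count -eq 0)
        Missing     = $missing
    }
}

# Usage: fail loudly so the check can sit in a deployment script.
$result = Test-LogShippingSqlPermissions -SqlInstance LOCALHOST -Login 'DOMAIN\YOURUSER' -Standby
if (-not $result.Ok) { throw "Service account is missing: $($result.Missing -join '; ')" }
```

Run it as a sysadmin (or any login that can read the server catalog) once the grants above have been applied; the `-Standby` switch makes CONNECT ANY DATABASE a hard requirement, otherwise its absence is ignored.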

Additionally, the service account also requires:

  • Log on as a service rights

  • File system permissions to write to the application folder (for writing to the Logs folder)

⚠️ Restrict access to the application folder for other user accounts; only the service account and administrators need it.

  • File system permissions to list the backup files (if using a UNC path instead of Azure Blob)

The account running the SQL Server service also requires read access to the backup files, because the RESTORE itself is performed by SQL Server rather than by the log shipping service.

Azure Blob SASToken permissions

A SASToken can be generated from the Azure portal.

🔐 The SASToken for the credential in SQL will need Read, List, Write and Create permissions (SQL Server requires Write and Create even though the token is only used to restore from the container). Blob should be selected for Allowed services, and Object & Container for Allowed resource types. Container can be removed for the SQL credential but is required for the app, which needs to list the contents of the container.


Set an appropriate expiry date for the token and record it: when the token expires, log shipping will stop working, so plan to rotate the token before then. Click the Generate SAS and connection string button and copy the SASToken, which starts with sv=.

A credential is required in SQL to be able to restore from Azure blob:

/*
    If the credential already exists and you need to update the SASToken, drop and re-create it.  
    e.g. 
    DROP CREDENTIAL [https://<mystorageaccountname>.blob.core.windows.net/<mystorageaccountcontainername>] 
*/
CREATE CREDENTIAL [https://<mystorageaccountname>.blob.core.windows.net/<mystorageaccountcontainername>] 
   WITH IDENTITY = 'SHARED ACCESS SIGNATURE',  
   SECRET = '<SAS_TOKEN>';  

The SASToken is also required by the service itself so that it can enumerate the files in the blob container. The same token can be used for the service, or the service can be given a more restricted token with only Read & List.
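Because a token with too few permissions or a near expiry only shows up as a failed restore later, it is useful to check the token string itself before creating the SQL credential or handing it to the service. The following pre-flight check is an added example, not code from the LogShippingService project: it parses the SAS query string, applies the permission and resource-type requirements described above for the two uses (the SQL credential needs r, l, w and c on Object; the service needs r and l on Object and Container) and warns when the expiry is close. The function name, the `-Role` parameter, the 30-day warning threshold and the sample token are assumptions; the sample token's signature is a placeholder, not a real value.

```powershell
# Added example (not the project's own code): sanity-check a SAS token's
# permissions, services, resource types and expiry before it is used.
function Test-SasToken {
    param(
        [Parameter(Mandatory)][string]$SasToken,
        [ValidateSet('Sql', 'Service')][string]$Role = 'Sql',   # which consumer the token is for
        [int]$WarnDays = 30                                      # warn when expiry is this close
    )

    # Split the query string into a hashtable; a leading '?' (as passed to --SASToken) is tolerated.
    $q = @{}
    foreach ($pair in $SasToken.TrimStart('?').Split('&')) {
        $kv = $pair.Split('=', 2)
        if ($kv.Count -eq 2) { $q[$kv[0]] = [uri]::UnescapeDataString($kv[1]) }
    }

    $problems = @()

    # sp = signed permissions. SQL needs Read, List, Write, Create; the service only Read, List.
    $needPerms = if ($Role -eq 'Sql') { 'rlwc' } else { 'rl' }
    foreach ($p in $needPerms.ToCharArray()) {
        if (-not $q['sp'] -or $q['sp'].IndexOf($p) -lt 0) {
            $problems += "missing permission '$p' (sp=$($q['sp']))"
        }
    }

    # ss = signed services and srt = signed resource types are only present on an account SAS.
    if ($q.ContainsKey('ss') -and $q['ss'].IndexOf('b') -lt 0) {
        $problems += "Blob service not allowed (ss=$($q['ss']))"
    }
    if ($q.ContainsKey('srt')) {
        $needTypes = if ($Role -eq 'Sql') { 'o' } else { 'co' }   # the service also needs Container to list
        foreach ($t in $needTypes.ToCharArray()) {
            if ($q['srt'].IndexOf($t) -lt 0) { $problems += "missing resource type '$t' (srt=$($q['srt']))" }
        }
    }

    # se = signed expiry, e.g. 2026-11-28T17:00:00Z. An expired token stops log shipping.
    if (-not $q['se']) {
        $problems += 'no expiry (se) found'
    } else {
        $expiry = [datetime]::Parse($q['se'], [cultureinfo]::InvariantCulture,
                                    [System.Globalization.DateTimeStyles]::AdjustToUniversal)
        $daysLeft = ($expiry - (Get-Date).ToUniversalTime()).TotalDays
        if ($daysLeft -le 0) { $problems += "token expired on $($q['se'])" }
        elseif ($daysLeft -lt $WarnDays) { $problems += "token expires in $([math]::Round($daysLeft)) days ($($q['se']))" }
    }

    [pscustomobject]@{
        Role        = $Role
        Permissions = $q['sp']
        Expiry      = $q['se']
        Ok          = ($problems.Count -eq 0)
        Problems    = $problems
    }
}

# Constructed sample (not a real token): an account SAS in the shape the portal produces.
$sas = 'sv=2024-11-04&ss=b&srt=co&sp=rwlc&se=2026-11-28T17:00:00Z&st=2025-11-28T09:00:00Z&spr=https&sig=PLACEHOLDER'
Test-SasToken -SasToken $sas -Role Sql
Test-SasToken -SasToken "?$sas" -Role Service
```

The check is deliberately offline: it inspects only the token string and never contacts the storage account, so it can run on a workstation before the token is pasted into CREATE CREDENTIAL or into the service config. A token that passes can still be rejected by Azure if the signature is wrong or the storage account's network rules block the SQL Server; that part is only confirmed by an actual restore.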

The SASToken can be updated using:

LogShippingService.exe --SASToken "?sp=..."

🔐 The SASToken value is encrypted with the machine key before it is stored in the config. If you edit the config file directly and paste an unencrypted token, the encryption will be performed when the service starts. Because the key is specific to the machine, the encrypted value is only usable on the server that encrypted it; set the token again if the config file is copied to another server.

Log on as a service

The Log on as a service right is required to allow the service user account to run as a Windows service. If the user doesn't have this right, the service will fail to start. Built-in accounts and managed service accounts should have this by default. If you change the service account using services.msc, it will assign the right to the new user account. To grant the right manually:

  • Open Run (Win+R) and start gpedit.msc
  • Navigate to Local Computer Policy \ Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignment
  • Update Log on as a service to include the service user account.
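When the service is deployed to many servers, clicking through gpedit.msc on each one does not scale. The following is an added example, not code from the LogShippingService project: it grants the right (its internal name is SeServiceLogonRight) from an elevated PowerShell session by exporting the local User Rights policy with secedit, appending the account's SID to the SeServiceLogonRight line, and importing just that area back. The function name, the temporary file locations and the `DOMAIN\svc_logship` placeholder are assumptions. It is idempotent: an account that already holds the right is left untouched.

```powershell
# Added example (not the project's own code): grant "Log on as a service"
# (SeServiceLogonRight) to an account using secedit. Run from an elevated prompt.
function Grant-ServiceLogonRight {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'DOMAIN\svc_logship' or 'DOMAIN\gmsa$'

    # secedit records accounts by SID prefixed with '*', so resolve the name first.
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $inf = Join-Path $env:TEMP "user-rights-$([guid]::NewGuid()).inf"
    $sdb = [System.IO.Path]::ChangeExtension($inf, '.sdb')
    try {
        # Export only the User Rights area of the current local security policy.
        & secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE (is the session elevated?)" }
        $lines = @(Get-Content -Path $inf)

        # Find the existing SeServiceLogonRight line (normally present: NT SERVICE\ALL SERVICES holds it).
        $idx = -1
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -match '^SeServiceLogonRight\s*=') { $idx = $i; break }
        }

        if ($idx -ge 0) {
            if ($lines[$idx] -match [regex]::Escape("*$sid")) {
                return "$Account ($sid) already has SeServiceLogonRight"
            }
            $lines[$idx] = $lines[$idx].TrimEnd() + ",*$sid"
        } else {
            # No account holds the right yet: add the line under the [Privilege Rights] header.
            $hdr = [array]::IndexOf($lines, '[Privilege Rights]')
            if ($hdr -lt 0) { throw 'secedit export has no [Privilege Rights] section' }
            $lines = @($lines[0..$hdr]) + "SeServiceLogonRight = *$sid" + @($lines | Select-Object -Skip ($hdr + 1))
        }

        # The template must stay Unicode; then apply only the User Rights area into a fresh database.
        Set-Content -Path $inf -Value $lines -Encoding Unicode
        & secedit /configure /db $sdb /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
        return "Granted SeServiceLogonRight to $Account ($sid)"
    } finally {
        # The exported template lists every account holding every right; don't leave it behind.
        Remove-Item -Path $inf, $sdb -Force -ErrorAction SilentlyContinue
    }
}

# Usage (placeholder account name).
Grant-ServiceLogonRight -Account 'DOMAIN\svc_logship'
```

A right set this way in the local policy is still subject to domain Group Policy: if a GPO defines Log on as a service for the server, the next policy refresh replaces the local list, and the account has to be added in that GPO instead.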
