Backup-archive client operations and security rights
This section explains the types of Tivoli® Storage Manager backup-archive client operations that can be performed and the security rights that are needed.
You must have local or domain administrator privileges to install and configure Tivoli Storage Manager client services.
Table 1 summarizes the user security rights needed for backup and restore operations. The information in the table assumes that the default privileges for the Microsoft Windows Administrators group, Backup Operators group, and Users group have not been altered.
Operating system | Account | What can I back up and restore? |
---|---|---|
Windows Clients | Member of Administrators group | |
Windows Clients | Member of Backup Operators group | Note: Backup Operator group members cannot restore system state. |
Windows Clients | Member of Users or other group | Note: System state cannot be backed up or restored. |
By default, Tivoli Storage Manager client services run under the local system account. However, the local system account does not have access to network-mapped drives and does not have the same permissions and logon properties as a user who is logged in to the system. If you experience discrepancies between a user-initiated backup and a scheduled backup that uses the local system account, consider changing the services to run under the user account.
Domain resources, such as network drives, can only be accessed by services configured to run under a domain authorized account using dsmcutil or the Service Control Panel Application.
Beginning with Tivoli Storage Manager Version 7.1.8, stricter access control is enforced for the Tivoli Storage Manager password storage on Windows operating systems. By default, only the Administrator, SYSTEM, or LocalSystem account has access to the password store and SSL certificates.
You can use the dsmcutil addace command to modify the access control list to allow additional users, such as non-administrative users, or processes, such as the Tivoli Storage Manager Data Protection client processes, to access the password store and SSL certificates.
You can use the dsmcutil deleteace command to modify the access control list to remove access to the password store and client certificates for users, such as non-administrative users, or processes, such as the Tivoli Storage Manager Data Protection client processes.
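To check the result of dsmcutil addace or deleteace changes, the following PowerShell script lists allow entries on the password store that go beyond the default accounts named above. It is an added example, not part of the product documentation. The store path is a placeholder because this page does not give the location, and reading "Administrator" as the local Administrators group plus the built-in Administrator account is an assumption.

```powershell
# Added example: audit allow entries on the client password store and SSL certificates.
# $StorePath is a placeholder; this page does not state where the password store lives.
$StorePath = 'C:\Path\To\PasswordStore'

# Well-known SIDs for the default principals (assumed mapping of the page's wording).
$AllowedSids = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-18'       # NT AUTHORITY\SYSTEM (LocalSystem)
)

function Get-UnexpectedAce {
    param([string]$Path, [string[]]$Allowed)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # identity that no longer resolves
        }
        # RID 500 is the built-in Administrator account of the machine or domain.
        if ($Allowed -contains $sid -or $sid -match '^S-1-5-21-.+-500$') { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Sid       = $sid
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check the store itself and every file and folder beneath it.
$targets = @($StorePath) + @(Get-ChildItem -LiteralPath $StorePath -Recurse -Force |
    ForEach-Object FullName) | Select-Object -Unique
$findings = foreach ($t in $targets) { Get-UnexpectedAce -Path $t -Allowed $AllowedSids }

if ($findings) {
    # Each row is an account or process identity granted access beyond the defaults.
    $findings | Sort-Object Path, Identity | Format-Table -AutoSize
} else {
    Write-Output "No allow entries beyond the default accounts under $StorePath"
}
```

Entries that appear here should correspond to identities deliberately granted with dsmcutil addace; anything else is a candidate for dsmcutil deleteace.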