Windows operating systems

Backup-archive client operations and security rights

This section explains the types of Tivoli® Storage Manager backup-archive client operations that can be performed and the security rights that are needed.

You must have local or domain administrator privileges to install and configure Tivoli Storage Manager client services.

Table 1 summarizes the user security rights needed for backup and restore operations. The information in the table assumes that the default privileges for the Microsoft Windows Administrators group, Backup Operators group, and Users group have not been altered.

Table 1. Required user security rights for Tivoli Storage Manager backup and restore services

Operating system: Windows clients (all rows)

Account: Member of Administrators group
What can I back up and restore?
  • Back up and restore all file and directory objects
  • Back up and restore system state, including ASR writer data

Account: Member of Backup Operators group
What can I back up and restore?
  • Back up and restore all file and directory objects
  • Back up system state, except for ASR writer data
  Note: Members of the Backup Operators group cannot restore system state.

Account: Member of Users or other group
What can I back up and restore?
  • Back up and restore all file and directory objects
    Attention: Users must hold the following Microsoft Windows security privileges to back up and restore files and directories:
    • Back up files and directories (SeBackupPrivilege)
    • Restore files and directories (SeRestorePrivilege)
    These privileges are a potential security risk: they let the user read (back up) any file on the system regardless of its ACL, and restore (overwrite) any file for which a backup copy exists. Grant them only to trusted users. For more information about these privileges, see the Microsoft Windows documentation.
  Note: System state cannot be backed up or restored.

By default, Tivoli Storage Manager client services run under the local system account. However, the local system account has no access to network mapped drives (drive mappings belong to the logon session that created them) and does not have the same permissions and logon properties as a user who is logged on to the system. If you see discrepancies between a user-initiated backup and a scheduled backup that runs under the local system account, consider changing the services to run under the user account.

Tip: In addition to the appropriate user security rights, the Tivoli Storage Manager backup-archive client requires that the user has read permission on the root of any drive that needs to be backed up or restored. If the Tivoli Storage Manager scheduler service logs on with the system account, ensure that you grant the system account (SYSTEM) read access to the root of the drive explicitly. Granting Everyone read access to the root of the drive is not sufficient.
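The following PowerShell script is an added example, not part of the IBM documentation. It checks the two preconditions above for the token it runs in: which row of Table 1 applies to the account (group membership plus the SeBackupPrivilege and SeRestorePrivilege user rights), and whether the service identity (by default NT AUTHORITY\SYSTEM, the account the scheduler uses) has an explicit read ACE at the root of every fixed drive rather than only an Everyone ACE. The function names are this example's own. Run it interactively to check a user-initiated backup, or as SYSTEM (for example from a scheduled task) to check a scheduled one.

```powershell
# Added example: verify Table 1 rights and drive-root read access (not IBM code).

function Get-TsmAccountRights {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity

    # In a non-elevated session UAC filters the Administrators group out of the
    # token, so an administrator is reported as Backup Operators / Users here.
    $isAdmin    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $isBackupOp = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::BackupOperator)

    # whoami /priv lists every privilege on the token, enabled or disabled;
    # either state means the account holds it and the client can enable it.
    $privs      = whoami /priv
    $hasBackup  = [bool]($privs | Select-String -Quiet -SimpleMatch 'SeBackupPrivilege')
    $hasRestore = [bool]($privs | Select-String -Quiet -SimpleMatch 'SeRestorePrivilege')

    $row = if ($isAdmin) {
        'Administrators: files and directories, full system state including ASR writer'
    } elseif ($isBackupOp) {
        'Backup Operators: files and directories, system state backup only (no ASR writer, no system state restore)'
    } elseif ($hasBackup -and $hasRestore) {
        'Users holding SeBackupPrivilege and SeRestorePrivilege: files and directories only'
    } else {
        'Insufficient: needs "Back up files and directories" and "Restore files and directories"'
    }

    [pscustomobject]@{
        Account            = $identity.Name
        SeBackupPrivilege  = $hasBackup
        SeRestorePrivilege = $hasRestore
        Table1Row          = $row
    }
}

function Test-DriveRootRead {
    param(
        # Identity that must appear in each drive root ACL. An Everyone ACE does
        # not count for it; only an ACE for the identity itself or for one of
        # the groups listed in -ViaGroups (hypothetical extra names) is accepted.
        [string]$Identity    = 'NT AUTHORITY\SYSTEM',
        [string[]]$ViaGroups = @()
    )
    $accepted = @($Identity) + $ViaGroups
    $readBit  = [Security.AccessControl.FileSystemRights]::ReadData   # same bit as ListDirectory

    # DriveType 3 = local fixed disk
    foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3') {
        $root = $disk.DeviceID + '\'
        $aces = (Get-Acl -Path $root).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $readBit) -ne 0)
        }
        $grantedTo   = @($aces | ForEach-Object { $_.IdentityReference.Value })
        $identityOk  = [bool]($grantedTo | Where-Object { $accepted -contains $_ })
        $everyoneOk  = $grantedTo -contains 'Everyone'
        $verdict     = if ($identityOk) { 'ok' }
                       elseif ($everyoneOk) { 'Everyone only: not sufficient' }
                       else { 'no read access' }
        [pscustomobject]@{
            Drive        = $root
            IdentityRead = $identityOk
            EveryoneRead = $everyoneOk
            Verdict      = $verdict
        }
    }
}

Get-TsmAccountRights
Test-DriveRootRead | Format-Table -AutoSize
```

Test-DriveRootRead matches ACE principals by name only; if SYSTEM gets its read access through a group, pass that group name in -ViaGroups, and note that generic rights (GENERIC_READ) on an ACE are not decoded and would show as no access.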

Domain resources, such as network drives, can be accessed only by services that are configured to run under a domain-authorized account, using dsmcutil or the Services control panel application.
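The following PowerShell script is an added example, not part of the IBM documentation, of reconfiguring the scheduler service to log on with a domain account using sc.exe (the Service Control Manager CLI) instead of dsmcutil, so that every switch used is a documented Windows one. It assumes the service was installed with the default name TSM Client Scheduler (pass the name you gave dsmcutil if it differs), and the account name is a placeholder. The check for "Log on as a service" is included because sc.exe, unlike the Services control panel, does not grant that right automatically.

```powershell
# Added example: run the scheduler service under a domain account (not IBM code).

function Test-ServiceLogonRight {
    param([Parameter(Mandatory)][string]$Account)
    # secedit exports SeServiceLogonRight as a comma-separated list of *SIDs,
    # so resolve the account to its SID and compare on that.
    $sid = (New-Object Security.Principal.NTAccount($Account)).Translate([Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
        if (-not $line) { return $false }
        $entries = ($line -split '[=,]') | ForEach-Object { $_.Trim() }
        return ($entries -contains "*$sid")
    } finally {
        Remove-Item $cfg -Force -ErrorAction SilentlyContinue
    }
}

function Set-TsmSchedulerAccount {
    param(
        [Parameter(Mandatory)][string]$Account,             # e.g. 'CORP\svc-tsm' (placeholder)
        [string]$ServiceName = 'TSM Client Scheduler'       # assumed default dsmcutil name
    )
    # Accept either the service key name or its display name; sc.exe needs the key name.
    $svc = Get-Service | Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName }
    if (-not $svc) { throw "Service '$ServiceName' not found" }

    if (-not (Test-ServiceLogonRight -Account $Account)) {
        throw "$Account does not hold 'Log on as a service'; grant it (Group Policy or secedit) first"
    }

    $cred  = Get-Credential -UserName $Account -Message 'Service account password'
    $plain = $cred.GetNetworkCredential().Password
    # The password travels on the sc.exe command line and is briefly visible in
    # process listings; run this interactively on the host, not via a logging shell.
    sc.exe config "$($svc.Name)" obj= "$Account" password= "$plain"
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

    Restart-Service -Name $svc.Name
    # Confirm the logon account the SCM now has on record.
    (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartName
}

Set-TsmSchedulerAccount -Account 'CORP\svc-tsm'
```

After the switch, refer to network resources in the client option file by UNC path rather than by mapped drive letter: drive mappings are created per logon session, and a service session does not inherit the mappings of an interactive user even when both run as the same domain account.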

Beginning with Tivoli Storage Manager Version 7.1.8, stricter access control is enforced on the Tivoli Storage Manager password store on Windows operating systems. By default, only the Administrator account and the SYSTEM (LocalSystem) account have access to the password store and the SSL certificates.

You can use the dsmcutil addace command to modify the access control list and grant access to the password store and SSL certificates to additional users, such as non-administrative users, or to processes such as the Tivoli Storage Manager Data Protection client processes.

You can use the dsmcutil deleteace command to modify the access control list and remove that access again for users, such as non-administrative users, or for processes such as the Tivoli Storage Manager Data Protection client processes.
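The following PowerShell script is an added example, not part of the IBM documentation, for auditing the result of addace and deleteace: it walks the password store and certificate location and reports every owner or Allow ACE that is not one of the expected principals. The location is an assumption, because it depends on the client version and install path; pass whichever your installation uses, either a directory or a registry key (for example under HKLM:\SOFTWARE\IBM\ADSM). The script only reports; make changes with dsmcutil addace and deleteace.

```powershell
# Added example: list unexpected principals on the password store ACLs (not IBM code).

function Get-UnexpectedAce {
    param(
        [Parameter(Mandatory)][string]$Path,    # directory or registry key (assumption: supply yours)
        [string[]]$Expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    # Get-Acl and Get-ChildItem work on both the file system and registry providers.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.PSPath

        # The owner can rewrite the DACL, so an unexpected owner is as serious as an ACE.
        if ($Expected -notcontains $acl.Owner) {
            [pscustomobject]@{ Path = $item.PSPath; Identity = $acl.Owner; Rights = 'OWNER'; Inherited = $false }
        }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($Expected -contains $who) { continue }
            # File ACEs expose FileSystemRights, registry ACEs expose RegistryRights.
            $rights = if ($ace.PSObject.Properties['FileSystemRights']) { $ace.FileSystemRights }
                      else { $ace.RegistryRights }
            [pscustomobject]@{
                Path      = $item.PSPath
                Identity  = $who
                Rights    = $rights
                Inherited = $ace.IsInherited   # true: the grant came from a parent, not from addace
            }
        }
    }
}

# Placeholder location; replace with your client's password store / certificate path.
Get-UnexpectedAce -Path 'HKLM:\SOFTWARE\IBM\ADSM' | Format-Table -AutoSize
```

An entry with Inherited set to true points at a parent container whose ACL is too permissive, which deleteace on the store itself will not fix; tighten the parent instead. Principals granted deliberately with addace (for example a Data Protection service account) can be added to -Expected so only genuine drift is reported.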

For more information, see ADDACE and DELETEACE.