About SQL Server Agent Proxies
.gif) Note: |
|---|
|
Job steps that execute Transact-SQL do not use SQL Server Agent proxies. Transact-SQL job steps run in the security context of the owner of the job. To set the security context for a Transact-SQL job step, use the database_user_name parameter in the sp_add_jobstep stored procedure. For more information, see sp_add_jobstep (Transact-SQL). |
SQL Server Agent proxies use credentials to store information about Windows user accounts. The user specified in the credential must have "Log on as a batch job" permission on the computer on which SQL Server is running.
SQL Server Agent checks subsystem access for a proxy and gives access to the proxy each time the job step runs. If the proxy no longer has access to the subsystem, the job step fails. Otherwise, SQL Server Agent impersonates the user that is specified in the proxy and runs the job step.
Creation of a proxy does not change the permissions for the user that is specified in the credential for the proxy. For example, you can create a proxy for a user that does not have permission to connect to an instance of SQL Server. In this case, job steps that use that proxy are unable to connect to SQL Server.
A user must have access to a proxy to use the proxy in a job step. Access can be granted to three types of security principals:
-
SQL Server logins
-
Server roles
-
Roles within the msdb database
If the login for the user has access to the proxy, or the user belongs to any role with access to the proxy, the user can use the proxy in a job step.
| Note: |
|---|
|
Members of the sysadmin fixed server role have access to all proxies in the instance. |
The following section provides links to common tasks for working with proxies.
To create a proxy
To modify a proxy
To delete a proxy
To set permissions for a user