SQL server Agent Proxies
This topic describes how to create a SQL Server Agent proxy in SQL Server 2017 by using SQL Server Management Studio or Transact-SQL.
A SQL Server Agent proxy account defines a security context in which a job step can run. Each proxy corresponds to a security credential. To set permissions for a particular job step, create a proxy that has the required permissions for a SQL Server Agent subsystem, and then assign that proxy to the job step.
In This Topic
Limitations and Restrictions
- You must create a credential before you create a proxy if one is not already available.
- SQL Server Agent proxies use credentials to store information about Windows user accounts. The user specified in the credential must have "Access this computer from the network” permission (SeNetworkLogonRight) on the computer on which SQL Server is running.
- SQL Server Agent checks subsystem access for a proxy and gives access to the proxy each time the job step runs. If the proxy no longer has access to the subsystem, the job step fails. Otherwise, SQL Server Agent impersonates the user that is specified in the proxy and runs the job step.
- Creation of a proxy does not change the permissions for the user that is specified in the credential for the proxy. For example, you can create a proxy for a user that does not have permission to connect to an instance of SQL Server. In this case, job steps that use that proxy are unable to connect to SQL Server.
- If the login for the user has access to the proxy, or the user belongs to any role with access to the proxy, the user can use the proxy in a job step.
- Only members of the sysadmin fixed server role have permission to create, modify, or delete proxy accounts. Users who are not members of the sysadmin fixed server role must be added to one of the following SQL Server Agent fixed database roles in the msdb database to use proxies: SQLAgentUserRole, SQLAgentReaderRole, or SQLAgentOperatorRole.
- Requires ALTER ANY CREDENTIAL permission if creating a credential in addition to the proxy.
Using SQL Server Management Studio
- In Object Explorer, click the plus sign to expand the server where you want to create a proxy on SQL Server Agent.
- Click the plus sign to expand SQL Server Agent.
- Right-click the Proxies folder and select New Proxy.
- On the New Proxy Account dialog box, on the General page, enter the name of the proxy account in the Proxy name box.
- In the Credential name box, enter the name of the security credential that the proxy account will use.
- In the Description box, enter a description for the proxy account
- Under Active to the following subsystems, select the appropriate subsystem or subsystems for this proxy.
- On the Principals page, add or remove logins or roles to grant or remove access to the proxy account.
- When finished, click OK.
- In Object Explorer, connect to an instance of Database Engine.
- On the Standard bar, click New Query.
- Copy and paste the following example into the query window and click Execute.
- creates credential CatalogApplicationCredential USE msdb ; GO CREATE CREDENTIAL CatalogApplicationCredential WITH IDENTITY = 'REDMOND/TestUser', SECRET = 'G3$1o)lkJ8HNd!'; GO - creates proxy "Catalog application proxy" and assigns - the credential 'CatalogApplicationCredential' to it. EXEC dbo.sp_add_proxy @proxy_name = 'Catalog application proxy', @enabled = 1, @description = 'Maintenance tasks on catalog application.', @credential_name = 'CatalogApplicationCredential' ; GO - grants the proxy "Catalog application proxy" access to - the ActiveX Scripting subsystem. EXEC dbo.sp_grant_proxy_to_subsystem @proxy_name = N'Catalog application proxy', @subsystem_id = 2 ; GO