We're creating a Domain account to run our Merge Agent under, and we're trying to determine what NT permissions it requires. I can't seem to find a definitive list anywhere. Our replication configuration is:
Publisher: SQL 2008
Subscriber: SQL 2005
Replication Type: Merge
Subscription Type: Pull
Snapshot location: Network share on publisher
It works when we run the Merge Agent as my account, but that has administrative permissions on both the Publisher and Subscriber, as well as a host of other machines on the network. We'd like to exercise the Principle of Least Privilege, so I'm looking for the minimum privileges necessary. Thanks in advance for the help!
UPDATE: Well, for now we've followed mrdenny's advice and gave the account Full Control and DBO access. I'd still be interested in the minimum privileges necessary. I can't imagine that we're the first people to need this…
Best Answer
I know I'm late to the party....
The Windows account under which the agent runs is used when it makes connections to the Subscriber. This account must at minimum be a member of the db_owner fixed database role in the subscription database.
The account that is used to connect to the Publisher and Distributor must: -Be a member of the PAL. -Be a login associated with a user in the publication database. -Be a login associated with a user in the distribution database. The user can be the Guest user. -Have read permissions on the snapshot share.
These are the minimums. See http://msdn.microsoft.com/en-us/library/ms151868.aspx