
I am trying to clone a SQL database from a managed instance to another managed instance. And I am using Point In Time Restore to do so. The identity used to perform this action has "Reader" role for the instance of source database and "Contributor" role for the instance of the target database.

However, I am getting the following error:

The client {...} with object id {...} has permission to perform action 'Microsoft.Sql/managedInstances/databases/write' on scope {target instance} however, it does not have permission to perform action 'Microsoft.Sql/managedInstances/databases/write' on the linked scope(s) {source instance} or the linked scope(s) are invalid.

Why would it need write permission on the source instance?

John L.

1 Answer


This is by design. Higher level permissions are required to prevent data exfiltration. Typically, R/O permission is considered a very low level, given for reporting, etc., whereas R/W permissions are given to more carefully selected individuals. Therefore, this is to prevent someone with super-low permissions from being able to copy an entire database over. This is a typical design pattern for all data movement operations, to require higher permissions on the source, implicitly requiring more trust in such a user. Hope this clarifies it.

Oury-MSFT
Thanks for the clarification but I totally disagree with the reasoning. This forces admins to grant write permission on the source for just a restore operation and this is much more dangerous I think. I hope MS will reconsider this. – John L. Mar 01 '22 at 21:42
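The permission check behind the error, as an added example (not code from the Q&A thread or from Azure): a small model of Azure RBAC evaluation (wildcard action patterns, scope inheritance) applied to the two scopes named in the error message. The role definitions are simplified, constructed versions of the built-in Reader and Contributor roles; the subscription id, resource names, principal id and the custom role `PitrSourceRestore` are constructed placeholders, not real identifiers.

```python
"""Model of why a cross-instance Point In Time Restore fails with Reader on
the source: the databases/write action is evaluated on the target scope and
on the linked source scope, and Reader only grants */read.

All role definitions, scopes and ids below are constructed for the example.
"""
from fnmatch import fnmatchcase

# Simplified built-in roles (constructed; real definitions also carry NotActions).
# The custom role is a hypothetical least-privilege alternative to granting
# Contributor on the whole source instance.
ROLE_ACTIONS = {
    "Reader": ["*/read"],
    "Contributor": ["*"],
    "PitrSourceRestore": [  # hypothetical custom role, constructed
        "Microsoft.Sql/managedInstances/databases/read",
        "Microsoft.Sql/managedInstances/databases/write",
    ],
}

DB_WRITE = "Microsoft.Sql/managedInstances/databases/write"


def action_allowed(granted_patterns, action):
    """RBAC 'Actions' entries are case-insensitive wildcard patterns; '*' spans '/'."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in granted_patterns)


def scope_covers(assignment_scope, resource_scope):
    """A role assignment applies to its own scope and every child scope beneath it."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def has_permission(assignments, principal_id, action, scope):
    """True if any assignment for the principal covers the scope and allows the action."""
    return any(
        asg["principal"] == principal_id
        and scope_covers(asg["scope"], scope)
        and action_allowed(ROLE_ACTIONS[asg["role"]], action)
        for asg in assignments
    )


def check_cross_instance_restore(assignments, principal_id, source_scope, target_scope):
    """Return (ok, missing_scopes): the write action must hold on the target
    scope AND on the linked source scope, as the error in the question states."""
    missing = [s for s in (target_scope, source_scope)
               if not has_permission(assignments, principal_id, DB_WRITE, s)]
    return (not missing, missing)


# Constructed placeholders for the scopes and identity in the question.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SOURCE_MI = SUB + "/resourceGroups/rg-src/providers/Microsoft.Sql/managedInstances/mi-src"
TARGET_MI = SUB + "/resourceGroups/rg-dst/providers/Microsoft.Sql/managedInstances/mi-dst"
PRINCIPAL = "11111111-1111-1111-1111-111111111111"

# The assignments described in the question: Reader on source, Contributor on target.
ASSIGNMENTS_FROM_QUESTION = [
    {"principal": PRINCIPAL, "role": "Reader", "scope": SOURCE_MI},
    {"principal": PRINCIPAL, "role": "Contributor", "scope": TARGET_MI},
]

# A narrower fix than Contributor on the source: the hypothetical custom role,
# scoped to the source instance only, carrying just the actions the check needs.
ASSIGNMENTS_LEAST_PRIVILEGE = ASSIGNMENTS_FROM_QUESTION + [
    {"principal": PRINCIPAL, "role": "PitrSourceRestore", "scope": SOURCE_MI},
]

if __name__ == "__main__":
    print(check_cross_instance_restore(ASSIGNMENTS_FROM_QUESTION, PRINCIPAL, SOURCE_MI, TARGET_MI))
    print(check_cross_instance_restore(ASSIGNMENTS_LEAST_PRIVILEGE, PRINCIPAL, SOURCE_MI, TARGET_MI))
```

The first call reproduces the situation in the question (write missing on the source scope); the second shows that a custom role carrying only the database read/write actions on the source satisfies the same check without granting Contributor over the whole source instance, which is the smaller blast radius an admin would prefer.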