Create a SQL Server Agent proxy

Applies to: SQL Server

This topic describes how to create a SQL Server Agent proxy in SQL Server by using SQL Server Management Studio or Transact-SQL.

A SQL Server Agent proxy account defines a security context in which a job step can run. Each proxy corresponds to a security credential. To set permissions for a particular job step, create a proxy that has the required permissions for a SQL Server Agent subsystem, and then assign that proxy to the job step.

On Azure SQL Managed Instance, most, but not all SQL Server Agent features are currently supported. See Azure SQL Managed Instance T-SQL differences from SQL Server or SQL Agent job limitations in SQL Managed Instance for details.

Before You Begin

Limitations and Restrictions

  • You must create a credential before you create a proxy if one is not already available.

  • SQL Server Agent proxies use credentials to store information about Windows user accounts. The user specified in the credential must have "Access this computer from the network" permission (SeNetworkLogonRight) on the computer on which SQL Server is running.

  • SQL Server Agent checks subsystem access for a proxy and gives access to the proxy each time the job step runs. If the proxy no longer has access to the subsystem, the job step fails. Otherwise, SQL Server Agent impersonates the user that is specified in the proxy and runs the job step. For a list of proxy subsystems, see sp_grant_proxy_to_subsystem.

  • Creation of a proxy does not change the permissions for the user that is specified in the credential for the proxy. For example, you can create a proxy for a user that does not have permission to connect to an instance of SQL Server. In this case, job steps that use that proxy are unable to connect to SQL Server.

  • If the login for the user has access to the proxy, or the user belongs to any role with access to the proxy, the user can use the proxy in a job step.

Security

Permissions

  • Only members of the sysadmin fixed server role have permission to create, modify, or delete proxy accounts. Users who are not members of the sysadmin fixed server role must be added to one of the following SQL Server Agent fixed database roles in the msdb database to use proxies: SQLAgentUserRole, SQLAgentReaderRole, or SQLAgentOperatorRole.

  • Requires ALTER ANY CREDENTIAL permission if creating a credential in addition to the proxy.

Use SQL Server Management Studio (SSMS)

To create a SQL Server Agent proxy

  1. In Object Explorer, select the plus sign to expand the server where you want to create a proxy on SQL Server Agent.

  2. Select the plus sign to expand SQL Server Agent.

  3. Right-click the Proxies folder and select New Proxy.

  4. On the New Proxy Account dialog box, on the General page, enter the name of the proxy account in the Proxy name box.

  5. In the Credential name box, enter the name of the security credential that the proxy account will use.

  6. In the Description box, enter a description for the proxy account

  7. Under Active to the following subsystems, select the appropriate subsystem or subsystems for this proxy.

  8. On the Principals page, add or remove logins or roles to grant or remove access to the proxy account.

  9. When finished, select OK.

Use Transact-SQL

To create a SQL Server Agent proxy

  1. In Object Explorer, connect to an instance of Database Engine.

  2. On the Standard bar, select New Query.

  3. The following script creates a credential called CatalogApplicationCredential, creates proxy Catalog application proxy and assigns the credential CatalogApplicationCredential to it, and grants the proxy access to the ActiveX Scripting subsystem. Copy and paste the following example into the query window and select Execute.

    -- creates credential CatalogApplicationCredential  
    USE msdb ;  
    GO  
    CREATE CREDENTIAL CatalogApplicationCredential WITH IDENTITY = 'REDMOND/TestUser',   
        SECRET = 'G3$1o)lkJ8HNd!';  
    GO  
    -- creates proxy "Catalog application proxy" and assigns
    -- the credential 'CatalogApplicationCredential' to it.  
    EXEC dbo.sp_add_proxy  
        @proxy_name = 'Catalog application proxy',  
        @enabled = 1,  
        @description = 'Maintenance tasks on catalog application.',  
        @credential_name = 'CatalogApplicationCredential' ;  
    GO  
    -- grants the proxy "Catalog application proxy" access to 
    -- the ActiveX Scripting subsystem.  
    EXEC dbo.sp_grant_proxy_to_subsystem  
        @proxy_name = N'Catalog application proxy',  
        @subsystem_id = 2 ;  
    GO  
    

Next steps