Commit edf4e7c

JamesFerebee authored and MashaMSFT committed
Revise Distribution Agent security model for pull subscription
Updated security requirements for Distribution Agent in pull subscription.
1 parent 0f27ed1 commit edf4e7c

1 file changed

Lines changed: 3 additions & 3 deletions

docs/relational-databases/replication/security/replication-agent-security-model.md

@@ -3,7 +3,7 @@ title: "Replication Agent Security Model"
33
description: In SQL Server, the replication agent security model allows for fine-grained control over the accounts under which replication agents run and make connections.
44
author: "MashaMSFT"
55
ms.author: "mathoma"
6-
ms.date: 09/25/2024
6+
ms.date: 10/01/2025
77
ms.service: sql
88
ms.subservice: replication
99
ms.topic: how-to
@@ -52,8 +52,8 @@ The replication agent security model is a little bit different for Azure SQL Man
5252
|-----------|-----------------|
5353
|Snapshot Agent|The Windows account under which the agent runs is used when it makes connections to the Distributor. This account must:<br /><br /> -At minimum, be a member of the **db_owner** fixed database role in the distribution database.<br /><br /> -Have read, write, and modify permissions on the snapshot share.<br /><br /> <br /><br /> Note that the account that is used to *connect* to the Publisher must at minimum be a member of the **db_owner** fixed database role in the publication database.|
5454
|Log Reader Agent|The Windows account under which the agent runs is used when it makes connections to the Distributor. This account must at minimum be a member of the **db_owner** fixed database role in the distribution database.<br /><br /> The account that is used to connect to the Publisher must at minimum be a member of the **db_owner** fixed database role in the publication database.<br /><br /> When selecting the **sync_type** options *replication support only*, *initialize with backup*, or *initialize from lsn*, the log reader agent must run after executing **sp_addsubscription**, so that the set-up scripts are written to the distribution database. The log reader agent must be running under an account that is a member of the **sysadmin** fixed server role. When the **sync_type** option is set to *Automatic*, no special log reader agent actions are required.|
55-
|Distribution Agent for a push subscription|The Windows account under which the agent runs is used when it makes connections to the Distributor. This account must:<br /><br /> -At minimum be a member of the **db_owner** fixed database role in the distribution database.<br /><br /> -Be a member of the PAL.<br /><br /> -Have read permissions on the snapshot share.<br /><br /> -Have read permissions on the installation directory of the OLE DB provider for the Subscriber if the subscription is for a non-SQL Server Subscriber.<br /><br /> -When replicating LOB data, the distribution agent must have write permissions on the replication **C:\Program Files\Microsoft SQL Server\XX\COMfolder** where XX represents the instanceID.<br /><br /> <br /><br /> Note that the account that is used to *connect* to the Subscriber must at minimum be a member of the **db_owner** fixed database role in the subscription database, or have equivalent permissions if the subscription is for a non-SQL Server Subscriber.<br /><br /> Also note that when using `-subscriptionstreams >= 2` on the distribution agent you must also grant the **View Server State** permission on the subscribers to detect deadlocks.|
56-
|Distribution Agent for a pull subscription|The Windows account under which the agent runs is used when it makes connections to the Subscriber. This account must at minimum be a member of the **db_owner** fixed database role in the subscription database. The account that is used to connect to the Distributor must:<br /><br /> -Be a member of the PAL.<br /><br /> -Have read permissions on the snapshot share.<br /><br /> -When replicating LOB data, the distribution agent must have write permissions on the replication **C:\Program Files\Microsoft SQL Server\XX\COMfolder** where XX represents the instanceID.<br /><br /> <br /><br /> Note that when using `-subscriptionstreams >= 2` on the distribution agent you must also grant the **View Server State** permission on the subscribers to detect deadlocks.|
55+
|Distribution Agent for a push subscription|The Windows account under which the agent runs is used when it makes connections to the Distributor. This account must:<br /><br /> -At minimum be a member of the **db_owner** fixed database role in the distribution database.<br /><br /> -Be a member of the PAL.<br /><br /> -Have read permissions on the snapshot share.<br /><br /> -Have read permissions on the installation directory of the OLE DB provider for the Subscriber if the subscription is for a non-SQL Server Subscriber.<br /><br /> -When replicating LOB data, the distribution agent must have write permissions on the replication **C:\Program Files\Microsoft SQL Server\XX\COM** folder where XX represents the instanceID.<br /><br /> <br /><br /> Note that the account that is used to *connect* to the Subscriber must at minimum be a member of the **db_owner** fixed database role in the subscription database, or have equivalent permissions if the subscription is for a non-SQL Server Subscriber.<br /><br /> Also note that when using `-subscriptionstreams >= 2` on the distribution agent you must also grant the **View Server State** permission on the subscribers to detect deadlocks.|
56+
|Distribution Agent for a pull subscription|The Windows account under which the agent runs is used when it makes connections to the Subscriber. This account must: <br /><br /> -At minimum be a member of the **db_owner** fixed database role in the subscription database. <br /><br /> The account that is used to connect to the Distributor must:<br /><br />-At minimum be a member of the **db_owner** fixed database role in the distribution database.<br /><br /> -Be a member of the PAL.<br /><br /> -Have read permissions on the snapshot share.<br /><br /> -When replicating LOB data, the distribution agent must have write permissions on the replication **C:\Program Files\Microsoft SQL Server\XX\COM** folder where XX represents the instanceID.<br /><br /> <br /><br /> Note that when using `-subscriptionstreams >= 2` on the distribution agent you must also grant the **View Server State** permission on the subscribers to detect deadlocks.|
5757
|Merge Agent for a push subscription|The Windows account under which the agent runs is used when it makes connections to the Publisher and Distributor. This account must:<br /><br /> -At minimum be a member of the **db_owner** fixed database role in the distribution database.<br /><br /> -Be a member of the PAL.<br /><br /> -Be a login that is associated with a user with read/write permissions in the publication database.<br /><br /> -Have read permissions on the snapshot share.<br /><br /> <br /><br /> Note that the account used to *connect* to the Subscriber must at minimum be a member of the **db_owner** fixed database role in the subscription database.|
5858
|Merge Agent for a pull subscription|The Windows account under which the agent runs is used when it makes connections to the Subscriber. This account must at minimum be a member of the **db_owner** fixed database role in the subscription database. The account that is used to connect to the Publisher and Distributor must:<br /><br /> -Be a member of the PAL.<br /><br /> -Be a login associated with a user with read/write permissions in the publication database.<br /><br /> -Be a login associated with a user in the distribution database. The user can be the **Guest** user.<br /><br /> -Have read permissions on the snapshot share.|
5959
|Queue Reader Agent|The Windows account under which the agent runs is used when it makes connections to the Distributor. This account must at minimum be a member of the **db_owner** fixed database role in the distribution database.<br /><br /> The account that is used to connect to the Publisher must at minimum be a member of the **db_owner** fixed database role in the publication database.<br /><br /> The account that is used to connect to the Subscriber must at minimum be a member of the **db_owner** fixed database role in the subscription database.|
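
Review bot: In the new pull-subscription row (56+), the account that connects to the Distributor is now required to be a member of **db_owner** in the distribution database on top of PAL membership, and neither the commit message nor the row says why. That is a privilege increase that administrators will copy into their grants, and the Merge Agent pull row at line 58 still asks only for a user in the distribution database that "can be the **Guest** user", so please confirm the requirement is real for the Distribution Agent and state the reason in the commit message or the row. Two smaller points: the new item is written `<br /><br />-At minimum be a member` without the space before the dash that the other items in the row use (`<br /><br /> -Be a member of the PAL.`), and the `COMfolder` to `COM** folder` fix in the push row (55) is not mentioned in a commit message that names only the pull subscription.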
