This is an archive version of the document. To get the most up-to-date information, see the current version.

Required Permissions

In this article

    The accounts used for installing and using Veeam Backup & Replication must have the following permissions:

    Account

    Required Permission

    Setup Account

    The account used for product installation must have the Local Administrator permissions on the target machine.

    Veeam Backup & Replication console permissions

    The account used to start the Veeam Backup & Replication console must have the Local Administrator permissions on the machine where the console is installed.

    To perform file-level restore for Microsoft Windows VMs, the account used to start the Veeam Backup & Replication console must have SeBackupPrivilege and SeRestorePrivilege privileges. In most environments, these privileges are assigned to user accounts added to Local Administrators group. For more information, see https://msdn.microsoft.com/en-us/library/windows/desktop/bb530716(v=vs.85).aspx.

    Veeam Backup Service Account

    The account used to run the Veeam Backup Service must be a Local System account or must have the Local Administrator permissions on the backup server.

    Target/Source Host Permissions

    Root permissions on the source ESX(i) host.

    Root or equivalent permissions on the Linux backup repository.

    Write permission on the target folder and share.

    If VMware vCenter Server is added to the backup infrastructure, an account that has administrator permissions is required. Instead of granting administrator permissions to the account, you can configure more granular permissions. For more information, see the Required Permissions document.

    Microsoft SQL Server

    The account used to run Veeam Backup Service requires db_datareader and db_datawriter roles as well as permissions to execute stored procedures for the configuration database on the Microsoft SQL Server. Alternatively, you can assign db_owner role for this database to the service account.

    The account used to run Veeam Backup Enterprise Manager Service requires db_datareader and db_datawriter roles as well as permissions to execute stored procedures for the Veeam Backup Enterprise Manager configuration database on the Microsoft SQL Server. Alternatively, you can assign db_owner role for this database to the service account.

    Veeam Backup Enterprise Manager

    Local Administrator permissions on the Veeam Backup Enterprise Manager server to install Veeam Backup Enterprise Manager.

    To be able to work with Veeam Backup Enterprise Manager, users must be assigned the Portal Administrator, Restore Operator or Portal User role.

    Veeam Backup Search

    Local Administrator permissions on the Microsoft Search Server to install Veeam Backup Search.

    Veeam Explorer for Microsoft Active Directory

    See https://helpcenter.veeam.com/backup/explorers/vead_permissions.html.

    Veeam Explorer for Microsoft Exchange

    Full access to Microsoft Exchange database and its log files for item recovery. The account that you plan to use for recovery must have both read and write permissions to all files in the folder with the database.

    Access rights can be provided through impersonation, as described in the Configuring Exchange Impersonation article.

    Veeam Explorer for Oracle

    See https://helpcenter.veeam.com/backup/explorers/veo_permissions.html.

    Veeam Explorer for Microsoft SharePoint

    The account used for work with Veeam Explorer for SharePoint requires membership in the sysadmin fixed server role on the staging Microsoft SQL Server.

    The account used for connection with target SharePoint server where document item(s)/list will be restored needs the following:

    • If permissions of the restored item are inherited from the parent item (list) — Full Control for that list is required.
    • If permissions are not inherited, and restored item will replace an existing item — Contribute for the item and Full Control for its parent list are required.

    Transaction logs backup (Microsoft SQL Server)

    The user account that you specify for guest processing of the Microsoft SQL Server VM in the backup job must have the sysadmin fixed role assigned on this Microsoft SQL Server. This is the recommended setting; however, if you need to provide minimal permissions to the account performing the backup operation, you can assign the following roles and permissions:

    • SQL Server instance-level roles: dbcreator and public
    • Database-level roles: db_backupoperator, db_denydatareaderpublic; for system databases (master, model, msdb) — db_backupoperatordb_datareaderpublic
    • Securables: view any definition, view server state