Permissions

For general requirements for permissions that must be provided to the user account to install and work with Veeam Backup & Replication, see the Permissions section in the Veeam Backup & Replication User Guide. In addition to general port requirements, for the Veeam Agent management scenarios the following permissions must be provided .

Keep in mind that the list of required permissions differs depending on the functionality that you use. Make sure that user accounts have permissions listed in the following subsections:

Permissions for Backup of Cloud Machines
Permissions for Backup to Object Storage
Permissions for Guest Processing

NOTE

If you plan to back up data using a direct connection between the Veeam Agent computer and object storage, consider the access permissions in Access Permissions for Direct Connection to Object Storage.

Permissions for Backup of Cloud Machines

The list of permissions differs depending on the type of the cloud machines you plan to back up:

Microsoft Azure virtual machines
Amazon EC2 instances

Microsoft Azure Virtual Machines

If you want to back up Microsoft Azure virtual machines, a Microsoft Azure Compute Account that you use must have the following permissions:

{
"actions": [
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Resources/subscriptions/locations/read",
"Microsoft.Compute/virtualMachines/runCommand/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}

The permissions are assigned in the following ways:

If you use an existing Microsoft Azure Compute Account, make sure to assign the required permissions.
If you create a new Microsoft Azure Compute Account with Veeam Backup & Replication, the required permissions are assigned to the newly created account automatically.

To learn more, see the Microsoft Azure Compute Accounts section in the Veeam Backup & Replication User Guide.

Amazon EC2 Instances

If you want to back up Amazon EC2 instances, make sure the user account that you use has the following permissions:

{
"ssm:SendCommand",
"ssm:DescribeInstanceInformation",
"ssm:UpdateManagedInstanceRole",
"ssm:GetCommandInvocation",
"iam:GetRole",
"iam:PassRole",
"iam:AddRoleToInstanceProfile",
"iam:CreateRole",
"iam:CreateInstanceProfile",
"iam:AttachRolePolicy",
"iam:SimulatePrincipalPolicy",
"ec2:DescribeInstances",
"ec2:AssociateIamInstanceProfile",
"ec2:DescribeIamInstanceProfileAssociations",
"sqs:*"
}

Permissions for Backup to Object Storage

The general permissions for backup to object storage are listed in the Using Object Storage Repositories section in the Veeam Backup & Replication User Guide. Additional permissions are required for object storage in the Veeam Agent management infrastructure. The list of additional permissions differs depending on the selected object storage and the way you set your backup infrastructure:

Amazon S3
S3 compatible (including IBM Cloud and Wasabi Cloud)
Google Cloud Storage

Amazon S3

Consider the following:

Make sure the user account you are using has access to Amazon buckets and folders.
The ListAllMyBuckets permission is not required if you specify the bucket name explicitly at the Bucket step of the New Object Repository wizard.
If you plan to use Amazon S3 storage with immutability enabled, see permissions required for immutability in the Using Object Storage Repositories section in the Veeam Backup & Replication User Guide. To learn more about immutability, see Backup Immutability.

Make sure that your infrastructure configuration fits the following description:

You plan to back up data to the Amazon S3 storage.
You selected direct connection in the object storage settings. To learn more, see the Adding Amazon S3 Object Storage section in the Veeam Backup & Replication User Guide.

If you plan to back up data using such infrastructure configuration, make sure the user account that you use to connect to the object storage has the following permissions:

{
"iam:GetPolicyVersion",
"iam:DeleteAccessKey",
"iam:GetPolicy",
"iam:AttachUserPolicy",
"iam:DeleteUserPolicy",
"iam:DeletePolicy",
"iam:DeleteUser",
"iam:ListUserPolicies",
"iam:CreateUser",
"iam:TagUser",
"iam:CreateAccessKey",
"iam:CreatePolicy",
"iam:ListPolicyVersions",
"iam:GetUserPolicy",
"iam:PutUserPolicy",
"iam:ListAttachedUserPolicies",
"iam:GetUser",
"iam:CreatePolicyVersion",
"iam:DetachUserPolicy",
"iam:DeletePolicyVersion",
"iam:ListAccessKeys",
"iam:SetDefaultPolicyVersion"
}

S3 Compatible (Including IBM Cloud, Wasabi Cloud)

Consider the following:

Make sure the user account you are using has access to Amazon buckets and folders.
The ListAllMyBuckets permission is not required if you specify the bucket name explicitly at the Bucket step of the New Object Repository wizard.
If you plan to use Amazon S3 storage with immutability enabled, see permissions required for immutability in the Using Object Storage Repositories section in the Veeam Backup & Replication User Guide. To learn more about immutability, see Backup Immutability.

Make sure that your infrastructure configuration fits the following description:

You plan to back up data to the S3 compatible storage.
Direct connection is selected in the object storage settings. To learn more, see the Specify Object Storage Account section in the Veeam Backup & Replication User Guide.

The Provided by IAM/STS object storage capabilities option is selected for the object storage. To learn more, see the Managing Permissions for S3 Compatible Object Storage section in the Veeam Backup & Replication User Guide.

If you plan to back up data using such infrastructure configuration, make sure the user account that you use to connect to the object storage has the following permissions:

{
"iam:GetPolicyVersion",
"iam:DeleteAccessKey",
"iam:GetPolicy",
"iam:AttachUserPolicy",
"iam:DeleteUserPolicy",
"iam:DeletePolicy",
"iam:DeleteUser",
"iam:ListUserPolicies",
"iam:CreateUser",
"iam:CreateAccessKey",
"iam:CreatePolicy",
"iam:ListPolicyVersions",
"iam:GetUserPolicy",
"iam:PutUserPolicy",
"iam:ListAttachedUserPolicies",
"iam:GetUser",
"iam:CreatePolicyVersion",
"iam:DetachUserPolicy",
"iam:DeletePolicyVersion",
"iam:ListAccessKeys",
"iam:SetDefaultPolicyVersion"
}

Google Cloud Storage

Make sure that your infrastructure configuration fits the following description:

You plan to back up data to the Google Cloud storage.
You configured Helper Appliance in the object storage settings. To learn more, see the Configuring Helper Appliance section in the Veeam Backup & Replication User Guide.
You selected direct connection in the object storage settings. To learn more, see the Specify Object Storage Account section in the Veeam Backup & Replication User Guide.

If you plan to back up data using such infrastructure configuration, make sure the user account that you specify in the Helper Appliance settings has the following permissions:

{
"iam.serviceAccounts.create",
"iam.serviceAccounts.delete",
"iam.serviceAccounts.get",
"storage.buckets.get",
"storage.buckets.getIamPolicy",
"storage.buckets.list",
"storage.buckets.setIamPolicy",
"storage.hmacKeys.create",
"storage.objects.create",
"storage.objects.delete",
"storage.objects.get",
"storage.objects.list",
"iam.serviceAccounts.list",
"storage.buckets.update",
"storage.hmacKeys.delete",
"storage.hmacKeys.list"
}

Permissions for Guest Processing

To use guest processing, make sure to configure user accounts according to the following requirements.

Consider the following general requirements when choosing a user account:

For Linux computers, choose a user account with root privileges and with the home directory created.
If you plan to perform file indexing for Microsoft Windows computers, choose a user account that has administrator privileges.
If you plan to use guest processing over network for Microsoft Windows computers without listed applications, choose a user account that has administrator privileges.
When using Active Directory accounts, make sure to provide a user account in the DOMAIN\Username format.
When using local user accounts, make sure to provide a user account in the Username or HOST\Username format.
To process a Domain Controller server, make sure that you are using a user account that is a member of the DOMAIN\Administrators group.
To back up a Read-Only Domain controller, a delegated RODC administrator account is sufficient. For more information, see Microsoft Docs.

Depending on the application you need to back up, the user must have the permissions listed in the following table:

Application	Required Permission
Microsoft SQL Server	To back up Microsoft SQL Server data, the user whose account you plan to use must be: Local Administrator on the Veeam Agent computer. System administrator (has the Sysadmin role) on the target Microsoft SQL Server. If you need to provide minimal permissions, the user account must be assigned the following roles and permissions: SQL Server instance-level role: public and dbcreator. Database-level roles and roles for the model system database: db_backupoperator, db_denydatareader, public; for the master system database — db_backupoperator, db_datareader, public; for the msdb system database — db_backupoperator, db_datareader, public, db_datawriter. Securables: view any definition, view server state, connect SQL.
Microsoft Active Directory	To back up Microsoft Active Directory data, the user account must be a member of the built-in Administrators group.
Microsoft Exchange	To back up Microsoft Exchange data, the user account must have the local Administrator permissions in Microsoft Exchange.
Oracle	On Microsoft Windows computers To back up Oracle data on a Microsoft Windows computer, the user account must be configured as follows: The user account must be a member of both the Local Administrators group and the ORA_DBA group (if OS authentication is used). The user account must be granted SYSDBA privileges.
Oracle	On Linux computers To back up Oracle data on a Linux computer, the user account must be configured as follows: The user account must be granted SYSDBA privileges. To back up Oracle database archived logs, the user account must have the primary membership in the Oracle Inventory Group (oinstall) group. To learn how to configure the Oracle Inventory Group, see Oracle documentation. Also, consider the following about backup of Oracle data on a Linux computer: You can use either the same account that was specified at the Guest Processing step if such an account is a member of the OSDBA and OINSTALL groups, or you can use any other account that has SYSDBA privileges. For more information about specifying a user account, see Application-Aware Processing. To perform guest processing for Oracle databases on Linux servers, make sure that the /tmp directory is mounted with the exec option. Otherwise, you will get a "Permission denied" error.
Microsoft SharePoint	To back up Microsoft SharePoint server, the user account must have the Farm Administrator role. To back up Microsoft SQL databases of the Microsoft SharePoint Server, the user account must have the same privileges as for the Microsoft SQL Server.
MySQL	To process the MySQL database system, the MySQL user account must have the following privileges: SELECT for all tables. This privilege is required to allow Veeam Agent to access table metadata. To learn more, see MySQL documentation. LOCK TABLES. This privilege is required to allow Veeam Agent to process tables based on the MyISAM storage engine. RELOAD. This privilege is required to allow the MySQL account to perform FLUSH operations.
PostgreSQL	To back up PostgreSQL instances, the user account must have the superuser privileges for the PostgreSQL instance. For more information, see PostgreSQL documentation.