Permissions

For general requirements for permissions that must be provided to the user account to install and work with Veeam Backup & Replication, see the Permissions section in the Veeam Backup & Replication User Guide. In addition to general port requirements, for the Veeam Agent management scenarios the following permissions must be provided.

Keep in mind that the list of required permissions differs depending on the functionality that you use. Make sure that user accounts have permissions listed in the following subsections:

NOTE

If you plan to back up data using a direct connection between the Veeam Agent computer and object storage, consider the access permissions in Access Permissions for Direct Connection to Object Storage.

Permissions for Backup of Cloud Machines

The list of permissions differs depending on the type of the cloud machines you plan to back up:

Microsoft Azure Virtual Machines

If you want to back up Microsoft Azure virtual machines, the Microsoft Azure Compute Account that you use must have the following permissions:

{
  "actions": [
    "Microsoft.Compute/virtualMachines/instanceView/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/runCommand/action",
    "Microsoft.Resources/subscriptions/locations/read",
    "Microsoft.Storage/storageAccounts/read"
  ],
  "notActions": [],
  "dataActions": [],
  "notDataActions": []
}

The permissions are assigned in the following ways:

To learn more, see the Microsoft Azure Compute Accounts section in the Veeam Backup & Replication User Guide.

Amazon EC2 Instances

If you want to back up Amazon EC2 instances, make sure the user account that you use has the following permissions:

{
 "ec2:AssociateIamInstanceProfile",
 "ec2:DescribeIamInstanceProfileAssociations",
 "ec2:DescribeInstances",
 "iam:AddRoleToInstanceProfile",
 "iam:AttachRolePolicy",
 "iam:CreateInstanceProfile",
 "iam:CreateRole",
 "iam:GetRole",
 "iam:PassRole",
 "iam:SimulatePrincipalPolicy",
 "sqs:*",
 "ssm:DescribeInstanceInformation",
 "ssm:GetCommandInvocation",
 "ssm:SendCommand",
 "ssm:UpdateManagedInstanceRole"
}
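
One way to check a candidate IAM policy against the Amazon EC2 list above before assigning it to the account, shown as an added example that is not Veeam code. The policy document is a constructed sample, and the evaluation is simplified: it ignores Resource, Condition, NotAction and permission boundaries. The same function works for the Amazon S3 lists on this page if you pass a different required list.

```python
import json
from fnmatch import fnmatchcase

# Required actions, copied from the Amazon EC2 Instances list on this page.
REQUIRED_EC2 = """
ec2:AssociateIamInstanceProfile ec2:DescribeIamInstanceProfileAssociations
ec2:DescribeInstances iam:AddRoleToInstanceProfile iam:AttachRolePolicy
iam:CreateInstanceProfile iam:CreateRole iam:GetRole iam:PassRole
iam:SimulatePrincipalPolicy sqs:* ssm:DescribeInstanceInformation
ssm:GetCommandInvocation ssm:SendCommand ssm:UpdateManagedInstanceRole
""".split()

# Constructed sample policy (an assumption for illustration, not a Veeam policy).
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*", "Action": [
     "ec2:Describe*", "ec2:AssociateIamInstanceProfile", "iam:*", "ssm:*",
     "sqs:SendMessage", "s3:GetObject"]},
  {"Effect": "Deny", "Resource": "*", "Action": "iam:PassRole"}
]}
""")

def _as_list(value):
    """IAM allows a single string or object where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM action names are case-insensitive; '*' and '?' are wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())

def audit(policy, required):
    """Return (missing, excess): required actions not effectively allowed,
    and Allow entries that grant more than the required list asks for."""
    allow, deny = [], []
    for stmt in _as_list(policy.get("Statement")):
        bucket = allow if stmt.get("Effect") == "Allow" else deny
        bucket.extend(_as_list(stmt.get("Action")))
    missing = [r for r in required
               if not any(_matches(a, r) for a in allow)
               # an explicit Deny overrides any Allow, even a partial overlap
               or any(_matches(d, r) or _matches(r, d) for d in deny)]
    excess = [a for a in allow if not any(_matches(r, a) for r in required)]
    return missing, excess

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_POLICY, REQUIRED_EC2)
    print("missing:", missing)
    print("broader than required:", excess)
```

Entries reported as broader than required, such as `iam:*` in the sample, are the ones to narrow to the listed actions.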

Permissions for Backup to Object Storage

The general permissions for backup to object storage are listed in the Using Object Storage Repositories section in the Veeam Backup & Replication User Guide. Additional permissions are required for object storage in the Veeam Agent management infrastructure. The list of additional permissions differs depending on the selected object storage and the way you set your backup infrastructure:

Amazon S3

Consider the following:

Make sure that your infrastructure configuration fits the following description:

  • You plan to back up data to the Amazon S3 storage.
  • You selected direct connection in the object storage settings. To learn more, see the Adding Amazon S3 Object Storage section in the Veeam Backup & Replication User Guide.

If you plan to back up data using such infrastructure configuration, make sure the user account that you use to connect to the object storage has the following permissions:

{
 "iam:AttachUserPolicy",
 "iam:CreateAccessKey",
 "iam:CreatePolicy",
 "iam:CreatePolicyVersion",
 "iam:CreateUser",
 "iam:DeleteAccessKey",
 "iam:DeletePolicy",
 "iam:DeletePolicyVersion",
 "iam:DeleteUser",
 "iam:DeleteUserPolicy",
 "iam:DetachUserPolicy",
 "iam:GetPolicy",
 "iam:GetPolicyVersion",
 "iam:GetUser",
 "iam:GetUserPolicy",
 "iam:ListAccessKeys",
 "iam:ListAttachedUserPolicies",
 "iam:ListPolicyVersions",
 "iam:ListUserPolicies",
 "iam:PutUserPolicy",
 "iam:SetDefaultPolicyVersion",
 "iam:TagUser"
}

S3 Compatible (Including IBM Cloud, Wasabi Cloud)

Consider the following:

Make sure that your infrastructure configuration fits the following description:

  • You plan to back up data to the S3 compatible storage.
  • Direct connection is selected in the object storage settings. To learn more, see the Specify Object Storage Account section in the Veeam Backup & Replication User Guide.

If you plan to back up data using such infrastructure configuration, make sure the user account that you use to connect to the object storage has the following permissions:

{
 "iam:AttachUserPolicy",
 "iam:CreateAccessKey",
 "iam:CreatePolicy",
 "iam:CreatePolicyVersion",
 "iam:CreateUser",
 "iam:DeleteAccessKey",
 "iam:DeletePolicy",
 "iam:DeletePolicyVersion",
 "iam:DeleteUser",
 "iam:DeleteUserPolicy",
 "iam:DetachUserPolicy",
 "iam:GetPolicy",
 "iam:GetPolicyVersion",
 "iam:GetUser",
 "iam:GetUserPolicy",
 "iam:ListAccessKeys",
 "iam:ListAttachedUserPolicies",
 "iam:ListPolicyVersions",
 "iam:ListUserPolicies",
 "iam:PutUserPolicy",
 "iam:SetDefaultPolicyVersion"
}

Google Cloud Storage

Make sure that your infrastructure configuration fits the following description:

If you plan to back up data using such infrastructure configuration, make sure the user account that you specify in the Helper Appliance settings has the following permissions:

{
 "iam.serviceAccounts.create",
 "iam.serviceAccounts.delete",
 "iam.serviceAccounts.get",
 "iam.serviceAccounts.list",
 "storage.buckets.get",
 "storage.buckets.getIamPolicy",
 "storage.buckets.list",
 "storage.buckets.setIamPolicy",
 "storage.buckets.update",
 "storage.hmacKeys.create",
 "storage.hmacKeys.delete",
 "storage.hmacKeys.get",
 "storage.hmacKeys.list",
 "storage.objects.create",
 "storage.objects.delete",
 "storage.objects.get",
 "storage.objects.list"
}

Permissions for Guest Processing

To use guest processing, make sure to configure user accounts according to the following requirements.

Consider the following general requirements when choosing a user account:

Depending on the application you need to back up, the user must have the permissions listed in the following table:

Application

Required Permission

Microsoft SQL Server

To back up Microsoft SQL Server data, the user whose account you plan to use must be:

  • Local Administrator on the Veeam Agent computer.
  • System administrator (has the Sysadmin role) on the target Microsoft SQL Server.

If you need to provide minimal permissions, the user account must be assigned the following roles and permissions:

  • SQL Server instance-level role: public and dbcreator.
  • Database-level roles and roles for the model system database: db_backupoperator, db_denydatareader, public;
    for the master system database — db_backupoperator, db_datareader, public;
    for the msdb system database — db_backupoperator, db_datareader, public, db_datawriter.
  • Securables: view any definition, view server state, connect SQL.

Microsoft Active Directory

To back up Microsoft Active Directory data, the user account must be a member of the built-in Administrators group.

Microsoft Exchange

To back up Microsoft Exchange data, the user account must have the local Administrator permissions in Microsoft Exchange.

Oracle

On Microsoft Windows computers

To back up Oracle data on a Microsoft Windows computer, the user account must be configured as follows:

  • The user account must be a member of both the Local Administrators group and the ORA_DBA group (if OS authentication is used).
  • The user account must be granted SYSDBA privileges.

On Linux computers

To back up Oracle data on a Linux computer, the user account must be configured as follows:

  • The user account must be granted SYSDBA privileges.
  • To back up Oracle database archived logs, the user account must have primary membership in the Oracle Inventory Group (oinstall). To learn how to configure the Oracle Inventory Group, see Oracle documentation.

Also, consider the following about backup of Oracle data on a Linux computer:

  • You can use either the same account that was specified at the Guest Processing step if such an account is a member of the OSDBA and OINSTALL groups, or you can use any other account that has SYSDBA privileges. For more information about specifying a user account, see Application-Aware Processing.
  • To perform guest processing for Oracle databases on Linux servers, make sure that the /tmp directory is mounted with the exec option. Otherwise, you will get a "Permission denied" error.
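
A pre-flight check for the /tmp requirement above, shown as an added example that is not part of Veeam Agent. It reads mount data in /proc/mounts format and finds the file system that actually holds /tmp, which is the root file system when /tmp is not a separate mount; hardened baselines often set noexec on /tmp, which is the case this check detects. The sample mount table is constructed.

```python
import os

# Constructed sample in /proc/mounts format (assumption, for illustration).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /u01 xfs rw,relatime 0 0
"""

def mount_options_for(path, mounts_text):
    """Return (mount_point, options) of the file system that holds `path`."""
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts escapes spaces in mount points as \040
        mount_point = fields[1].replace("\\040", " ")
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or (path + "/").startswith(prefix):
            # Longest mount point wins; on a tie the later line is the
            # mount stacked on top, so it replaces the earlier one.
            if best is None or len(mount_point) >= len(best[0]):
                best = (mount_point, set(fields[3].split(",")))
    return best

def tmp_allows_exec(mounts_text, path="/tmp"):
    """True when the file system holding `path` is not mounted noexec."""
    found = mount_options_for(path, mounts_text)
    return found is not None and "noexec" not in found[1]

if __name__ == "__main__":
    # Use the live mount table on Linux, otherwise the constructed sample.
    if os.path.exists("/proc/mounts"):
        with open("/proc/mounts") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MOUNTS
    mount_point, options = mount_options_for("/tmp", text)
    state = "exec allowed" if tmp_allows_exec(text) else "noexec set"
    print(f"/tmp is on {mount_point}: {state} ({','.join(sorted(options))})")
```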

Microsoft SharePoint

To back up Microsoft SharePoint server, the user account must have the Farm Administrator role.

To back up Microsoft SQL databases of the Microsoft SharePoint Server, the user account must have the same privileges as for the Microsoft SQL Server.

MySQL

To process the MySQL database system, the MySQL user account must have the following privileges:

  • SELECT for all tables. This privilege is required to allow Veeam Agent to access table metadata. To learn more, see MySQL documentation.
  • LOCK TABLES. This privilege is required to allow Veeam Agent to process tables based on the MyISAM storage engine.
  • RELOAD. This privilege is required to allow the MySQL account to perform FLUSH operations.

PostgreSQL

To back up PostgreSQL instances, the user account must have the superuser privileges for the PostgreSQL instance. For more information, see PostgreSQL documentation.