When planning for user accounts for installing/upgrading and using Veeam Backup Enterprise Manager and its components, make sure the following permissions are set.
Veeam Backup Enterprise Manager
Account used to run the setup
To install Enterprise Manager, current account (the account under which you run the setup) should have Local Administrator permissions on the Veeam Backup Enterprise Manager server.
To create a new Enterprise Manager database during the setup, current account needs CREATE ANY DATABASE permission on the SQL server level. After database creation this account automatically gets a db_owner role and can perform all operations with the database.
Note: If the database is created in advance (by a database administrator or SQL server administrator), the setup account should have a db_owner role for it.
To upgrade an existing Enterprise Manager database, current account should have sufficient permissions for that database. To grant these permissions through role assignment, it is recommended that you use the account with db_owner role.
Veeam Backup Enterprise Manager service account
It is recommended to use the Local System account as the Veeam Backup Enterprise Manager Service account. Alternatively, if you set another account to run this service, make sure it meets the requirements listed below.
Local Administrator rights for the Veeam Backup Enterprise Manager server. (The Log on as service right will be automatically granted to user account you specify.)
Db_datareader and db_datawriter roles, as well as permissions to execute stored procedures for the Enterprise Manager database on the Microsoft SQL Server. Alternatively, you can assign this account the db_owner role for the Enterprise Manager database.
Full Control NTFS permissions for the VBRCatalog or other folder where index files are stored.
If you plan to add Active Directory user or group accounts to the list of Veeam Backup Enterprise Manager roles, the Veeam Backup Enterprise Manager service must be started under the Active Directory service account that has enough permissions to enumerate Active Directory domains. Otherwise (if the local machine account is used), you will get the "Cannot find user account DOMAIN\username" error.
Note: By default, Active Directory users have enough permissions to enumerate Active Directory domains.
Enterprise Manager user
To be able to work with Veeam Backup Enterprise Manager web UI, users should be assigned the Portal Administrator, Portal User or Restore Operator role (see Configuring Security Settings section of this guide).
vSphere Web Client Plug-in for Veeam Backup & Replication (optional)
Account used to install the plug-in must have sufficient access rights for vCenter server (must belong to the same domain in case of cross-domain access):
Extension > Register extension - to install the plug-in
Extension > Unregister extension - to uninstall the plug-in
Veeam Backup Search Server (optional, used for compatibility with legacy deployments)
Local Administrator permissions on the Veeam Backup Search Server console to install Microsoft Search Server and the Veeam Backup Search component.