The following rights and permissions are required:
- The user account that you specify for guest processing of the Microsoft SQL Server VM in the backup job should have the sysadmin fixed role assigned on that SQL Server (see the "Creating Backup Jobs>Specify Guest Processing Settings" section of the Veeam Backup & Replication User Guide for details on job configuration). This is the recommended setting; however, if you need to provide minimal permissions to the account performing backup operation, you can assign the following:
- SQL Server instance-level roles: dbcreator and public
- Database-level roles: db_backupoperator, db_denydatareader, public; for system databases:
- master - db_backupoperator, db_datareader, public;
- msdb - db_backupoperator, db_datawriter, db_datareader, public
- Securables: view any definition, view server state
- For truncation of SQL Server 2012 or SQL Server 2014 database transaction logs, this account should have the db_backupoperator database role (minimal required) or the sysadmin server role.
- Make sure that Deny log on locally and Deny log on through Terminal Services are turned OFF for the corresponding account (these can be turned on, in particular, due to group policy settings).
If you want transaction logs to be truncated, note that in case log truncation with the specified account is not a success, Veeam will try to perform it using NT AUTHORITY\SYSTEM account, so for SQL Server 2016, 2014 or 2012 make sure it has sufficient rights (see this Veeam Knowledge Base article for more information).
As for SQL Server 2008 and 2008 R2, default settings in these versions allow for database log truncation by local SYSTEM account (however, if they were modified, make sure this account is permitted to truncate logs).
- The account you will use to access the target Microsoft SQL server where database will be restored needs sysadmin fixed role on that server. (This account you will specify when working with the Restore Wizard, as described later in this guide.)
- The account you plan to use for connection to the Windows machine (where database log backup files will be copied for further log replay) will need sufficient permissions to access the administrative share on that machine: Read and Write are minimal required. For restore scenarios, that machine is your target SQL Server. (To read more about scenarios that require log replay, refer to Planning for Database Restore section.)
- The account used to run Veeam Explorer for Microsoft SQL Server should have sufficient permissions for the folder where you plan to export the database files: Read and Write are minimal recommended.