Required Permissions - Veeam Backup Explorers Guide
Veeam Backup & Replication 9.5
Veeam Backup Explorers User Guide

Required Permissions

Make sure the accounts you are going to use for application-aware processing of Microsoft SQL servers meet the following requirements:

  • The user account that you specify for guest processing of the Microsoft SQL Server VM in the backup job must have the sysadmin fixed role assigned on the target SQL Server. For more information, see the Specify Guest Processing Settings section of the Veeam Backup & Replication User Guide.

If you need to provide minimum permissions for the account to perform backup operations, assign the following:

  • SQL Server instance-level roles: dbcreator and public
  • Database-level roles: db_backupoperator, db_denydatareader, public

For system databases:

  • master - db_backupoperator, db_datareader, public
  • msdb - db_backupoperator, db_datawriter, db_datareader, public

  • Securables: view any definition, view server state
  • For truncation of SQL Server 2012 or SQL Server 2014 database transaction logs, the account must have the db_backupoperator database role (minimum required) or the sysadmin server role.

For more information on how you can add accounts to database roles, see this Microsoft article.
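The minimum-permission list above for backup operations, written as T-SQL. This is an added example, not a script from Veeam; the Windows account CONTOSO\svc-veeam-sql and the user database SalesDb are placeholder names. The final query reports whether the login also holds sysadmin, which the minimum-permission list does not include.

```sql
-- Added example: minimum permissions for backup operations, per the list above.
-- Placeholders (assumptions, not from the Veeam page):
--   CONTOSO\svc-veeam-sql  Windows account used for application-aware processing
--   SalesDb                a user database protected by the backup job
-- ALTER SERVER ROLE / ALTER ROLE ... ADD MEMBER require SQL Server 2012 or later.
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\svc-veeam-sql')
    CREATE LOGIN [CONTOSO\svc-veeam-sql] FROM WINDOWS;

-- Instance-level role: dbcreator (every login is already a member of public).
ALTER SERVER ROLE dbcreator ADD MEMBER [CONTOSO\svc-veeam-sql];

-- Securables: view any definition, view server state.
GRANT VIEW ANY DEFINITION TO [CONTOSO\svc-veeam-sql];
GRANT VIEW SERVER STATE  TO [CONTOSO\svc-veeam-sql];

-- master: db_backupoperator, db_datareader.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\svc-veeam-sql')
    CREATE USER [CONTOSO\svc-veeam-sql] FOR LOGIN [CONTOSO\svc-veeam-sql];
ALTER ROLE db_backupoperator ADD MEMBER [CONTOSO\svc-veeam-sql];
ALTER ROLE db_datareader     ADD MEMBER [CONTOSO\svc-veeam-sql];
GO

-- msdb: db_backupoperator, db_datawriter, db_datareader.
USE msdb;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\svc-veeam-sql')
    CREATE USER [CONTOSO\svc-veeam-sql] FOR LOGIN [CONTOSO\svc-veeam-sql];
ALTER ROLE db_backupoperator ADD MEMBER [CONTOSO\svc-veeam-sql];
ALTER ROLE db_datawriter     ADD MEMBER [CONTOSO\svc-veeam-sql];
ALTER ROLE db_datareader     ADD MEMBER [CONTOSO\svc-veeam-sql];
GO

-- User database: db_backupoperator, db_denydatareader.
-- db_backupoperator is also the stated minimum for log truncation on 2012/2014.
USE SalesDb;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\svc-veeam-sql')
    CREATE USER [CONTOSO\svc-veeam-sql] FOR LOGIN [CONTOSO\svc-veeam-sql];
ALTER ROLE db_backupoperator ADD MEMBER [CONTOSO\svc-veeam-sql];
ALTER ROLE db_denydatareader ADD MEMBER [CONTOSO\svc-veeam-sql];
GO

-- Audit: server-role membership of the login (1 = member, 0 = not a member).
SELECT IS_SRVROLEMEMBER('sysadmin',  N'CONTOSO\svc-veeam-sql') AS is_sysadmin,
       IS_SRVROLEMEMBER('dbcreator', N'CONTOSO\svc-veeam-sql') AS is_dbcreator;
```

Repeat the user-database section for each database in the job. Accounts that the page says require sysadmin (guest processing, access to the target SQL Server for restore) are not covered by this script.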

  • Make sure the account used for application-aware processing has the following security policies applied:
      • Log on as a batch job is granted.
      • Deny log on as a batch job is not set.

For more information on group policy settings, see this Microsoft article. To learn how to configure user rights using policies, see the Assigning User Rights section of this Microsoft article.

Note:

When using Veeam Backup & Replication Update 3 or any previous version of the solution, ensure the following:

  • The account you are using does have both Allow log on locally and Allow log on through Terminal Services policies applied.
  • The account you are using does NOT have Deny log on locally and Deny log on through Terminal Services policies applied.

  • The account requires the sysadmin fixed role to access the target Microsoft SQL Server.
  • The account requires minimum Read and Write permissions to access the administrative share on a target machine where database log backup files will be copied for log replay. For more information on scenarios that require log replay, see Planning for Database Restore.
  • The account that is used to run Veeam Explorer for Microsoft SQL Server requires minimum Read and Write permissions to access the directory to which you plan to export your database files.

Note:

If the log truncation routine fails with the specified account, Veeam will use the NT AUTHORITY\SYSTEM account. For more information on required permissions for SQL Server 2016, 2014 or 2012, see this Veeam Knowledge Base article. With SQL Server 2008 and 2008 R2, the local SYSTEM account is used for database log truncation by default.