This is an archive version of the document. To get the most up-to-date information, see the current version.Permissions
Make sure the user accounts that you plan to use have permissions described in the following sections.
Installing and Using Veeam Backup & Replication
The accounts used for installing and using Veeam Backup & Replication must have the following permissions.
Account | Required Permission |
|---|---|
Setup Account | The account used for product installation must have the local Administrator permissions on the target machine. |
Veeam Backup & Replication Console Permissions | When you open the Veeam Backup & Replication console for the first time or after a cumulative patch is installed on the backup server, you must run the console under an account with the local Administrator permissions on the machine where the console is installed. In other cases, you can run it under an account that is a member of the Users group on the machine where the console is installed. However, you may require additional permissions to recover guest OS files of Microsoft Windows VMs. [For recovery of Microsoft Windows VM guest OS files] If you plan to save files to a new location, the user who launched the Veeam Backup & Replication console does not have permissions to read and write data to the new location, and the mount point is located on the same machine as the Veeam Backup & Replication console, check that the user has the SeBackupPrivilege and SeRestorePrivilege. For more information on where mount points are created, see Mount Points and Restore Scenarios. Accounts that are members of the Protected Users Active Directory group cannot be used to access the backup server remotely over the Veeam Backup & Replication console. For more information, see Microsoft Docs. |
Veeam Backup Service Account | The account used to run the Veeam Backup Service must be a LocalSystem account or must have the local Administrator permissions on the backup server. |
Microsoft SQL Server | You require different sets of Microsoft SQL permissions in the following cases:
For more information, see Microsoft Docs. |
Using Virtualization Servers and Hosts
The following are required permissions to work with virtualization servers and hosts during data protection tasks.
Role | Required Permission |
|---|---|
Source/Target Host | Root permissions on the ESXi host. If the vCenter Server is added to the backup infrastructure, an account that has administrative permissions is required. |
Windows Server | The user account that you use to add a Microsoft Windows server must be in the local administrators group (on the server being added). |
Linux Server | Permissions for the account that you specify when adding a Linux server differ depending on the role that you plan to assign to this server:
|
SMB Backup Repository | Write permission on the target folder and share. |
To use guest OS processing (application-aware processing, pre-freeze and post-thaw scripts, transaction log processing, guest file indexing and file exclusions), make sure to configure your accounts according to the requirements listed in this section. For more information on guest processing, see Guest Processing.
All user accounts used for guest processing must have the following permissions:
- Logon as a batch job granted
- Deny logon as a batch job not set
Other permissions depend on applications that you back up. You can find permissions for backup operations in the following table. For restore operation permissions, see Required Permissions sections in the Veeam Explorers User Guide.
Application | Required Permission |
|---|---|
To back up Microsoft SQL Server data, the user whose account you plan to use must be:
If you need to provide minimal permissions, the account must be assigned the following roles and permissions:
| |
To back up Microsoft Active Directory data, the account must be a member of the built-in Administrators group. | |
To back up Microsoft Exchange data, the account must have the local Administrator permissions on the machine where Microsoft Exchange is installed. | |
The account specified at the Guest Processing step must be configured as follows:
To back up Oracle databases, make sure the account specified on the Oracle tab has been granted SYSDBA privileges. You can use either the same account that was specified at the Guest Processing step if such an account is a member of the ORA_DBA group for a Windows-based VM and OSASM, OSDBA and OINSTALL groups for a Linux-based VM, or you can use, for example, the SYS Oracle account or any other Oracle account that has been granted SYSDBA privileges. To perform guest processing for Oracle databases on Linux servers, make sure that the /tmp directory is mounted with the exec option. Otherwise, you will get an error with the permission denial. | |
To back up Microsoft SharePoint server, the account must be assigned the Farm Administrator role. To back up Microsoft SQL databases of the Microsoft SharePoint Server, the account must have the same privileges as that of Veeam Explorer for Microsoft SQL Server. |
Consider the following general requirements when choosing a user account:
- [For guest OS file indexing] For Windows-based workloads, choose an account that has administrator privileges. For Linux-based workloads, choose an account of a root user or user elevated to root.
- To use networkless guest processing over VMware VIX/vSphere Web Services, you must specify one of the following accounts at the Guest Processing step of the backup wizard. Check that the account also has permissions listed in the table.
- If Windows User Account Control (UAC) is enabled, specify Local Administrator (MACHINE\Administrator) or Domain Administrator (DOMAIN\Administrator) account.
- If UAC is disabled, specify an account that is a member of the built-in Administrators group.
- For Linux-based VMs, specify a root account.
- [For networkless guest processing over VMware VIX] To be able to perform more than 1000 guest processing operations, the user that you specify for guest processing must be logged into the VM at least once.
- [If you plan to use guest processing over network for workloads without listed applications] For Windows-based workloads, choose an account that has administrator privileges. For Linux-based workloads, choose an account of a root user or user elevated to root.
- When using Active Directory accounts, make sure to provide an account in the DOMAIN\Username format.
- When using local user accounts, make sure to provide an account in the Username or HOST\Username format.
- To process a Domain Controller server, make sure that you are using an account that is a member of the DOMAIN\Administrators group.
- To back up a Read-Only Domain controller, a delegated RODC administrator account is sufficient. For more information, see this Microsoft article.
Adding Microsoft Azure Compute Accounts
Microsoft Azure account is required to restore workloads to Microsoft Azure, add Azure archive storage and so on. For more information, see Microsoft Azure Compute Accounts.
The following are permissions required for adding a Microsoft Azure Compute account:
- If you use an Azure Active Directory (AD) application (select the Create a new account option at the Subscription step of the wizard) when adding a Microsoft Azure Compute account, the Microsoft Azure AD user account where the AD application will be created must have the following privileges:
- To register applications. This can be the Global Administrator privileges assigned to the user or the Users can register applications option enabled for the user in Azure portal. For details, see Microsoft Azure Docs.
- To assign a role on the subscription level for the registered application. This can be the Owner role or if the Owner role cannot be used, you can create a custom role with minimal permissions. To learn how to create a custom role, see Creating Custom Role for Azure Account.
- If you use an existing Azure AD user account (select the Use the existing account option at the Subscription step of the wizard) when adding a Microsoft Azure Compute account, this Azure AD user account must have the Contributor role privileges for the selected subscription. If you restore workloads to Microsoft Azure and cannot use the Contributor role, you can create a custom role with minimal permissions. To learn how to create a custom role, see Creating Custom Role for Azure Account.
Adding Microsoft Azure Stack Hub Compute Accounts
A Microsoft Azure Stack Hub compute account is required to restore workloads to Microsoft Azure Stack Hub. For more information, see Microsoft Azure Stack Hub Compute Accounts.
The Azure Stack Hub tenant user account must have the Owner role privileges for the required subscription. If you restore workloads to Microsoft Azure and cannot use the Owner role, you can create a custom role with minimal permissions. To learn how to create a custom role, see Creating Custom Role for Azure Account.
Using Object Storage Repositories
Amazon S3 Object Storage Permissions
Consider the following:
- Make sure the account you are using has access to Amazon buckets and folders.
- The ListAllMyBuckets permission is not required if you specify the bucket name explicitly at the Bucket step of the New Object Repository wizard.
The following are required permissions to use Amazon S3 object storage with immutability disabled.
{ "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListAllMyBuckets", "s3:GetBucketVersioning" } |
The following are required permissions to use Amazon S3 object storage with immutability enabled. For more information on immutability, see Immutability.
{ "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListAllMyBuckets", "s3:GetBucketVersioning", "s3:GetBucketObjectLockConfiguration", "s3:ListBucketVersions", "s3:GetObjectVersion", "s3:GetObjectRetention", "s3:GetObjectLegalHold", "s3:PutObjectRetention", "s3:PutObjectLegalHold", "s3:DeleteObjectVersion" } |
For example, see this Veeam KB article. For more information on permissions, see this Amazon article.
Google Cloud Object Storage Permissions
Consider the following: the storage.buckets.list permission is not required if you specify the bucket name explicitly at the Bucket step of the New Object Repository wizard.
Note |
The Owner IAM role does not necessarily grant the permissions required for working with Google Cloud Storage. |
The following are required permissions to use Google Cloud object storage.
{ "storage.buckets.get", "storage.buckets.list", "storage.objects.create", "storage.objects.delete", "storage.objects.get", "storage.objects.list" } |
Amazon S3 Glacier Storage Permissions
Permissions for Amazon S3 Glacier depend on whether you use the storage with immutability enabled or disabled.
The following are required permissions to use Amazon S3 Glacier object storage with disabled immutability.
- With VPC, subnet and security group set as Create new
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:DeleteObject", "s3:PutObject", "s3:GetObject", "s3:RestoreObject", "s3:ListBucket", "s3:AbortMultipartUpload", "s3:GetBucketVersioning", "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketObjectLockConfiguration", "ec2:DescribeInstances", "ec2:CreateKeyPair", "ec2:DescribeKeyPairs", "ec2:RunInstances", "ec2:DeleteKeyPair", "ec2:DescribeVpcAttribute", "ec2:CreateTags", "ec2:DescribeSubnets", "ec2:TerminateInstances", "ec2:DescribeSecurityGroups", "ec2:DescribeImages", "ec2:DescribeVpcs", "ec2:CreateVpc", "ec2:CreateSubnet", "ec2:DescribeAvailabilityZones", "ec2:CreateRoute", "ec2:CreateInternetGateway", "ec2:AttachInternetGateway", "ec2:ModifyVpcAttribute", "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup", "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:DescribeRouteTables", "ec2:DescribeInstanceTypes" ], "Resource": "*" } ] } |
- With preconfigured VPC, subnet and security group
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:DeleteObject", "s3:PutObject", "s3:GetObject", "s3:RestoreObject", "s3:ListBucket", "s3:AbortMultipartUpload", "s3:GetBucketVersioning", "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketObjectLockConfiguration", "ec2:DescribeInstances", "ec2:CreateKeyPair", "ec2:DescribeKeyPairs", "ec2:RunInstances", "ec2:DeleteKeyPair", "ec2:DescribeVpcAttribute", "ec2:CreateTags", "ec2:DescribeSubnets", "ec2:TerminateInstances", "ec2:DescribeSecurityGroups", "ec2:DescribeImages", "ec2:DescribeVpcs" ], "Resource": "*" } ] } |
The following are required permissions to use Amazon S3 object storage with immutability enabled.
- With VPC, subnet and security group set as Create new
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:DeleteObject", "s3:PutObject", "s3:GetObject", "s3:RestoreObject", "s3:ListBucket", "s3:AbortMultipartUpload", "s3:GetBucketVersioning", "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketObjectLockConfiguration", "s3:PutObjectRetention", "s3:GetObjectVersion", "s3:PutObjectLegalHold", "s3:GetObjectRetention", "s3:DeleteObjectVersion", "s3:ListBucketVersions", "ec2:DescribeInstances", "ec2:CreateKeyPair", "ec2:DescribeKeyPairs", "ec2:RunInstances", "ec2:DeleteKeyPair", "ec2:DescribeVpcAttribute", "ec2:CreateTags", "ec2:DescribeSubnets", "ec2:TerminateInstances", "ec2:DescribeSecurityGroups", "ec2:DescribeImages", "ec2:DescribeVpcs", "ec2:CreateVpc", "ec2:CreateSubnet", "ec2:DescribeAvailabilityZones", "ec2:CreateRoute", "ec2:CreateInternetGateway", "ec2:AttachInternetGateway", "ec2:ModifyVpcAttribute", "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup", "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:DescribeRouteTables", "ec2:DescribeInstanceTypes" ], "Resource": "*" } ] } |
- With preconfigured VPC, subnet and security group
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:DeleteObject", "s3:PutObject", "s3:GetObject", "s3:RestoreObject", "s3:ListBucket", "s3:AbortMultipartUpload", "s3:GetBucketVersioning", "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketObjectLockConfiguration", "s3:PutObjectRetention", "s3:GetObjectVersion", "s3:PutObjectLegalHold", "s3:GetObjectRetention", "s3:DeleteObjectVersion", "s3:ListBucketVersions", "ec2:DescribeInstances", "ec2:CreateKeyPair", "ec2:DescribeKeyPairs", "ec2:RunInstances", "ec2:DeleteKeyPair", "ec2:DescribeVpcAttribute", "ec2:CreateTags", "ec2:DescribeSubnets", "ec2:TerminateInstances", "ec2:DescribeSecurityGroups", "ec2:DescribeImages", "ec2:DescribeVpcs" ], "Resource": "*" } ] } |
Azure Archive Object Storage Permissions
The following are required permissions to use Azure Archive object storage.
{ "properties": { "roleName": "CUSTOM_ROLE_MINIMAL_PERMISSIONS", "description": "CUSTOM_ROLE_MINIMAL_PERMISSIONS", "assignableScopes": [ "/subscriptions/111111-1111-1111-0000-00000000000" ], "permissions": [ { "actions": [ "Microsoft.Authorization/*/read", "Microsoft.Compute/locations/*", "Microsoft.Compute/virtualMachines/*", "Microsoft.Network/locations/*", "Microsoft.Network/networkInterfaces/*", "Microsoft.Network/networkSecurityGroups/join/action", "Microsoft.Network/networkSecurityGroups/read", "Microsoft.Network/networkSecurityGroups/write", "Microsoft.Network/networkSecurityGroups/delete", "Microsoft.Network/publicIPAddresses/join/action", "Microsoft.Network/publicIPAddresses/read", "Microsoft.Network/publicIPAddresses/write", "Microsoft.Network/publicIPAddresses/delete", "Microsoft.Network/virtualNetworks/read", "Microsoft.Network/virtualNetworks/write", "Microsoft.Network/virtualNetworks/subnets/join/action", "Microsoft.Storage/storageAccounts/listKeys/action", "Microsoft.Storage/storageAccounts/read", "Microsoft.Resources/deployments/*", "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Resources/checkResourceName/action", "Microsoft.Resources/subscriptions/resourceGroups/write", "Microsoft.Resources/subscriptions/locations/read" ], "notActions": [], "dataActions": [], "notDataActions": [] } ] } } |
NetApp Data ONTAP/Lenovo Thinksystem DM Permissions
The account used to connect to a NetApp Data ONTAP/Lenovo Thinksystem DM storage system must have the following permissions:
7-Mode
- login-http-admin
- api-system-*
- api-license-* (api-license-list-info)
- api-volume-*
- api-net-*
- api-options-*
- api-vfiler-*
- api-qtree-*
- api-nfs-*
- api-snapshot-*
- api-lun-*
- api-iscsi-*
- api-feature-*
- api-registry-*
- api-fcp-*
- api-file-*
- api-igroup-*
- api-clone-*
- api-snapvault-*
- api-snapmirror-*
- api-cf-*
- cli-options
- security-api-vfiler
CDOT (VMware Integration)
Command/Directory | Access/Query Level |
|---|---|
DEFAULT | readonly |
cluster | readonly |
metrocluster | readonly |
fcp | readonly |
file | readonly |
igroup | all |
iscsi | all |
network | readonly |
node | readonly |
security | readonly |
security login | readonly |
set | readonly |
snapmirror | all |
system | readonly |
version | readonly |
qtree | readonly |
lun | all |
nfs | all |
snapshot | all |
volume | all |
vserver | all |
Only as SVM (VMware Integration)
Command/Directory | Access/Query Level |
|---|---|
DEFAULT | none |
lun | all |
lun igroup | all |
network | readonly |
security | readonly |
security login | readonly |
snapmirror | all |
system | readonly |
version | readonly |
volume | all |
volume file | readonly |
volume qtree | all |
volume snapshot | all |
vserver | all |
vserver fcp | all |
vserver iscsi | all |
vserver nfs | all |
CDOT (NAS Backup Integration)
Command/Directory | Access/Query Level |
|---|---|
DEFAULT | readonly |
security | readonly |
security login | readonly |
volume snapshot | all |
vserver | all |
vserver nfs | all |
Only as SVM (NAS Backup Integration)
Command/Directory | Access/Query Level |
|---|---|
DEFAULT | none |
lun | readonly |
network | readonly |
security | readonly |
security login | readonly |
snapmirror | readonly |
version | readonly |
volume | readonly |
volume snapshot | all |
vserver | all |
CDOT (Veeam Agent Integration)
Command/Directory | Access/Query Level |
|---|---|
cluster | readonly |
lun | all |
metrocluster | readonly |
network | readonly |
system license | readonly |
system node | readonly |
version | readonly |
volume | all |
volume snapshot | all |
vserver | all |
Only as SVM (Veeam Agent Integration)
Command/Directory | Access/Query Level |
|---|---|
lun | all |
network | readonly |
version | readonly |
volume | all |
volume snapshot | all |
vserver | all |
Universal Storage API Integrated Systems Permissions
The account used to connect to a Universal Storage API integrated system must be assigned a necessary role in the storage system console and/or have a set of necessary permissions.
- For Dell EMC PowerMax, the account must be assigned the Storage Administrator role.
- For Fujitsu ETERNUS, the account must be assigned the Software role.
- For NetApp SolidFire/HCI, the account must have the following permissions:
- Volumes
- Cluster Admins
- For Western Digital IntelliFlash, the account must be assigned the Veeam Admin Role.
- For DataCore, the account must have the following permissions:
- General
- Port
- Host
- Virtual disk
- Snapshot
- Physical disk
- For Hitachi VSP, the account must be assigned the following roles:
- Storage Administrator (View Only)
- Storage Administrator (Provisioning)
- Storage Administrator (Local Copy)
- For HPE XP, the account must be assigned the following roles:
- Storage Administrator (View Only)
- Storage Administrator (Provisioning)
- Storage Administrator (Local Copy)
- For Dell EMC PowerStore, the account must be assigned the following roles:
- Administrator
- Storage Administrator
- Storage Operator
- For NEC Storage M Series, the account must be assigned the Administrator role.
- For NEC Storage V Series, the account must be assigned the following roles:
- Storage Administrator (View Only)
- Storage Administrator (Provisioning)
- Storage Administrator (Local Copy)
For privileges required to integrate the NAS backup feature with Dell EMC Isilon/PowerScale, see Integration with Dell EMC Isilon/PowerScale in the NAS Backup Support section.
For storage systems not mentioned above, the account must have Administrator role.
Related Topics
For permissions required for Veeam Backup Enterprise Manager, see Required Permissions in the Enterprise Manager User Guide.