Required Permissions

    Make sure the user accounts that you plan to use have permissions described in the following sections.

    Installing and Using Veeam Backup & Replication

    The accounts used for installing and using Veeam Backup & Replication must have the permissions listed below, by account.

    Setup Account

    The account used for product installation must have the local Administrator permissions on the target machine.

    Veeam Backup & Replication Console Permissions

    When you open the Veeam Backup & Replication console for the first time or after a cumulative patch is installed on the backup server, you must run the console under an account with the local Administrator permissions on the machine where the console is installed. In other cases (except file-level restore), you can run it under an account that is a member of the Users group on the machine where the console is installed.

    To perform file-level restore for Microsoft Windows VMs, the account must have the following permissions and privileges:

    • Local Administrator permissions to start the Veeam Backup & Replication console
    • SeBackupPrivilege and SeRestorePrivilege to connect to the Veeam backup server and start the restore process

    By default, Windows grants SeBackupPrivilege (Back up files and directories) and SeRestorePrivilege (Restore files and directories) to members of the local Administrators and Backup Operators groups, so an account that is already a local Administrator normally has both. For more information, see Microsoft Docs.

    Accounts that are members of the Protected Users Active Directory group cannot be used to access the backup server remotely over the Veeam Backup & Replication console: the group blocks NTLM authentication and credential delegation for its members. For more information, see Microsoft Docs.

    Veeam Backup Service Account

    The account used to run the Veeam Backup Service must be a LocalSystem account or must have the local Administrator permissions on the backup server.

    Microsoft SQL Server
    (where the configuration database is stored)

    You require different sets of Microsoft SQL Server permissions in the following cases:

    • Installation (remote or local): the current account needs the CREATE ANY DATABASE permission at the SQL Server instance level. After database creation this account automatically gets the db_owner role and can perform all operations with the database. If the current account does not have this permission, a Database Administrator can create an empty database in advance and grant the db_owner role to the account that will be used for installing Veeam Backup & Replication.
    • Upgrade: the current account must have sufficient permissions on the existing configuration database. The simplest way to grant them through role assignment is to use an account that holds the db_owner role for that database.
    • Operation: the account used to run the Veeam Backup Service requires the db_datareader and db_datawriter roles as well as permission to execute stored procedures in the configuration database. Alternatively, you can assign the db_owner role for this database to the service account, but that grants more than the service needs.

    For more information, see Microsoft Docs.
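    As an added example (not Veeam's code), the following PowerShell script lets a DBA prepare the installation and operation cases above without handing the installer CREATE ANY DATABASE or the service account db_owner. Instance, database and account names are assumptions; the script needs Invoke-Sqlcmd from the SqlServer module and a connection that is sysadmin on the instance.

```powershell
# Added example; not Veeam code. Assumed names: SQL instance SQL01\VEEAM, configuration
# database VeeamBackup, Windows login CORP\veeam-setup (runs the installer/upgrade) and
# CORP\svc-veeam (runs the Veeam Backup Service). Needs the SqlServer module and a
# connection that is sysadmin on the instance (a DBA runs this, not the setup account).
$Instance       = 'SQL01\VEEAM'
$Database       = 'VeeamBackup'
$SetupAccount   = 'CORP\veeam-setup'
$ServiceAccount = 'CORP\svc-veeam'

# Step 1 (in master): create the empty database and the two logins, so the setup
# account never needs CREATE ANY DATABASE at the instance level.
Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query @"
IF DB_ID(N'$Database') IS NULL
    CREATE DATABASE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$SetupAccount')
    CREATE LOGIN [$SetupAccount] FROM WINDOWS;
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$ServiceAccount')
    CREATE LOGIN [$ServiceAccount] FROM WINDOWS;
"@

# Step 2 (inside the configuration database): db_owner for the installer, and only
# reader + writer + EXECUTE for the service that runs day to day.
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$SetupAccount')
    CREATE USER [$SetupAccount] FOR LOGIN [$SetupAccount];
ALTER ROLE db_owner ADD MEMBER [$SetupAccount];

IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$ServiceAccount')
    CREATE USER [$ServiceAccount] FOR LOGIN [$ServiceAccount];
ALTER ROLE db_datareader ADD MEMBER [$ServiceAccount];
ALTER ROLE db_datawriter ADD MEMBER [$ServiceAccount];
-- EXECUTE granted at database scope covers every stored procedure in the database.
GRANT EXECUTE TO [$ServiceAccount];
"@

# Step 3: verify what each principal ended up with (role memberships and explicit grants).
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query @"
SELECT m.name AS principal_name, r.name AS granted
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name IN (N'$SetupAccount', N'$ServiceAccount')
UNION ALL
SELECT m.name, p.permission_name
FROM sys.database_permissions p
JOIN sys.database_principals m ON m.principal_id = p.grantee_principal_id
WHERE m.name IN (N'$SetupAccount', N'$ServiceAccount') AND p.state = 'G';
"@ | Format-Table -AutoSize
```

    The last query is the check to keep: after an upgrade, confirm that the service account still shows only db_datareader, db_datawriter and EXECUTE, and that nobody promoted it to db_owner along the way.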

    Using Virtualization Servers and Hosts

    The following permissions are required to work with virtualization servers and hosts during data protection tasks, listed by role.

    Source/Target Host

    Root permissions on the ESXi host.

    If the vCenter Server is added to the backup infrastructure, an account that has administrative permissions is required.
    You can either grant the Administrator role to the account or configure granular vCenter Server permissions for certain Veeam Backup & Replication operations in the VMware vSphere environment. For more information, see the Required Permissions Reference.

    Windows Server
    added to the backup infrastructure

    Administrator permissions

    Linux Server
    added to the backup infrastructure

    The permissions for the account that you specify when adding a Linux server depend on the role that you plan to assign to this server:

    • Roles for which Veeam Data Movers must be persistent (backup proxy, hardened/immutable repository) require root or equivalent permissions. For the full list of roles, see Veeam Data Movers.
    • A gateway server that communicates with an NFS share requires root or equivalent permissions.
    • A backup repository requires read and write permissions on the folder where backups will be stored. You configure this folder at the Configure Backup Repository Settings step of the backup repository wizard.
    • Other roles require read and write permissions on the files and folders with which the server will work.

    SMB Backup Repository

    Write permission on the target folder and share.

    Performing Guest Processing

    To use guest OS processing (application-aware processing, pre-freeze and post-thaw scripts, transaction log processing, guest file indexing and file exclusions), make sure to configure your accounts according to the requirements listed in this section. For more information on guest processing, see Guest Processing.

    All user accounts used for guest processing must have the following user rights on the guest OS:

    • Log on as a batch job: granted
    • Deny log on as a batch job: not set for the account or for any group it belongs to (a deny entry overrides the grant)
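    Whether an account really holds these rights is easy to get wrong when they arrive through group membership, and the same local-policy export also answers the SeBackupPrivilege/SeRestorePrivilege and Protected Users questions from the console permissions section earlier on this page. The PowerShell script below is an added example, not Veeam's code: it exports the local security policy with secedit, resolves the account and the local groups that contain it, and reports each right. Account names are hypothetical, nested domain-group membership is not expanded, and the Protected Users check assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example; not Veeam code. Checks, on the machine it runs on, whether an account
# holds the user rights this page asks for. Run from an elevated PowerShell session
# (secedit needs it). Account names below are hypothetical.

function Get-LocalUserRightAssignments {
    # Export the local security policy and parse its [Privilege Rights] section into
    # a hashtable: right name -> list of SIDs (secedit prefixes SIDs with '*').
    $inf = Join-Path $env:TEMP ("ura-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $rights = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
                $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            }
        }
        return $rights
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Get-AccountSidSet {
    param([Parameter(Mandatory)][string]$Account)
    # The account's own SID plus the SIDs of local groups that contain it directly.
    # Nested domain-group membership is not expanded; check those groups separately.
    $sid  = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $sids = New-Object 'System.Collections.Generic.HashSet[string]'
    [void]$sids.Add($sid)
    [void]$sids.Add('S-1-1-0')   # Everyone
    [void]$sids.Add('S-1-5-11')  # Authenticated Users
    foreach ($group in Get-LocalGroup) {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        if ($members | Where-Object { $_.SID.Value -eq $sid }) { [void]$sids.Add($group.SID.Value) }
    }
    return ,$sids   # leading comma keeps PowerShell from unrolling the set
}

function Test-VeeamAccountRights {
    param([Parameter(Mandatory)][string]$Account, [switch]$CheckProtectedUsers)
    $rights     = Get-LocalUserRightAssignments
    $sids       = Get-AccountSidSet -Account $Account
    $accountSid = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier]).Value

    function HasRight([string]$Right) {
        [bool](@($rights[$Right]) | Where-Object { $_ -and $sids.Contains($_) })
    }

    $r = [ordered]@{
        Account              = $Account
        LocalAdministrator   = $sids.Contains('S-1-5-32-544')
        SeBackupPrivilege    = HasRight 'SeBackupPrivilege'
        SeRestorePrivilege   = HasRight 'SeRestorePrivilege'
        LogOnAsBatchJob      = HasRight 'SeBatchLogonRight'
        DenyLogOnAsBatchJob  = HasRight 'SeDenyBatchLogonRight'
        ProtectedUsersMember = $null
    }
    if ($CheckProtectedUsers) {
        # Needs the RSAT ActiveDirectory module; membership is resolved through nested groups.
        $pu = Get-ADGroupMember -Identity 'Protected Users' -Recursive
        $r.ProtectedUsersMember = [bool]($pu | Where-Object { $_.SID.Value -eq $accountSid })
    }
    # A deny entry always wins over a grant.
    $r.GuestProcessingOk  = $r.LogOnAsBatchJob -and -not $r.DenyLogOnAsBatchJob
    # File-level restore: local admin to start the console, both backup privileges, no Protected Users.
    $r.FileLevelRestoreOk = $r.LocalAdministrator -and $r.SeBackupPrivilege -and $r.SeRestorePrivilege -and -not $r.ProtectedUsersMember
    [pscustomobject]$r
}

# Hypothetical accounts: the console/FLR operator and the guest-processing account.
Test-VeeamAccountRights -Account 'CORP\veeam-operator' -CheckProtectedUsers
Test-VeeamAccountRights -Account 'CORP\svc-veeam-guest'
```

    Run it on the guest VM for the batch-logon rights and on the console machine for the file-level restore set; a False in DenyLogOnAsBatchJob is the result you want, and a True there explains a guest processing failure even when LogOnAsBatchJob is also True.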

    Other permissions depend on the applications that you back up. The permissions for backup operations are listed below, by application. For restore operation permissions, see the Required Permissions sections in the Veeam Explorers User Guide.

    Microsoft SQL Server

    To back up Microsoft SQL Server data, the account must hold the following roles:

    • Administrator role on the target VM.
    • Sysadmin role on the target Microsoft SQL Server.

    If you need to provide minimal permissions instead of sysadmin, the account must be assigned the following roles and permissions:

    • SQL Server instance-level roles: public and dbcreator.
    • Database-level roles:
        • user databases, and the model system database so that databases created later inherit them: db_backupoperator, db_denydatareader, public
        • master system database: db_backupoperator, db_datareader, public
        • msdb system database: db_backupoperator, db_datareader, db_datawriter, public
    • Securables: VIEW ANY DEFINITION, VIEW SERVER STATE.
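    As an added example (not Veeam's code), the following PowerShell script applies the minimal set above to a SQL Server instance, including the point that is easy to miss: roles placed in model reach only databases created afterwards, so existing user databases are granted the same roles explicitly. Instance and account names are assumptions; the script needs Invoke-Sqlcmd from the SqlServer module and sysadmin rights on the instance.

```powershell
# Added example; not Veeam code. Assumed names: instance SQL02 on the backed-up VM and
# Windows login CORP\svc-veeam-guest, the account entered at the Guest Processing step.
# Run with sysadmin rights on that instance (the SqlServer module provides Invoke-Sqlcmd).
$Instance = 'SQL02'
$Account  = 'CORP\svc-veeam-guest'

# Instance level: login, dbcreator, and the two securables from the list above.
Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account')
    CREATE LOGIN [$Account] FROM WINDOWS;
ALTER SERVER ROLE dbcreator ADD MEMBER [$Account];
GRANT VIEW ANY DEFINITION TO [$Account];
GRANT VIEW SERVER STATE TO [$Account];
"@

# Database level. db_denydatareader is the point of the minimal set: the account can
# run BACKUP but cannot SELECT the data it backs up. Roles granted in model are copied
# only into databases created later, so existing user databases get them explicitly.
$rolesFor = [ordered]@{
    master = @('db_backupoperator', 'db_datareader')
    msdb   = @('db_backupoperator', 'db_datareader', 'db_datawriter')
    model  = @('db_backupoperator', 'db_denydatareader')
}
$userDbs = Invoke-Sqlcmd -ServerInstance $Instance -Database master -Query @"
SELECT name FROM sys.databases
WHERE database_id > 4 AND state_desc = 'ONLINE' AND is_read_only = 0;
"@
foreach ($db in @($userDbs | ForEach-Object { $_.name })) { $rolesFor[$db] = $rolesFor['model'] }

foreach ($db in @($rolesFor.Keys)) {
    $alter = ($rolesFor[$db] | ForEach-Object { "ALTER ROLE $_ ADD MEMBER [$Account];" }) -join "`n"
    Invoke-Sqlcmd -ServerInstance $Instance -Database $db -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Account')
    CREATE USER [$Account] FOR LOGIN [$Account];
$alter
"@
    Write-Host "$db : $($rolesFor[$db] -join ', ')"
}
```

    Databases that are offline or read-only are skipped because CREATE USER fails there; re-run the script after bringing such a database online, and after restoring a database from another instance, since the restored database carries its own user list.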

    Microsoft Active Directory

    To back up Microsoft Active Directory data, the account must be a member of the built-in Administrators group.

    Microsoft Exchange

    To back up Microsoft Exchange data, the account must have the local Administrator permissions on the machine where Microsoft Exchange is installed.

    Oracle

    The account specified at the Guest Processing step must be configured as follows:

    • For a Windows-based VM, the account must be a member of both the local Administrators group and the ORA_DBA group (if OS authentication is used). In addition, if ASM is used, the account must also be a member of the ORA_ASMADMIN group (Oracle 12 and higher).
    • For a Linux-based VM, the account must be a Linux user elevated to root.

    To back up Oracle databases, make sure the account specified on the Oracle tab has been granted the SYSDBA privilege. This can be the same account that was specified at the Guest Processing step, provided it is a member of the ORA_DBA group (Windows-based VM) or of the OSASM, OSDBA and OINSTALL groups (Linux-based VM); otherwise use the SYS Oracle account or any other Oracle account that has been granted SYSDBA.

    Microsoft SharePoint

    To back up a Microsoft SharePoint server, the account must be assigned the Farm Administrator role.

    To back up the Microsoft SQL databases of the Microsoft SharePoint Server, the account must have the same privileges as those required for Veeam Explorer for Microsoft SQL Server.

    Consider the following general requirements when choosing a user account:

    • [For guest OS file indexing] For Windows-based workloads, choose an account that has administrator privileges. For Linux-based workloads, choose the root user or a user elevated to root.
    • To use networkless guest processing over VMware VIX/vSphere Web Services, you must specify one of the following accounts at the Guest Processing step of the backup wizard. Check that the account also has the permissions listed above for the application.
        • If Windows User Account Control (UAC) is enabled, specify the local Administrator (MACHINE\Administrator) or Domain Administrator (DOMAIN\Administrator) account.
        • If UAC is disabled, specify an account that is a member of the built-in Administrators group.
    • [For networkless guest processing over VMware VIX] To be able to perform more than 1000 guest processing operations, the user that you specify for guest processing must have logged on to the VM at least once.
    • When using Active Directory accounts, make sure to provide the account in the DOMAIN\Username format.
    • When using local user accounts, make sure to provide the account in the Username or HOST\Username format.
    • To process a Domain Controller server, make sure that you are using an account that is a member of the DOMAIN\Administrators group.
    • To back up a Read-Only Domain Controller, a delegated RODC administrator account is sufficient. For more information, see this Microsoft article.

    Using Object Storage Repositories

    Amazon S3 Object Storage Permissions

    The following permissions are required to use Amazon S3 object storage with immutability disabled.

    [
      "s3:ListBucket",
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:PutObject",
      "s3:DeleteObject",
      "s3:ListAllMyBuckets",
      "s3:GetBucketVersioning"
    ]

    The following are required permissions to use Amazon S3 object storage with immutability enabled. For more information on immutability, see Immutability.

    [
      "s3:ListBucket",
      "s3:GetBucketLocation",
      "s3:GetObject",
      "s3:PutObject",
      "s3:DeleteObject",
      "s3:ListAllMyBuckets",
      "s3:GetBucketVersioning",
      "s3:GetBucketObjectLockConfiguration",
      "s3:ListBucketVersions",
      "s3:GetObjectVersion",
      "s3:GetObjectRetention",
      "s3:GetObjectLegalHold",
      "s3:PutObjectRetention",
      "s3:PutObjectLegalHold",
      "s3:DeleteObjectVersion"
    ]

    For examples, see this Veeam KB article. For more information on permissions, see this Amazon article.
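    The lists above give actions only. As an added example (not Veeam's code), the following PowerShell function turns them into a policy document in which each action sits on the narrowest resource it accepts: bucket-level actions on the bucket ARN, object-level actions on the objects inside it, and s3:ListAllMyBuckets, which only works with "*", on "*". The bucket name is an assumption; the -Immutability switch adds the Object Lock actions from the second list.

```powershell
# Added example; not Veeam code. Builds a bucket-scoped IAM policy from the two action
# lists on this page. The bucket name is hypothetical.
function New-VeeamS3Policy {
    param([Parameter(Mandatory)][string]$BucketName, [switch]$Immutability)

    # Actions grouped by the ARN they apply to. Bucket-level actions target the bucket
    # ARN, object-level actions target objects inside it, and ListAllMyBuckets is an
    # account-level action that only accepts "*".
    $bucketActions  = @('s3:ListBucket', 's3:GetBucketLocation', 's3:GetBucketVersioning')
    $objectActions  = @('s3:GetObject', 's3:PutObject', 's3:DeleteObject')
    $accountActions = @('s3:ListAllMyBuckets')
    if ($Immutability) {
        $bucketActions += @('s3:GetBucketObjectLockConfiguration', 's3:ListBucketVersions')
        $objectActions += @('s3:GetObjectVersion', 's3:GetObjectRetention', 's3:GetObjectLegalHold',
                            's3:PutObjectRetention', 's3:PutObjectLegalHold', 's3:DeleteObjectVersion')
    }

    $bucketArn = "arn:aws:s3:::$BucketName"
    $policy = [ordered]@{
        Version   = '2012-10-17'
        Statement = @(
            [ordered]@{ Sid = 'VeeamBucket';  Effect = 'Allow'; Action = $bucketActions;  Resource = $bucketArn }
            [ordered]@{ Sid = 'VeeamObjects'; Effect = 'Allow'; Action = $objectActions;  Resource = "$bucketArn/*" }
            [ordered]@{ Sid = 'VeeamAccount'; Effect = 'Allow'; Action = $accountActions; Resource = '*' }
        )
    }
    $policy | ConvertTo-Json -Depth 5
}

# Hypothetical bucket; write the document for an immutability-enabled repository.
New-VeeamS3Policy -BucketName 'veeam-backups-prod' -Immutability |
    Set-Content -Path .\veeam-s3-policy.json -Encoding ascii
```

    Create the policy with aws iam create-policy --policy-name VeeamObjectStorage --policy-document file://veeam-s3-policy.json and attach it to the IAM user whose access key pair is entered in the repository wizard. Keeping the object-level statement on the bucket's own ARN is what limits a leaked key to that one bucket; the account-level statement cannot be narrowed, which is why it is kept separate.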

    Google Cloud Object Storage Permissions

    Consider the following: the storage.buckets.list permission is not required if you specify the bucket name explicitly at the Bucket step of the New Object Repository wizard.

    Note

    The Owner IAM role does not necessarily grant the permissions required for working with Google Cloud Storage.

    The following are required permissions to use Google Cloud object storage.

    [
      "storage.buckets.get",
      "storage.buckets.list",
      "storage.objects.create",
      "storage.objects.delete",
      "storage.objects.get",
      "storage.objects.list"
    ]

    Amazon S3 Glacier Storage Permissions

    Permissions for Amazon S3 Glacier depend on whether you use the storage with immutability enabled or disabled, and on whether Veeam Backup & Replication creates the VPC, subnet and security group for the EC2 instance it launches or uses ones you preconfigured; the Create new variants carry the additional ec2:Create*, ec2:Attach*, ec2:Authorize* and ec2:Modify* actions for that. All four policies are written with "Resource": "*"; if you tighten them, the s3 actions can be scoped to the archive bucket ARN and its objects (s3:ListAllMyBuckets excepted).

    The following are required permissions to use Amazon S3 Glacier object storage with immutability disabled.

    • With VPC, subnet and security group set as Create new

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "s3:DeleteObject",
            "s3:PutObject",
            "s3:GetObject",
            "s3:RestoreObject",
            "s3:ListBucket",
            "s3:AbortMultipartUpload",
            "s3:GetBucketVersioning",
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation",
            "s3:GetBucketObjectLockConfiguration",
            "ec2:DescribeInstances",
            "ec2:CreateKeyPair",
            "ec2:DescribeKeyPairs",
            "ec2:RunInstances",
            "ec2:DeleteKeyPair",
            "ec2:DescribeVpcAttribute",
            "ec2:CreateTags",
            "ec2:DescribeSubnets",
            "ec2:TerminateInstances",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeImages",
            "ec2:DescribeVpcs",
            "ec2:CreateVpc",
            "ec2:CreateSubnet",
            "ec2:DescribeAvailabilityZones",
            "ec2:CreateRoute",
            "ec2:CreateInternetGateway",
            "ec2:AttachInternetGateway",
            "ec2:ModifyVpcAttribute",
            "ec2:CreateSecurityGroup",
            "ec2:DeleteSecurityGroup",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:DescribeRouteTables",
            "ec2:DescribeInstanceTypes"
          ],
          "Resource": "*"
        }
      ]
    }

    • With preconfigured VPC, subnet and security group

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "s3:DeleteObject",
            "s3:PutObject",
            "s3:GetObject",
            "s3:RestoreObject",
            "s3:ListBucket",
            "s3:AbortMultipartUpload",
            "s3:GetBucketVersioning",
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation",
            "s3:GetBucketObjectLockConfiguration",
            "ec2:DescribeInstances",
            "ec2:CreateKeyPair",
            "ec2:DescribeKeyPairs",
            "ec2:RunInstances",
            "ec2:DeleteKeyPair",
            "ec2:DescribeVpcAttribute",
            "ec2:CreateTags",
            "ec2:DescribeSubnets",
            "ec2:TerminateInstances",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeImages",
            "ec2:DescribeVpcs"
          ],
          "Resource": "*"
        }
      ]
    }

    The following are required permissions to use Amazon S3 Glacier object storage with immutability enabled.

    • With VPC, subnet and security group set as Create new

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "s3:DeleteObject",
            "s3:PutObject",
            "s3:GetObject",
            "s3:RestoreObject",
            "s3:ListBucket",
            "s3:AbortMultipartUpload",
            "s3:GetBucketVersioning",
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation",
            "s3:GetBucketObjectLockConfiguration",
            "s3:PutObjectRetention",
            "s3:GetObjectVersion",
            "s3:PutObjectLegalHold",
            "s3:GetObjectRetention",
            "s3:DeleteObjectVersion",
            "s3:ListBucketVersions",
            "ec2:DescribeInstances",
            "ec2:CreateKeyPair",
            "ec2:DescribeKeyPairs",
            "ec2:RunInstances",
            "ec2:DeleteKeyPair",
            "ec2:DescribeVpcAttribute",
            "ec2:CreateTags",
            "ec2:DescribeSubnets",
            "ec2:TerminateInstances",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeImages",
            "ec2:DescribeVpcs",
            "ec2:CreateVpc",
            "ec2:CreateSubnet",
            "ec2:DescribeAvailabilityZones",
            "ec2:CreateRoute",
            "ec2:CreateInternetGateway",
            "ec2:AttachInternetGateway",
            "ec2:ModifyVpcAttribute",
            "ec2:CreateSecurityGroup",
            "ec2:DeleteSecurityGroup",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:DescribeRouteTables",
            "ec2:DescribeInstanceTypes"
          ],
          "Resource": "*"
        }
      ]
    }

    • With preconfigured VPC, subnet and security group

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "s3:DeleteObject",
            "s3:PutObject",
            "s3:GetObject",
            "s3:RestoreObject",
            "s3:ListBucket",
            "s3:AbortMultipartUpload",
            "s3:GetBucketVersioning",
            "s3:ListAllMyBuckets",
            "s3:GetBucketLocation",
            "s3:GetBucketObjectLockConfiguration",
            "s3:PutObjectRetention",
            "s3:GetObjectVersion",
            "s3:PutObjectLegalHold",
            "s3:GetObjectRetention",
            "s3:DeleteObjectVersion",
            "s3:ListBucketVersions",
            "ec2:DescribeInstances",
            "ec2:CreateKeyPair",
            "ec2:DescribeKeyPairs",
            "ec2:RunInstances",
            "ec2:DeleteKeyPair",
            "ec2:DescribeVpcAttribute",
            "ec2:CreateTags",
            "ec2:DescribeSubnets",
            "ec2:TerminateInstances",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeImages",
            "ec2:DescribeVpcs"
          ],
          "Resource": "*"
        }
      ]
    }

    Azure Archive Object Storage Permissions

    The following are required permissions to use Azure Archive object storage. Besides the storage actions, the role contains the compute and network actions that let the integration deploy and remove virtual machines, network interfaces, public IP addresses and network security groups. Note that Microsoft.Storage/storageAccounts/listKeys/action returns the storage account access keys, which give full data-plane access to that account, so assign the role at the narrowest scope that contains the archive storage account rather than at the subscription root. The subscription id in assignableScopes below is a placeholder.

    {
      "properties": {
        "roleName": "CUSTOM_ROLE_MINIMAL_PERMISSIONS",
        "description": "CUSTOM_ROLE_MINIMAL_PERMISSIONS",
        "assignableScopes": [
          "/subscriptions/111111-1111-1111-0000-00000000000"
        ],
        "permissions": [
          {
            "actions": [
              "Microsoft.Authorization/*/read",
              "Microsoft.Compute/locations/*",
              "Microsoft.Compute/virtualMachines/*",
              "Microsoft.Network/locations/*",
              "Microsoft.Network/networkInterfaces/*",
              "Microsoft.Network/networkSecurityGroups/join/action",
              "Microsoft.Network/networkSecurityGroups/read",
              "Microsoft.Network/networkSecurityGroups/write",
              "Microsoft.Network/networkSecurityGroups/delete",
              "Microsoft.Network/publicIPAddresses/join/action",
              "Microsoft.Network/publicIPAddresses/read",
              "Microsoft.Network/publicIPAddresses/write",
              "Microsoft.Network/publicIPAddresses/delete",
              "Microsoft.Network/virtualNetworks/read",
              "Microsoft.Network/virtualNetworks/write",
              "Microsoft.Network/virtualNetworks/subnets/join/action",
              "Microsoft.Storage/storageAccounts/listKeys/action",
              "Microsoft.Storage/storageAccounts/read",
              "Microsoft.Resources/deployments/*",
              "Microsoft.Resources/subscriptions/resourceGroups/read",
              "Microsoft.Resources/checkResourceName/action",
              "Microsoft.Resources/subscriptions/resourceGroups/write",
              "Microsoft.Resources/subscriptions/locations/read"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ]
      }
    }
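    As an added example (not Veeam's code), the following PowerShell script creates the custom role from the definition above with the Az modules, after replacing the placeholder subscription and converting the portal-style "properties" wrapper into the flat format New-AzRoleDefinition expects, and assigns it to Veeam's service principal at resource-group scope only. Subscription id, resource group, application id and file name are assumptions.

```powershell
# Added example; not Veeam code. Assumed: the role definition above saved as
# veeam-archive-role.json, a real subscription id, resource group rg-veeam-archive that
# holds the archive storage account, and the application (client) id of the service
# principal Veeam signs in with. Needs the Az.Accounts and Az.Resources modules and an
# identity allowed to create role definitions and assignments (Owner or User Access Administrator).
$SubscriptionId = '00000000-0000-0000-0000-000000000000'
$ResourceGroup  = 'rg-veeam-archive'
$AppId          = '11111111-1111-1111-1111-111111111111'

Connect-AzAccount -Subscription $SubscriptionId | Out-Null

$portalRole = (Get-Content -Raw -Path .\veeam-archive-role.json | ConvertFrom-Json).properties

# Az expects a flat definition rather than the portal's "properties" wrapper, and the
# placeholder subscription in assignableScopes is replaced with the real one.
$definition = [ordered]@{
    Name             = $portalRole.roleName
    Description      = $portalRole.description
    IsCustom         = $true
    Actions          = @($portalRole.permissions[0].actions)
    NotActions       = @()
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @("/subscriptions/$SubscriptionId")
}
$definitionPath = Join-Path $env:TEMP 'veeam-archive-role.az.json'
$definition | ConvertTo-Json -Depth 5 | Set-Content -Path $definitionPath -Encoding ascii

if (-not (Get-AzRoleDefinition -Name $definition.Name -ErrorAction SilentlyContinue)) {
    New-AzRoleDefinition -InputFile $definitionPath | Out-Null
}

# listKeys/action hands out the storage account keys, so the assignment goes on the
# resource group that contains the archive storage account, not on the subscription.
$sp = Get-AzADServicePrincipal -ApplicationId $AppId
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $definition.Name -ResourceGroupName $ResourceGroup
```

    The subscription stays in AssignableScopes because Azure requires the assignment scope to lie within it; the narrowing happens in the assignment, not in the definition. Check the result with Get-AzRoleAssignment -ObjectId $sp.Id and confirm the Scope column ends in the resource group name.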

    Permissions for Integration with Storage Systems

    To perform data protection and disaster recovery operations with storage snapshots, the account used to connect to a storage system must have necessary permissions.

    NetApp Data ONTAP/Lenovo ThinkSystem DM Permissions

    The account used to connect to a NetApp Data ONTAP or Lenovo ThinkSystem DM storage system must have the following permissions, listed per integration mode as command directory and access level:

    7-Mode

    CDOT (VMware Integration)

    Command/Directory    Access/Query Level
    DEFAULT              readonly
    cluster              readonly
    metrocluster         readonly
    fcp                  readonly
    file                 readonly
    igroup               all
    iscsi                all
    network              readonly
    node                 readonly
    security             readonly
    security login       readonly
    set                  readonly
    snapmirror           all
    system               readonly
    version              readonly
    qtree                readonly
    lun                  all
    nfs                  all
    snapshot             all
    volume               all
    vserver              all

    Only as SVM (VMware Integration)

    Command/Directory    Access/Query Level
    DEFAULT              none
    lun                  all
    lun igroup           all
    network              readonly
    security             readonly
    security login       readonly
    snapmirror           all
    system               readonly
    version              readonly
    volume               all
    volume file          readonly
    volume qtree         all
    volume snapshot      all
    vserver              all
    vserver fcp          all
    vserver iscsi        all
    vserver nfs          all

    CDOT (NAS Backup Integration)

    Command/Directory    Access/Query Level
    DEFAULT              readonly
    security             readonly
    security login       readonly
    volume snapshot      all
    vserver              all
    vserver nfs          all

    Only as SVM (NAS Backup Integration)

    Command/Directory    Access/Query Level
    DEFAULT              none
    lun                  readonly
    network              readonly
    security             readonly
    security login       readonly
    snapmirror           readonly
    version              readonly
    volume               readonly
    volume snapshot      all
    vserver              all

    CDOT (Veeam Agent Integration)

    Command/Directory    Access/Query Level
    cluster              readonly
    lun                  all
    metrocluster         readonly
    network              readonly
    system license       readonly
    system node          readonly
    version              readonly
    volume               all
    volume snapshot      all
    vserver              all

    Only as SVM (Veeam Agent Integration)

    Command/Directory    Access/Query Level
    lun                  all
    network              readonly
    version              readonly
    volume               all
    volume snapshot      all
    vserver              all
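    As an added example (not Veeam's code), the following PowerShell script builds the ONTAP clustershell commands that create a role matching the Only as SVM (NAS Backup Integration) table above, sends them over SSH, and then creates the user Veeam will authenticate as. Cluster address, SVM, role and user names are assumptions, and so is the choice of ontapi and http as the applications the user may log in to.

```powershell
# Added example; not Veeam code. Creates an SVM-scoped role matching the
# "Only as SVM (NAS Backup Integration)" table on an ONTAP 9 cluster, then the
# user Veeam will authenticate as. Assumed: cluster management address
# cluster1.example.com, SVM svm_nas, role name veeam_nas, user name veeam.
$Cluster = 'admin@cluster1.example.com'
$Svm     = 'svm_nas'
$Role    = 'veeam_nas'
$User    = 'veeam'

# Command directory -> access level, row for row from the table. Because DEFAULT is
# none, any directory not listed here is denied: the role is an allow-list.
$access = [ordered]@{
    'DEFAULT'         = 'none'
    'lun'             = 'readonly'
    'network'         = 'readonly'
    'security'        = 'readonly'
    'security login'  = 'readonly'
    'snapmirror'      = 'readonly'
    'version'         = 'readonly'
    'volume'          = 'readonly'
    'volume snapshot' = 'all'
    'vserver'         = 'all'
}
$ontapCommands = foreach ($dir in $access.Keys) {
    'security login role create -vserver {0} -role {1} -cmddirname "{2}" -access {3}' -f $Svm, $Role, $dir, $access[$dir]
}
# Show the finished role so the output can be compared against the table.
$ontapCommands += "security login role show -vserver $Svm -role $Role"

# Feed the commands to the clustershell over SSH (the same as pasting them in).
$ontapCommands -join "`n" | ssh $Cluster

# The user is created interactively because ONTAP prompts for the password. Which
# applications Veeam's integration needs (ontapi, http) is an assumption of this example.
ssh -t $Cluster "security login create -vserver $Svm -user-or-group-name $User -application ontapi -authentication-method password -role $Role"
ssh -t $Cluster "security login create -vserver $Svm -user-or-group-name $User -application http -authentication-method password -role $Role"
```

    The user is created in the SVM, not at cluster scope, so the credentials entered in Veeam can touch only that SVM's volumes and snapshots; a login with the same role at cluster scope would be the Only as SVM table's cluster-wide counterpart and is more than NAS backup needs.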

    Universal Storage API Integrated Systems Permissions

    The account used to connect to a Universal Storage API integrated system must be assigned a necessary role in the storage system console and/or have a set of necessary permissions.

    For privileges required to integrate the NAS backup feature with Dell EMC Isilon, see Integration with Dell EMC Isilon in the NAS Backup Support section.

    For storage systems not mentioned above, the account must have the Administrator role.

    Related Topics

    For permissions required for Veeam Backup Enterprise Manager, see Required Permissions in the Enterprise Manager User Guide.