Veeam Backup & Replication 9.5 Update 4 [Archived]
User Guide for VMware vSphere
Related documents
Search
This is an archive version of the document. To get the most up-to-date information, see the current version.

Required Permissions

Make sure that user accounts that you plan to use have permissions described in the following sections:

Installing and Using Veeam Backup & Replication

The accounts used for installing and using Veeam Backup & Replication must have the following permissions.

Account

Required Permission

Setup Account

The account used for product installation must have the local Administrator permissions on the target machine.

Veeam Backup & Replication Console Permissions

The account used to start the Veeam Backup & Replication console must have the local Administrator permissions on the machine where the console is installed.

To perform file-level restore for Microsoft Windows VMs, the account must have the following permissions and privileges:

  • Local Administrator permissions to start the Veeam Backup & Replication console
  • SeBackupPrivilege and SeRestorePrivilege to connect to the Veeam backup server and start the restore process

In most environments, SeBackupPrivilege and SeRestorePrivilege are assigned to user accounts added to the Administrators group. For more information, see Microsoft Docs.

Accounts that are members of the Protected Users Active Directory group cannot be used to access the backup server remotely over the Veeam Backup & Replication console. For more information, see Microsoft Docs.

Veeam Backup Service Account

The account used to run the Veeam Backup Service must be a LocalSystem account or must have the local Administrator permissions on the backup server.

Microsoft SQL Server
(where the configuration database is stored)

You require different sets of Microsoft SQL permissions in the following cases:

  • Installation (remote or local): current account needs CREATE ANY DATABASE permission on the SQL server level. After database creation this account automatically gets a db_owner role and can perform all operations with the database. If the current account does not have this permission, a Database Administrator may create an empty database in advance and grant the db_owner role to the account that will be used for installing Veeam Backup & Replication.
  • Upgrade: current account should have sufficient permissions for that database. To grant these permissions through role assignment, it is recommended that you use the account with db_owner role.
  • Operation: the account used to run Veeam Backup Service requires db_datareader and db_datawriter roles as well as permissions to execute stored procedures for the configuration database on the Microsoft SQL Server. Alternatively, you can assign db_owner role for this database to the service account.

Using Virtualization Servers and Hosts

The following are required permissions to work with virtualization servers and hosts during data protection tasks.

Role

Required Permission

Source/Target Host

Root permissions on the ESXi host.

If the vCenter Server is added to the backup infrastructure, an account that has administrative permissions is required.
You can either grant the Administrator role to the account or configure granular vCenter Server permissions for certain Veeam Backup & Replication operations in the VMware vSphere environment. For more information, see the Required Permissions Reference.

Linux Backup Repository

Root or equivalent permissions.

SMB Backup Repository

Write permission on the target folder and share.

Performing Guest Processing

To create transactionally consistent backups using guest OS processing, make sure to configure your accounts according to the requirements listed in this section. For more information about guest processing, see Guest Processing.

All user accounts used for guest processing must have the following permissions:

  • Logon as a batch job granted
  • Deny logon as a batch job not set

Other permissions depend on applications that you back up. You can find permissions for backup operations in the following table. For restore operation permissions, see Required Permissions sections in the Veeam Explorers User Guide.

Application

Required Permission

Microsoft SQL Server

To back up Microsoft SQL Server data, the following roles must be assigned:

  • Administrator role on the target VM.
  • Sysadmin role on the target Microsoft SQL Server.

To provide minimal permissions, the account must be assigned the following roles and permissions:

  • SQL Server instance-level role: public and dbcreator.
  • Database-level roles: db_backupoperator, db_denydatareader, public; for system databases (master, model, msdb) — db_backupoperator, db_datareader, public; for system database (msdb) — db_datawriter.
  • Securables: view any definition, view server state.

Microsoft Active Directory

To back up Microsoft Active Directory data, the account must be a member of the Domain Admins group.

Microsoft Exchange

To back up Microsoft Exchange data, the account must have the local Administrator permissions on the machine where Microsoft Exchange is installed.

Oracle

The account specified at the Specify Guest Processing Settings step must be configured as follows:

  • For a Windows-based VM, the account must be a member of both the Local Administrator group and the ORA_DBA group (if OS authentication is used). In addition, if ASM is used, then such an account must be a member of the ORA_ASMADMIN group (for Oracle 12 and higher).
  • For a Linux-based VM, the account must be a Linux user elevated to root.

To back up Oracle databases, make sure the account specified on the Oracle tab has been granted SYSDBA privileges. You can use either the same account that was specified at the Specify Guest Processing Settings step if such an account is a member of the ORA_DBA group for a Windows-based VM and OSASM, OSDBA and OINSTALL groups for a Linux-based VM, or you can use, for example, the SYS Oracle account or any other Oracle account that has been granted SYSDBA privileges.

Microsoft SharePoint

To back up Microsoft SharePoint server, the account must be assigned the Farm Administrator role.

To back up Microsoft SQL databases of the Microsoft SharePoint Server, the account must have the same privileges as that of Veeam Explorer for Microsoft SQL Server.

Consider the following general requirements when choosing a user account for transactionally consistent backups:

  • When using Active Directory accounts, make sure to provide an account in the DOMAIN\Username format.
  • When using local user accounts, make sure to provide an account in the Username or HOST\Username format.
  • To process a Domain Controller server, make sure that you are using an account that is a member of the DOMAIN\Administrators group.
  • To back up a Read-Only Domain controller, a delegated RODC administrator account is sufficient. For more information, see this Microsoft article.

Using Amazon S3 Object Storage

The following are required permissions to work with Amazon S3 object storage. For more information, see this Amazon article.

Required Permissions Note:

Make sure the account you are using has access to Amazon buckets and folders.

{

 "s3:ListBucket",

 "s3:GetBucketLocation",

 "s3:GetObject",

 "s3:PutObject",

 "s3:DeleteObject",

 "s3:ListAllMyBuckets",

 "s3:HeadBucket"

}

Related Topics

For permissions required for Veeam Backup Enterprise Manager, see Required Permissions in the Enterprise Manager User Guide.

View all results across Veeam
Back to document search