The accounts used for installing and using Veeam Backup & Replication must have the following permissions:
The account used for product installation must have the local Administrator permissions on the target machine.
Veeam Backup & Replication Console Permissions
The account used to start the Veeam Backup & Replication console must have the local Administrator permissions on the machine where the console is installed.
To perform file-level restore for Microsoft Windows VMs, the account must have the following permissions and privileges:
In most environments, SeBackupPrivilege and SeRestorePrivilege are assigned to user accounts added to the Administrators group. For more information, see Microsoft Docs.
Accounts that are members of the Protected Users Active Directory group cannot be used to access the backup server remotely over the Veeam Backup & Replication console. For more information, see Microsoft Docs.
Veeam Backup Service Account
The account used to run the Veeam Backup Service must be a LocalSystem account or must have the local Administrator permissions on the backup server.
Target/Source Host Permissions
Root permissions on the source ESXi host.
Root or equivalent permissions on the Linux backup repository.
Write permission on the target folder and share.
If the vCenter Server is added to the backup infrastructure, an account that has administrative permissions is required.
Microsoft SQL Server
You require different sets of Microsoft SQL permissions in the following cases:
Veeam Backup Enterprise Manager
The local Administrator permissions on the Veeam Backup Enterprise Manager server to install Veeam Backup Enterprise Manager.
To be able to work with Veeam Backup Enterprise Manager, users must be assigned the Portal Administrator, Restore Operator or Portal User role. For more information, see the Required Permissions section in the Enterprise Manager User Guide.
The account used for guest processing of VMs that run VSS-aware applications must have the following user rights assigned:
When creating transactionally consistent backups, make sure to configure your accounts according to the requirements listed in the following table. For more information about transactionally consistent backups, see Guest Processing.
To back up Microsoft SQL Server data, the following roles must be assigned:
To provide minimal permissions, the account must be assigned the following roles and permissions:
To back up Microsoft Active Directory data, the account must be a member of the Domain Admins group.
To back up Microsoft Exchange data, the account must be granted Full Access to Microsoft Exchange database and its log files.
The account specified at the Specify Guest Processing Settings step must be configured as follows:
To back up Oracle databases, make sure the account specified on the Oracle tab has been granted SYSDBA privileges. You can use either the same account that was specified at the Specify Guest Processing Settings step if such an account is a member of the ORA_DBA group for a Windows-based VM and OSASM, OSDBA and OINSTALL groups for a Linux-based VM, or you can use, for example, the SYS Oracle account or any other Oracle account that has been granted SYSDBA privileges.
To back up Microsoft SharePoint server:
To back up Microsoft SQL databases of the Microsoft SharePoint Server:
Consider the following general requirements when choosing a user account for transactionally consistent backups:
- When using Active Directory accounts, make sure to provide an account in the DOMAIN\Username format.
- When using local user accounts, make sure to provide an account in the Username or HOST\Username format.
- To process a Domain Controller server, make sure that you are using an account that is a member of the DOMAIN\Administrators group.
- To back up a Read-Only Domain controller, a delegated RODC administrator account is sufficient. For more information, see this Microsoft article.