Permissions

The accounts used to deploy and administer backup infrastructure components must have the following permissions.

Backup Server Windows Account

The Windows account used to install Veeam Backup & Replication and Nutanix AHV Plug-in on the backup server must have the following permissions.

| Account | Required Permission |
|---|---|
| Setup Account | The account used to install Veeam Backup & Replication and Nutanix AHV Plug-in must have the Local Administrator permissions on the backup server. |
| Veeam Backup & Replication User Account | The account used to run Veeam Backup & Replication services must be a LocalSystem account or must have the Local Administrator permissions on the backup server. |

Nutanix AHV Cluster Administrator Account

The Nutanix AHV administrator account that Veeam Backup for Nutanix AHV uses to access the cluster must have privileges of the Prism Admin role or higher. For more information on user access control, see Nutanix documentation.

Performing Guest Processing

To use guest OS processing (application-aware processing, pre-freeze and post-thaw scripts, transaction log processing, guest file indexing and file exclusions), make sure to configure your accounts according to the requirements listed in this section. For more information on guest processing, see Guest Processing.

All user accounts used for guest processing of Windows VMs must have the following permissions:

  • The Log on as a batch job policy is granted.
  • The Deny log on as a batch job policy is not set.

If Veeam Backup & Replication fails to use the Log on as a batch job policy, Interactive Logon is used.

Other permissions depend on applications that you back up. You can find permissions for backup operations in the following table. For restore operation permissions, see Permissions sections in the Veeam Explorers User Guide.

Application

Required Permission

Microsoft SQL Server

To back up Microsoft SQL Server data, the user whose account you plan to use must be:

  • Local Administrator on the target VM.
  • System administrator (has the Sysadmin role) on the target Microsoft SQL Server.

If you need to provide minimal permissions, the account must be assigned the following roles and permissions:

  • SQL Server instance-level role: public and dbcreator.
  • Database-level roles and roles for the model system database: db_backupoperator, db_denydatareader, public.
  • Roles for the master system database: db_backupoperator, db_datareader, public.
  • Roles for the msdb system database: db_backupoperator, db_datareader, public, db_datawriter.
  • Securables: view any definition, view server state, connect SQL.

If the account does not have enough rights, Veeam Backup & Replication tries to truncate logs using the local SYSTEM account for Microsoft SQL Server 2008 and 2008 R2. For other Microsoft SQL Server versions, Veeam Backup & Replication uses the NT AUTHORITY\SYSTEM account.
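The minimal roles and securables listed above can be granted with a script like the following. This is an added example, not a Veeam-provided script: the login name CONTOSO\svc-veeam-guest is a placeholder, applying the first database-level role set to model and to every user database is this example's reading of the list, and the ALTER SERVER ROLE / ALTER ROLE ... ADD MEMBER syntax requires SQL Server 2012 or later.

```sql
-- Added example. CONTOSO\svc-veeam-guest is a placeholder login name;
-- change it in both places below. Run as a sysadmin in SSMS or sqlcmd.
USE [master];
IF SUSER_ID(N'CONTOSO\svc-veeam-guest') IS NULL
    CREATE LOGIN [CONTOSO\svc-veeam-guest] FROM WINDOWS;

-- Instance-level role (public is implicit for every login).
ALTER SERVER ROLE [dbcreator] ADD MEMBER [CONTOSO\svc-veeam-guest];

-- Securables.
GRANT VIEW ANY DEFINITION TO [CONTOSO\svc-veeam-guest];
GRANT VIEW SERVER STATE   TO [CONTOSO\svc-veeam-guest];
GRANT CONNECT SQL         TO [CONTOSO\svc-veeam-guest];

-- Database-level roles. Scope '*' = model and every user database
-- (this script's reading of the list above). tempdb, offline and
-- read-only databases are skipped because role changes cannot be made there.
DECLARE @login sysname = N'CONTOSO\svc-veeam-guest';
DECLARE @db sysname, @role sysname, @sql nvarchar(max);

DECLARE role_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT d.name, r.role_name
    FROM sys.databases AS d
    JOIN (VALUES (N'master', N'db_backupoperator'),
                 (N'master', N'db_datareader'),
                 (N'msdb',   N'db_backupoperator'),
                 (N'msdb',   N'db_datareader'),
                 (N'msdb',   N'db_datawriter'),
                 (N'*',      N'db_backupoperator'),
                 (N'*',      N'db_denydatareader')) AS r (scope, role_name)
      ON r.scope = d.name
      OR (r.scope = N'*' AND d.name NOT IN (N'master', N'msdb'))
    WHERE d.name <> N'tempdb' AND d.state_desc = N'ONLINE' AND d.is_read_only = 0;

OPEN role_cursor;
FETCH NEXT FROM role_cursor INTO @db, @role;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Create the database user on first visit, then add the role membership.
    SET @sql = N'USE ' + QUOTENAME(@db) + N'; '
        + N'IF DATABASE_PRINCIPAL_ID(N' + QUOTENAME(@login, '''') + N') IS NULL '
        + N'CREATE USER ' + QUOTENAME(@login) + N' FOR LOGIN ' + QUOTENAME(@login) + N'; '
        + N'ALTER ROLE ' + QUOTENAME(@role) + N' ADD MEMBER ' + QUOTENAME(@login) + N';';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM role_cursor INTO @db, @role;
END
CLOSE role_cursor;
DEALLOCATE role_cursor;
```

Databases created after the script runs do not pick up the memberships, so rerun it when new databases are added to the instance.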

Microsoft Active Directory

To back up Microsoft Active Directory data, the account must be a member of the built-in Administrators group.

Microsoft Exchange

To back up Microsoft Exchange data, the account must have the local Administrator permissions on the machine where Microsoft Exchange is installed.

Oracle

The account specified at the Guest Processing step must be configured in the following way:

  • For a Windows-based VM, the account must be a member of both the Local Administrator group and the ORA_DBA group (if OS authentication is used). In addition, if ASM is used, the account must be a member of the ORA_ASMADMIN group (for Oracle 12 and higher).
  • For a Linux-based VM, the account must be a Linux user elevated to root. A home directory must exist for the account.

To back up Oracle databases, you can specify the following options at the Oracle tab:

  • Oracle account with SYSDBA privileges.
    You can use, for example, the SYS Oracle account or any other Oracle account that has been granted SYSDBA privileges.
  • Account specified for guest processing. That is, the Use guest credentials option selected.
    In this case, the account that was specified at the Guest Processing step must be a member of the ORA_DBA group for a Windows-based VM and OSASM, OSDBA and OINSTALL groups for a Linux-based VM.

To perform guest processing for Oracle databases on Linux servers, make sure that the /tmp directory is mounted with the exec option. Otherwise, guest processing fails with a permission denied error.

Microsoft SharePoint

To back up a Microsoft SharePoint server, the account must have the Farm Administrator role.

To back up Microsoft SQL databases of the Microsoft SharePoint Server, the account must have the same privileges as those required for Veeam Explorer for Microsoft SQL Server.

PostgreSQL

The account specified at the Guest Processing step must be a Linux user elevated to root. A home directory must exist for the account.

To back up PostgreSQL instances, the account must have superuser privileges for the PostgreSQL instance. For more information, see PostgreSQL documentation.

Consider the following general requirements when choosing a user account:

  • [For guest OS file indexing] For Windows-based workloads, choose an account that has administrator privileges. For Linux-based workloads, choose an account of a root user or user elevated to root.
  • [If you plan to use guest processing over network for workloads without listed applications] For Windows-based workloads, choose an account that has administrator privileges. For Linux-based workloads, choose an account of a root user or user elevated to root.
  • When using Active Directory accounts, make sure to provide an account in the DOMAIN\Username format.
  • When using local user accounts, make sure to provide an account in the Username or HOST\Username format.
  • To process a domain controller server, make sure that you are using an account that is a member of the DOMAIN\Administrators group.
  • To back up a read-only domain controller (RODC), a delegated RODC administrator account is sufficient. For more information, see Microsoft Docs.

Page updated 11/28/2024

Page content applies to build 12.7.0.172