Permissions

For general requirements for permissions that must be provided to the user account to install and work with Veeam Backup & Replication, see Permissions for Veeam Backup & Replication. In addition to general port requirements, make sure that user accounts have permissions listed in the following subsections:

Permissions for Veeam Plug-In

Operation

Required Roles and Permissions

Installing and updating Veeam Plug-In

The account used for installing and updating Veeam Plug-In must be a member of the local Administrators group. Local administrator permissions are required to install and manage Veeam Plug-In Toolbar in Microsoft SQL Server Management Studio.

Performing backup and restore operations in Veeam Plug-In

To be able to connect to a Microsoft SQL Server instance, the account used for starting Microsoft SQL Server backup and restore processes must meet the following conditions:

  • The account must be added to the following roles: public, sysadmin.
  • If the account is not a member of the Administrators group, you must enable the Create Global Objects security policy for the account. For detailed instructions on how to manage the Create Global Objects security policy, see this Microsoft article.

Connecting to Veeam Backup & Replication, managing backups

The account that is used to authenticate against Veeam Backup & Replication must have access permissions on required Veeam backup repository servers. To learn how to configure permissions on repositories, see Access and Encryption Settings on Backup Repositories.

Veeam Plug-In for Microsoft SQL Server uses Windows authentication methods of the Veeam Backup & Replication server to establish a connection to this server and to the backup target. It is recommended to create one user for each standalone Microsoft SQL Server or failover cluster with Veeam Plug-In.

To work with backups created by Veeam Plug-In, you can use only the same account that was used to create the backup. If you want to use another account, assign to that account either the Veeam Backup Administrator role, or the Veeam Backup Operator and Veeam Restore Operator roles. For details on how to assign Veeam Backup & Replication roles, see Managing Users and Roles.

Permissions for Object Storage

The general permissions for backup to object storage are listed in Using Object Storage Repositories. Additional permissions are required if you want to back up databases with Veeam Plug-In. The list of additional permissions differs depending on the selected object storage and the way you set up your backup infrastructure:

Amazon S3

Consider the following:

Make sure that your infrastructure configuration fits the following description:

  • You plan to back up data to the Amazon S3 storage.
  • You selected direct connection in the object storage settings. For details, see Adding Amazon S3 Object Storage.

If you plan to back up data using this infrastructure configuration, make sure that the user account you use to connect to the object storage has the following permissions:

{
 "iam:AttachUserPolicy",
 "iam:CreateAccessKey",
 "iam:CreatePolicy",
 "iam:CreatePolicyVersion",
 "iam:CreateUser",
 "iam:DeleteAccessKey",
 "iam:DeletePolicy",
 "iam:DeletePolicyVersion",
 "iam:DeleteUser",
 "iam:DeleteUserPolicy",
 "iam:DetachUserPolicy",
 "iam:GetPolicy",
 "iam:GetPolicyVersion",
 "iam:GetUser",
 "iam:GetUserPolicy",
 "iam:ListAccessKeys",
 "iam:ListAttachedUserPolicies",
 "iam:ListPolicyVersions",
 "iam:ListUserPolicies",
 "iam:PutUserPolicy",
 "iam:SetDefaultPolicyVersion",
 "iam:SimulatePrincipalPolicy",
 "iam:TagUser"
}

S3 Compatible (Including IBM Cloud Object Storage, Wasabi Cloud Storage)

Consider the following:

Make sure that your infrastructure configuration fits the following description:

  • You plan to back up data to the S3 compatible storage.
  • Direct connection is selected in the object storage settings. For details, see Specify Object Storage Account.

If you plan to back up data using this infrastructure configuration, make sure that the user account you use to connect to the object storage has the following permissions:

{
 "iam:AttachUserPolicy",
 "iam:CreateAccessKey",
 "iam:CreatePolicy",
 "iam:CreatePolicyVersion",
 "iam:CreateUser",
 "iam:DeleteAccessKey",
 "iam:DeletePolicy",
 "iam:DeletePolicyVersion",
 "iam:DeleteUser",
 "iam:DeleteUserPolicy",
 "iam:DetachUserPolicy",
 "iam:GetPolicy",
 "iam:GetPolicyVersion",
 "iam:GetUser",
 "iam:GetUserPolicy",
 "iam:ListAccessKeys",
 "iam:ListAttachedUserPolicies",
 "iam:ListPolicyVersions",
 "iam:ListUserPolicies",
 "iam:PutUserPolicy",
 "iam:SetDefaultPolicyVersion",
 "sts:GetCallerIdentity"
}
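
An added example, not part of the Veeam documentation: a pre-check that compares an AWS-style JSON policy document against the Amazon S3 and S3 Compatible action lists above and reports which actions are not granted. The function names and the sample policy are constructed for illustration, and the check assumes the storage account uses AWS-style policy documents; Resource and Condition elements are not evaluated.

```python
import fnmatch

# Action lists copied from this page; the first 21 entries are common to both.
_COMMON = ["iam:" + name for name in """
AttachUserPolicy CreateAccessKey CreatePolicy CreatePolicyVersion CreateUser
DeleteAccessKey DeletePolicy DeletePolicyVersion DeleteUser DeleteUserPolicy
DetachUserPolicy GetPolicy GetPolicyVersion GetUser GetUserPolicy
ListAccessKeys ListAttachedUserPolicies ListPolicyVersions ListUserPolicies
PutUserPolicy SetDefaultPolicyVersion""".split()]
AMAZON_S3 = _COMMON + ["iam:SimulatePrincipalPolicy", "iam:TagUser"]
S3_COMPATIBLE = _COMMON + ["sts:GetCallerIdentity"]

def _as_list(value):
    # A policy may hold a single string or object where a list is expected.
    return list(value) if isinstance(value, (list, tuple)) else [value]

def _matches(action, patterns):
    # Action names are case-insensitive; '*' and '?' act as wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_actions(policy, required):
    """Return the required actions that the policy document does not grant.

    Simplified pre-check: Resource and Condition are ignored and NotAction
    statements are skipped. Any matching Deny counts as "not granted".
    """
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt:
            continue
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.extend(_as_list(stmt["Action"]))
    # An explicit Deny overrides any Allow for the same action.
    return [a for a in required
            if not _matches(a, allowed) or _matches(a, denied)]

# Constructed sample policy (hypothetical, not taken from the page).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:Get*", "iam:List*", "iam:Create*", "iam:Delete*",
                    "iam:AttachUserPolicy", "iam:DetachUserPolicy",
                    "iam:PutUserPolicy"]},
        {"Effect": "Deny", "Resource": "*", "Action": "iam:DeleteUser"},
    ],
}
```

Calling `missing_actions(SAMPLE_POLICY, AMAZON_S3)` or `missing_actions(SAMPLE_POLICY, S3_COMPATIBLE)` returns the actions still to be granted for the respective storage type; an empty list means every listed action is covered by the document.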

Google Cloud Storage

Make sure that your infrastructure configuration fits the following description:

If you plan to back up data using this infrastructure configuration, make sure that the user account you specify in the Helper Appliance settings has the following permissions:

{
 "iam.serviceAccounts.create",
 "iam.serviceAccounts.delete",
 "iam.serviceAccounts.get",
 "iam.serviceAccounts.list",
 "storage.buckets.get",
 "storage.buckets.getIamPolicy",
 "storage.buckets.list",
 "storage.buckets.setIamPolicy",
 "storage.buckets.update",
 "storage.hmacKeys.create",
 "storage.hmacKeys.delete",
 "storage.hmacKeys.get",
 "storage.hmacKeys.list",
 "storage.objects.create",
 "storage.objects.delete",
 "storage.objects.get",
 "storage.objects.list"
}

Page updated 9/1/2025

Page content applies to build 13.0.0.4967