Permissions

For general requirements for permissions that must be provided to the user account to install and work with Veeam Backup & Replication, see Permissions for Veeam Backup & Replication. In addition to general port requirements, make sure that user accounts have permissions listed in the following subsections:

Permissions for Veeam Plug-In

Operation

Required Roles and Permissions

Installing and updaing Veeam Plug-In

The account used for installing and updating Veeam Plug-In must have root privileges.

Performing backup and restore operations in Veeam Plug-In

The account used to start BR*Tools backup and restore operations must have permissions described in the Starting BR*Tools section in the SAP Database Guide: Oracle.

Connecting to Veeam Backup & Replication, managing backups

  • The account specified in the Veeam Plug-In configuration settings must be able to authenticate against the Veeam Backup & Replication server. For details, see Configuring Plug-In for SAP on Oracle.
  • The account specified in the Veeam Plug-In configuration settings must be granted access rights on the Veeam backup repository where you want to store backups.

To learn how to grant permissions on Veeam repositories, see Access and Encryption Settings on Repositories.

  • You can work with backups created by Veeam Plug-In only with the account used for creating the backups. If you want to use another account, see required permissions in Configuring Plug-In for SAP on Oracle.

Permissions for Object Storage

The general permissions for backup to object storage are listed in Using Object Storage Repositories. Additional permissions are required if you want to back up databases with Veeam Plug-In. The list of additional permissions differs depending on the selected object storage and the way you set your backup infrastructure:

Amazon S3

Consider the following:

Make sure that your infrastructure configuration fits the following description:

  • You plan to back up data to the Amazon S3 storage.
  • You selected direct connection in the object storage settings. For details, see Adding Amazon S3 Object Storage.

If you plan to back up data using such infrastructure configuration, make sure the user account that you use to connect to the object storage has the following permissions:

{
 "iam:AttachUserPolicy",
 "iam:CreateAccessKey",
 "iam:CreatePolicy",
 "iam:CreatePolicyVersion",
 "iam:CreateUser",
 "iam:DeleteAccessKey",
 "iam:DeletePolicy",
 "iam:DeletePolicyVersion",
 "iam:DeleteUser",
 "iam:DeleteUserPolicy",
 "iam:DetachUserPolicy",
 "iam:GetPolicy",
 "iam:GetPolicyVersion",
 "iam:GetUser",
 "iam:GetUserPolicy",
 "iam:ListAccessKeys",
 "iam:ListAttachedUserPolicies",
 "iam:ListPolicyVersions",
 "iam:ListUserPolicies",
 "iam:PutUserPolicy",
 "iam:SetDefaultPolicyVersion",
 "iam:SimulatePrincipalPolicy",
 "iam:TagUser"
}

S3 Compatible (Including IBM Cloud Object Storage, Wasabi Cloud Storage)

Consider the following:

Make sure that your infrastructure configuration fits the following description:

  • You plan to back up data to the S3 compatible storage.
  • Direct connection is selected in the object storage settings. For details, see Specify Object Storage Account.

If you plan to back up data using such infrastructure configuration, make sure the user account that you use to connect to the object storage has the following permissions:

{
 "iam:AttachUserPolicy",
 "iam:CreateAccessKey",
 "iam:CreatePolicy",
 "iam:CreatePolicyVersion",
 "iam:CreateUser",
 "iam:DeleteAccessKey",
 "iam:DeletePolicy",
 "iam:DeletePolicyVersion",
 "iam:DeleteUser",
 "iam:DeleteUserPolicy",
 "iam:DetachUserPolicy",
 "iam:GetPolicy",
 "iam:GetPolicyVersion",
 "iam:GetUser",
 "iam:GetUserPolicy",
 "iam:ListAccessKeys",
 "iam:ListAttachedUserPolicies",
 "iam:ListPolicyVersions",
 "iam:ListUserPolicies",
 "iam:PutUserPolicy",
 "iam:SetDefaultPolicyVersion",
 "sts:GetCallerIdentity"
}

 

 

Google Cloud Storage

Make sure that your infrastructure configuration fits the following description:

If you plan to back up data using such infrastructure configuration, make sure the user account that you specify in the Helper Appliance settings has the following permissions:

{
 "iam.serviceAccounts.create",
 "iam.serviceAccounts.delete",
 "iam.serviceAccounts.get",
 "iam.serviceAccounts.list",
 "storage.buckets.get",
 "storage.buckets.getIamPolicy",
 "storage.buckets.list",
 "storage.buckets.setIamPolicy",
 "storage.buckets.update",
 "storage.hmacKeys.create",
 "storage.hmacKeys.delete",
 "storage.hmacKeys.get",
 "storage.hmacKeys.list",
 "storage.objects.create",
 "storage.objects.delete",
 "storage.objects.get",
 "storage.objects.list"
}

Page updated 9/1/2025

Page content applies to build 13.0.0.4967