Veeam Backup 11 0 Permissions

Veeam Backup & Replication
Version 11
Required Permissions for VMware vSphere
July, 2021
© 2021 Veeam Software.
All rights reserved. All trademarks are the property of their respective owners.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or
translated into any language in any form by any means, without written permission from Veeam Software
(Veeam). The information contained in this document represents the current view of Veeam on the issue
discussed as of the date of publication and is subject to change without notice. Veeam shall not be liable for
technical or editorial errors or omissions contained herein. Veeam makes no warranties, express or implied, in
this document. Veeam may have patents, patent applications, trademark, copyright, or other intelle ctual
property rights covering the subject matter of this document. All other trademarks mentioned herein are the
property of their respective owners. Except as expressly provided in any written license agreement from Veeam,
the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
NOTE :
Read the End User Software License Agreement before using the accompanying software programs. Using
any part of the software indicates that you accept the terms of the End User Software License Agreement.
2 | V eeam Backup & Replication | Required Permissions for VMware vSphere

Contents
CONTACTING VEEAM SOF TWARE ................................ ................................ ........................... 4
ABOUT THIS DOCUMENT ................................ ................................ ................................ ..... 5
INSTALLATION AND OPERATION ................................ ................................ ............................ 6
CUMULATIVE PERMISSIONS................................ ................................ ................................ .. 8
BACKUP ................................ ................................ ................................ ......................... 11
REPLICATION ................................ ................................ ................................ .................. 13
REPLICA FAILOVER ................................ ................................ ................................ ........... 15
REPLICA FAILBACK ................................ ................................ ................................ ........... 16
CONTINUOUS DATA P ROTECTION (CDP) ................................ ................................ .................. 17
CDP FAILOVER ................................ ................................ ................................ ................ 19
CDP FAILBACK................................ ................................ ................................ ................ 20
INSTANT VM RECOVERY ................................ ................................ ................................ ..... 21
QUICK MIGRATION................................ ................................ ................................ ............ 22
SUREBACKUP................................ ................................ ................................ .................. 23
ENTIRE VM RESTORE ................................ ................................ ................................ .........24
FILE -LEVEL RESTORE ................................ ................................ ................................ ........26
VSPHERE WEB CLIENT PLUG-IN FOR VEEAM BAC KUP & REPLICATION ................................ ............... 27

Contacting Veeam Software
At Veeam Software we value feedback from our customers. It is important not only to help you quickly with your
technical issues, but it is our mission to listen to your input and build products that incorporate your
suggestions.
Customer Support
Should you have a technical concern, suggestion or question, visit the Veeam Customer Support Portal to open a
case, search our knowledge base, reference documentation, manage your license or obtain the latest product
release.
Company Contacts
For the most up-to-date information about company contacts and office locations, visit the Veeam Contacts
Webpage.
Online Support
If you have any questions about Veeam products, you can use the following resources:
• Full documentation set: www.veeam.com/documentation-guides-datasheets.html
• Veeam R&D Forums at forums.veeam.com

About This Document
This document provides information about accounts and permissions required for Veeam Backup & Replication
installation and operation, and also about granular vCenter Server permissions required for the certain Veeam
Backup & Replication operations in VMware vSphere 6.x environment.

Installation and Operation
The accounts used for installing and using Veeam Backup & Replication must have the following permissions
(detailed list is provided in the User Guide):
Account Required P ermissions
Setup Account Local Administrator permissions on the Veeam Backup & Replication console to install
Veeam Backup & Replication.
Ta rget/Source Host Linux host: root or equivalent permissions

Configuration
Hyper-V server: Local Administrator permissions
Target folder and share: write permissions
ESXi server: root permissions
vCenter: administrative or granular* permissions

* The required granular permissions depend on the operations that you are planning to carry
out. For the possible operations, see other sections in this guide. For example, permissions
required for backup operations are described in the Backup section.
SQL Server The account used to run Veeam Backup Service requires db-datareader and
db_datawriter roles, as well as permissions to execute stored procedures for the
VeeamBackup database (or another one used as Veeam Backup database) on the SQL
Server instance. Alternatively, you can assign db_owner role for that database to
service account.
The account used to run Veeam Backup Enterprise Manager service requires db-
datareader and db_datawriter roles, as well as permissions to execute stored
procedures for the VeeamBackupReporting database (or another one used as Veeam
Backup Enterprise Manager database) on the SQL Server instance. Alternatively, you
can assign db_owner role for that database to service account.
Veeam Backup Local Administrator permissions on the destination server to install Veeam Backup
E nterprise Manager Enterprise Manager.
To be able to work with Veeam Backup Enterprise Manager, users must be assigned
the Portal Administrator, Restore Operator or Portal User role.
For more information on permissions required for Enterprise Manager operation, see
the Required Permissions section in the Enterprise Manager User Guide.
Veeam Explorer for The account used for connection with target domain controller where
Microsoft Active objects/containers will be restored needs the following:
Directory
• Administrative rights for target Active Directory
• Membership in the Exchange Organization Management group — to provide for
automatic mailbox re-connect for recovered user or group account

Account Required P ermissions
• The user account that you specify for guest processing of the Microsoft SQL
Veeam Explorer for
Microsoft SQL Server VM in the backup job should have the sysadmin fixed role assigne d on
Server that SQL Server, or the set of garnular roles described here.
• The account you will use to access the target Microsoft SQL server where
database will be restored needs the sysadmin fixed role on that server.
• The account you plan to use for connection to the Windows machine (where
database log backup files will be copied for further log replay) will need
sufficient permissions to access the administrative share on that machine: Read
and Write are minimal required. For restore scenarios that involve log r eplay,
that machine is your target SQL Server. For export, this is your staging system.
For more information, see the Required Permissions section in the Veeam
Explorers User Guide.
• The account used to run Veeam Explorer for Microsoft SQL Server should have
sufficient permissions for the folder where you plan to export the database files:
Read and Write are minimal recommended.
Veeam Explorer for Full access to Microsoft Exchange database and its log files for item recovery. You
Microsoft Exchange need both Read and Write permissions to all files in the folder with the database.
Access rights for item recovery can be provided through impersonation, as described
in the Configuring Exchange Impersonation article, or by providing user account with
Full Access to mailbox.
For more information, see the Required Permissions section in the Veeam Explorers
User Guide.
Veeam Explorer for For more information on accounts used for Veeam Explorer operations and
Microsoft corresponding permissions, see the Required Permissions section in the Veeam
Sha rePoint Explorers User Guide.
Veeam Explorer for For more information on accounts used for Veeam Explorer operations, and
Ora cle corresponding permissions see the Required Permissions section in the Veeam
Explorers User Guide.
IMP ORTANT!
To back up and restore virtual machines in VMware vSphere 5.x environment, make sure the following
permissions are set for the corresponding account at the vCenter Server level: Disable methods, Enable
methods, Licenses.
For more information, see the VMware Knowledge Base KB 2063054 article.

Cumulative Permissions
This section lists cumulative vCenter permissions required for Veeam Backup & Replication operations.
IMP ORTANT!
To back up and restore virtual machines in VMware vSphere 5.x environment, make sure the following
permissions are set for the corresponding account at the vCenter Server level: Disable Methods, Enable
Methods, Licenses.
For more information, refer to the VMware Knowledge Base KB 2063054 article.
NOTE :
The permissions to create and edit tag categories can only be granted at the root level.
P rivilege Level Cumulative Permissions
Cryptographic operations Add disk

Direct Access
Encrypt
Encrypt new
Migrate
d vP ort Group Create

Delete
Modify
Da tastore Allocate space

Browse datastore
Configure datastore
Low-level file operations
Remove file
E x tension Register extension

Unregister extension
Fold er Create folder

Delete folder
Global Disable methods

Enable methods
Licenses
Log event
Manage custom attributes
Set custom attribute
Settings

Host Configuration Advanced settings

Maintenance
Network configuration
Query patch
Storage partition configuration
vSp here Tagging Assign or Unassign vSphere Tag
Network Assign network

Configure
Resource Assign virtual machine to resource pool

Create resource pool
Migrate powered off virtual machine
Migrate powered on virtual machine
Remove resource pool
Da tastore cluster Configure a datastore cluster
P rofile-driven storage Profile-driven storage update

Profile-driven storage view
vAp p Add virtual machine

Assign resource pool
Unregister
Virtual Machine Cha nge Configuration Acquire disk lease

Add existing disk
Add new disk
Add or remove device
Advanced configuration
Change Settings
Change resource
Configure RAW device*
Extend virtual disk
Modify device settings
Remove disk
Rename
Set annotation
Toggle disk change tracking
E d it Inventory Create
Register
Remove
Unregister

Guest operations Guest operation modifications

Guest operation program execution
Guest operation queries
Interaction Configure CD media

Configure floppy media
Console interaction
Connect devices
Guest operating system management by
VIX API
Power Off
Power On
Suspend
P rovisioning Allow disk access

Allow read-only disk access
Allow virtual machine download
Allow virtual machine files upload
Mark as template**
Mark as virtual machine**
Sna pshot Management Create snapshot

Remove snapshot
Rename snapshot
Revert to snapshot
* required if machines have Virtual Compatibility RDM disks and Virtual appliance mode is used for a backup p roxy
** required for template restore

Backup
Below are vCenter Server granular permissions required for backup:
P rivilege Level Required P ermissions
Direct SAN Access Virtual Appliance Mode Network Mode

Mod e
Da tastore Low-level file Low-level file operations Low-level file

operations operations
Global Disable methods Disable methods Disable methods

Enable methods Enable methods Enable methods
Licenses Licenses Licenses
Log event Log event Log event
Manage custom Manage custom attributes Manage custom
attributes Set custom attribute attributes
Set custom attribute Set custom attribute
Da tastore cluster Configure a datastore Configure a datastore Configure a datastore

cluster cluster cluster
Virtual Cha nge Acquire disk lease Acquire disk lease Acquire disk lease
Ma chine Configuration Advanced Add existing disk Advanced
configuration Add or remove device configuration
Set Annotation Advanced configuration Set annotation
Toggle disk change Configure RAW device (if Toggle disk change
tracking machines have Virtual tracking
Compatibility RDM disks)
Remove disk
Set annotation
Guest Guest operation Guest operation Guest operation

op erations modifications modifications modifications
Guest operation Guest operation program Guest operation
program execution execution program execution
Guest operation Guest operation queries Guest operation
queries queries
Interaction Guest operating Guest operating system Guest operating

system management management by VIX API system management
by VIX API by VIX API


Mod e
P rovisioning Allow read-only disk Allow read-only disk access Allow read-only disk
access Allow virtual machine access
Allow virtual machine download Allow virtual machine
download download
Sna pshot Create snapshot Create snapshot Create snapshot

Ma nagement Remove snapshot Remove snapshot Remove snapshot

Replication
Below are vCenter Server granular permissions required for replication:

Mod e
Da tastore Allocate space Allocate space Allocate space

Browse datastore Browse datastore Browse datastore
Configure datastore Configure datastore Configure datastore
Low-level file Low-level file Low-level file
operations operations operations
Remove file Remove file Remove file

Manage custom Manage custom Manage custom
attributes attributes attributes
Set custom attribute Set custom attribute Set custom attribute
Network Assign network Assign network Assign network
Resource Assign virtual machine Assign virtual machine Assign virtual machine
to resource pool to resource pool to resource pool
Da tastore cluster Configure a datastore Configure a datastore Configure a datastore

cluster cluster cluster
P rofile-driven storage Profile-driven storage Profile-driven storage Profile-driven storage

update update update
Profile-driven storage Profile-driven storage Profile-driven storage
view view view
vAp p Add virtual machine Add virtual machine Add virtual machine
Assign resource pool Assign resource pool Assign resource pool
Unregister Unregister Unregister


Mod e
Virtual Cha nge Acquire disk lease Acquire disk lease Acquire disk lease
Ma chine Configuration Add new disk Add existing disk Add new disk
Advanced configuration Add new disk Advanced configuration
Extend virtual disk Advanced configuration Extend virtual disk
Toggle disk change Change resource Toggle disk change
tracking Extend virtual disk tracking
Remove disk
Toggle disk change
tracking
E d it Inventory Register Register Register

Remove Remove Remove
Guest Guest operation Guest operation Guest operation

op erations modifications modifications modifications
Guest operation Guest operation Guest operation
program execution program execution program execution
Guest operation queries Guest operation queries Guest operation queries
Interaction Connect devices Connect devices Connect devices

Guest operating system Guest operating system Guest operating system
management by VIX management by VIX management by VIX
API API API
P rovisioning Allow disk access Allow disk access Allow disk access
Allow read-only disk Allow read-only disk Allow read-only disk
access access access
Allow virtual machine Allow virtual machine Allow virtual machine
download download download

Rename snapshot Rename snapshot Rename snapshot
Revert to snapshot Revert to snapshot Revert to snapshot

Replica Failover
Below are vCenter Server granular permissions required for replica failover:
Da tastore Browse datastore

Remove file
Global Log event
Virtual Machine Cha nge Configuration Advanced Configuration

Rename
Interaction Power Off

Power On

Remove snapshot
Revert to snapshot

Replica Failback
Below are vCenter Server granular permissions required for replica failback:

Browse datastore
Remove file

Enable methods
Licenses
Log event


Add existing disk
Add new disk
Remove disk
Rename
E d it Inventory Register

Power On


Remove snapshot
Revert to snapshot

Continuous Data Protection (CDP)
Below are vCenter Server granular permissions required for continuous data protection (CDP):

Browse datastore
Configure datastore
Remove file

Enable methods
Licenses
Log event
Manage custom attributes
Set custom attribute
Host Configuration Advanced settings

Maintenance
Query patch
Da tastore cluster Configure a datastore cluster


Unregister

Add existing disk
Add new disk
Change settings
Extend virtual disk
Remove disk

Remove
Guest operations Guest operation modifications

Interaction Connect devices

Guest operating system management by VIX API


Remove snapshot
Rename snapshot
Revert to snapshot

CDP Failover
Granular permissions required for CDP failover are the same as for replica failover. For more information, see
Replica Failover.

CDP Failback
Below are vCenter Server granular permissions required for CDP failback:

Browse datastore
Remove file

Enable methods
Licenses
Log event


Add existing disk
Add new disk
Change Settings
Remove disk
Rename

Power On


Remove snapshot
Revert to snapshot
20 | V eeam Backup & Replication | Required Permissions for V Mware vSphere

Instant VM Recovery
Below are vCenter Server granular permissions required for Instant VM Recovery:

Remove file
Global Log event
Host Configuration Storage partition configuration

Configure

Unregister
Virtual Machine Cha nge Configuration Modify device settings

Interaction Configure CD media

Configure floppy media
Console interaction
Power Off
Power On
Unregister

Remove snapshot

Quick Migration
Below are vCenter Server granular permissions required for Quick Migration:

Browse datastore
Remove file

Enable methods
Licenses
Log event
Settings

Migrate powered off virtual machine
Migrate powered on virtual machine

Virtual Machine Cha nge Configuration Add existing disk

Add new disk
Change resource
Remove disk
Rename
Interaction Connect devices

Power Off
Power On
Suspend
Remove
Unregister


Remove snapshot
Revert to snapshot

SureBackup
Below are vCenter Server granular permissions required for SureBackup:
d vP ort Group Create

Delete

Remove file
Сonfigure datastore (if you restore to vSAN datastore)
Fold er Create folder

Delete folder
Global Licenses
Log event
Host Configuration Network configuration

Storage partition configuration

Create resource pool
Remove resource pool
Virtual Machine Cha nge Configuration Add or remove device


Power On
Remove
Unregister

Remove snapshot

Entire VM Restore
Below are vCenter Server granular permissions required for entire VM restore:

Mod e
d vP ort Group Create Create Create

Delete Delete Delete
Da tastore Allocate space Allocate space Allocate space

Browse datastore Browse datastore Browse datastore
Low-level file Configure datastore (if Configure datastore (if
operations you restore to vSAN you restore to vSAN
Remove file datastore) datastore)
Low-level file operations Low-level file operations
Remove file Remove file
Fold er Create folder Create folder Create folder

vSp here Tagging Assign or Unassign Assign or Unassign Assign or Unassign

vSphere Tag vSphere Tag vSphere Tag
Network Assign network Assign network Assign network

Configure Configure Configure
Resource Assign virtual Assign virtual machine to Assign virtual machine to

machine to resource resource pool resource pool
pool
P rofile-driven storage Profile-driven Profile-driven storage Profile-driven storage

storage update update update
Profile-driven Profile-driven storage Profile-driven storage
storage view view view
vAp p Add virtual machine Add virtual machine Add virtual machine
Assign resource pool Assign resource pool Assign resource pool
Unregister Unregister Unregister


Mod e
Virtual Cha nge Acquire disk lease Add existing disk Add existing disk
Ma chine Configuration Add existing disk Add new disk Add new disk
Add new disk Advanced configuration Advanced configuration
Advanced Change Settings Change Settings
configuration Modify device settings Modify device settings
Change Settings Remove disk Remove disk
Modify device Toggle disk change Toggle disk change
settings tracking tracking
Remove disk
Toggle disk change
tracking
E d it Inventory Register Create Create

Remove Register Register
Remove Remove
Interaction Connect devices Connect devices Connect devices

Power Off Power Off Power Off
Power On Power On Power On
P rovisioning Allow disk access Allow disk access Allow disk access
Allow read-only disk Allow read-only disk Allow read-only disk
access access access
Allow virtual Allow virtual machine Allow virtual machine
machine download download download
Allow virtual Allow virtual machine Allow virtual machine
machine files upload files upload files upload
Mark as template* Mark as template* Mark as template*
Mark as virtual Mark as virtual machine* Mark as virtual machine*
machine*

Revert to snapshot Revert to snapshot Revert to snapshot
* required for template restore

File-level Restore
File-level Restore (Windows)
Below are vCenter Server granular permissions required for file-level restore of a Windows VM:
Virtual Machine Guest operations Guest operation modifications

File-level Restore (Other guest)

Below are vCenter Server granular permissions required for file-level restore of a non-Windows VM:

Global Log event
Host Configuration Storage partition configuration

Configure
Virtual Machine Cha nge Configuration Modify device settings

Change Settings

Power On
Unregister

vSphere Web Client Plug-in for Veeam
Backup & Replication
Below are vCenter Server granular permissions required for installation and uninstallation of vSphere Web Client
plug-in for Veeam Backup & Replication:
E x tension Register extension

Unregister extension

Veeam Backup 11 0 Permissions

Uploaded by

Copyright:

Available Formats

Veeam Backup 11 0 Permissions

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Veeam Backup 11 0 Permissions

Uploaded by

Copyright:

Available Formats

Veeam Backup & Replication

2 | V eeam Backup & Replication | Required Permissions for VMware vSphere

3 | V eeam Backup & Replication | Required Permissions for VMware vSphere

• Full documentation set: www.veeam.com/documentation-guides-datasheets.html

• Veeam R&D Forums at forums.veeam.com

4 | V eeam Backup & Replication | Required Permissions for VMware vSphere

5 | V eeam Backup & Replication | Required Permissions for VMware vSphere

Account Required P ermissions

Ta rget/Source Host Linux host: root or equivalent permissions

Target folder and share: write permissions

ESXi server: root permissions

vCenter: administrative or granular* permissions

6 | V eeam Backup & Replication | Required Permissions for VMware vSphere

7 | V eeam Backup & Replication | Required Permissions for VMware vSphere

P rivilege Level Cumulative Permissions

Cryptographic operations Add disk

d vP ort Group Create

Da tastore Allocate space

E x tension Register extension

Fold er Create folder

Global Disable methods

8 | V eeam Backup & Replication | Required Permissions for VMware vSphere

Host Configuration Advanced settings

vSp here Tagging Assign or Unassign vSphere Tag

Network Assign network

Resource Assign virtual machine to resource pool

Da tastore cluster Configure a datastore cluster

P rofile-driven storage Profile-driven storage update

vAp p Add virtual machine

Virtual Machine Cha nge Configuration Acquire disk lease

9 | V eeam Backup & Replication | Required Permissions for VMware vSphere

Guest operations Guest operation modifications

Interaction Configure CD media

P rovisioning Allow disk access

Sna pshot Management Create snapshot

10 | V eeam Backup & Replication | Required Permissions for VMware vSphere

P rivilege Level Required P ermissions

Direct SAN Access Virtual Appliance Mode Network Mode

Da tastore Low-level file Low-level file operations Low-level file

Global Disable methods Disable methods Disable methods

Da tastore cluster Configure a datastore Configure a datastore Configure a datastore

Guest Guest operation Guest operation Guest operation

Interaction Guest operating Guest operating system Guest operating

11 | V eeam Backup & Replication | Required Permissions for VMware vSphere

Direct SAN Access Virtual Appliance Mode Network Mode

Sna pshot Create snapshot Create snapshot Create snapshot

12 | V eeam Backup & Replication | Required Permissions for VMware vSphere

P rivilege Level Required P ermissions

Direct SAN Access Virtual Appliance Mode Network Mode

Da tastore Allocate space Allocate space Allocate space

Global Disable methods Disable methods Disable methods

Network Assign network Assign network Assign network

Da tastore cluster Configure a datastore Configure a datastore Configure a datastore

P rofile-driven storage Profile-driven storage Profile-driven storage Profile-driven storage

13 | V eeam Backup & Replication | Required Permissions for VMware vSphere

Direct SAN Access Virtual Appliance Mode Network Mode

E d it Inventory Register Register Register

Guest Guest operation Guest operation Guest operation

Interaction Connect devices Connect devices Connect devices