User Privileges for Arcserve UDP Functions
The following table describes the user privileges for Arcserve UDP functions:
| Functions | User | Privilege | Comments |
|---|---|---|---|
| Installation | Local administrators group | Local administrators group | |
| Console and Gateway | Local administrators group | Local administrators group | |
| Recovery Point Server | Local administrators group | Local administrators group | |
| Windows Client Backup | Local administrators group | Local administrators group Security Policies: | Many backup-related operations like VSS snapshot require admin privilege. |
| Network Share for non-dedupe data store | If RPS UAC is enabled, domain account or built-in administrator. | | |
| SQL log truncation | Local administrators group | Local administrator with SQL sysadmin, or db_owner fixed database role. | Log truncation requires query backup database, back log, and query shrink (shrink DB). |
| Exchange log truncation | Domain administrators group | Domain administrators group | Need to have access to Exchange DB |
| Active Directory protection | Domain administrators group | Domain administrators group | |
| Windows Client Restore | | | |
| Network Share for non-dedupe data store | If RPS UAC is enabled, domain account or built-in administrator. | | |
| SQL | Local administrators group | Local admin with SQL sysadmin, or db_owner fixed database role. | |
| Exchange | Domain administrators group | Domain administrators group | Need to have access to Exchange DB |
| Active Directory | Domain administrators group | Domain administrators group | |
| Exchange Granular Restore Utility | Restoring to mailbox: the account used to restore should have impersonate privilege on the target mailbox. For other restore options, the account has no special requirements. | Restoring to mailbox: the account which is used to restore should have impersonate privilege on the target mailbox. For other restore options, there is no special requirement on the account. | |
| Host-based Agentless Backup | | | |
| Add VM node from vCenter/ESXi | | For vCenter, if non-built-in administrator is used, refer to link. | |
| Add VM node from Nutanix AHV | Cluster Admin or User Admin | Cluster Admin or User Admin | |
| Add VM node from Hyper-V | | If other administrative account is used, UAC remote access needs to be disabled. Refer to link. | |
| Switch VMware Snapshot Quiescing Method in plan | Built-in local administrator or built-in domain administrator. Note: Required credentials here are set by Update Node. | If other administrative account is used, UAC needs to be disabled. Refer to link. | |
| Application DB level restore for Hyper-V VM/Nutanix VM | Built-in local administrator, built-in domain administrator, or domain account which is member of the local Administrators group Notes: | If other administrative account is used, UAC remote access needs to be disabled. Refer to link. | |
| PFC | Notes: | If other administrative account is used: | |
| Pre / Post Command | Notes: | For the usage of the credentials that are set by Update Node and on the Advanced tab of a Plan, refer to link. | |
| SQL log truncation | Same as Pre / Post Command | Same as Pre / Post Command | |
| Exchange log truncation | Same as Pre / Post Command | Same as Pre / Post Command | |
| File-level restore to original location | Built-in local administrator, built-in domain administrator, or domain account which is member of the local Administrators group Notes: | If other administrative account is used, UAC remote access needs to be disabled as per link. | |
| Virtual StandBy | | | |
| For Hyper-V | | Local administrators group | If local administrative account is used, UAC remote access needs to be disabled. See link. |
| For Nutanix | Cluster Admin | Cluster Admin | |
| For VMware | | For vCenter, if non-built-in administrator is used, refer to link. | |
| Instant Virtual Machine/Assured Recovery | | | |
| For Hyper-V | | If local administrative account is used, UAC remote access needs to be disabled. See link. | |
| For VMware | | Local administrators group | For vCenter, if non-built-in administrator is used, refer to link. |
| File Copy & Archive | Local administrators group | Local administrators group | |
| Copy Recovery Point to Cloud | Local administrators group | Local administrators group | |
| UNC/NFS Path protection | Any user that can log in and be impersonated | Read permission to the UNC/NFS Path | |
| Virtual StandBy to AWS EC2 | Amazon IAM users who have the required permissions to interact with the AWS API | For AWS EC2, refer to this link. | |
| Virtual StandBy to Microsoft Azure | Application | Contributor role of selected subscription | |
| Linux | | | |
| Install | root | Read, Write, Execution | |
| Console registration | console admin | | |
| Agent-based Backup | | | |
| | storage administrator | Read, Write | |
| --Node Connection | root/non-root/sudo | Read, Write, Execution | |
| File Level Restore | | | |
| -Network Share | storage administrator | Read, Write | |
| --Node Connection | root/non-root/sudo | Read, Write, Execution | root user can restore to anywhere; other users can restore only to directories they own |
| BMR | Access information to hardware | | |
| Migration BMR | | | |
| Instant VM for Hyper-V | | | |
| Instant VM for VMware | | | |
| Instant VM for Nutanix AHV | cluster admin | cluster admin | |
| Instant VM to Amazon EC2 | IAM User | Full Access of EC2 | |
| Instant VM to Microsoft Azure | Application | Contributor role of selected subscription | |
| Exchange Online protection | Any Exchange Online account | Has Application Impersonation privilege on the protected accounts | |
| SharePoint Online protection | SharePoint Online Site Collection Administrator | SharePoint Online Site Collection Administrator | |
| OneDrive | Azure Active Directory Administrators | Azure Active Directory Administrators | |