User Privileges for Arcserve UDP Functions

The following table describes the user privileges for Arcserve UDP functions:

Functions User Privilege Comments

Installation

Local administrators group

Local administrators group

 

Console and Gateway

Local administrators group

Local administrators group

 

Recovery Point Server

Local administrators group

Local administrators group

 

Windows Client Backup

Local administrators group

Local administrators group

Security Policies:

  • Act as part of operating system

  • Log on locally

  • Log on as a service

  • Log on as Batch Job

 

Many backup-related operations like VSS snapshot requires admin privilege.

Network Share for non-dedupe data store

If RPS UAC is enabled, domain account or built-in administrator.

    

SQL log truncation

Local administrators group

Local administrator with SQL sysadmin, or db_owner fixed database role.

Log truncation requires query backup database, back log, and query shrink (shrink DB).

Exchange log truncation

Domain administrators group

Domain administrators group

Need to have access to exchange DB

Active Directory protection

Domain administrators group

Domain administrators group

  

Windows Client Restore

     

Network Share for non-dedupe data store

If RPS UAC is enabled, domain account or built-in administrator.

    

SQL

Local administrators group

Local admin with SQL sysadmin, or db_owner fixed database role.

  

Exchange

Domain administrators group

Domain administrators group

Need to have access to Exchange DB

Active Directory

Domain administrators group

Domain administrators group

  

Exchange Granular Restore Utility

Restoring to mailbox: the account used to restore should have impersonate privilege on the target mailbox. For other restore options, the account does not need special requirement.

Restoring to mailbox: the account which is used to restore should have impersonate privilege on the target mailbox. For other restore options, there is no special requirement on the account.

  

Host-based Agentless Backup

     

Add VM node from vCenter/ESXi

  • vCenter: built-in administrator

  • ESXi: root

 

  

For vCenter, if non-built-in administrator is used, refer to link.

Add VM node from Hyper-V

  • Standalone Hyper-V: built-in local administrator, built-in domain administrator, or domain account which is member of the local Administrators group

  • Hyper-V cluster: built-in domain administrator or domain account which is member of the local Administrators group.

  

If other administrative account is used, UAC remote access needs to be disabled. Refer to

link.

Switch VMware Snapshot Quiescing Method in plan

Built-in local administrator or built-in domain administrator

Note: Required credentials here are set by Update Node

  

If other administrative account is used, UAC needs to be disabled. Refer to

link.

Application DB level restore for Hyper-V VM

Built-in local administrator, built-in domain administrator, or domain account which is member of the local Administrators group

Notes:

  • Required credentials here are set by Update Node

  • If VM guest OS is client version Windows (such as Windows 10), need to manually configure firewall to allow Windows Management Instrumentation(WMI)

  

If other administrative account is used, UAC remote access needs to be disabled. Refer to

link.

PFC

  • VMware VM: built-in local administrator or built-in domain administrator

  • Hyper-V VM: built-in local administrator, built-in domain administrator, or domain account which is member of the local Administrators group

Notes:

  • Required credentials here are set by Update Node

  • For Hyper-V VM, if VM guest OS is client version Windows (like Windows 10), need to manually configure firewall to allow Windows Management Instrumentation (WMI)

  

If other administrative account is used:

  • For VMware VM, UAC needs to be disabled. See link.

  • For Hyper-V VM, UAC remote access needs to be disabled. See link.

Pre / Post Command

  • VMware VM: built-in local administrator or built-in domain administrator

  • Hyper-V VM: built-in local administrator, built-in domain administrator, or domain account which is member of the local Administrators group

Notes:

  • Required credentials here are set by Update Node and on the Advanced tab of a Plan.

  • For Hyper-V VM, if VM guest OS is client version Windows (like Windows 10), need to manually configure firewall to allow Windows Management Instrumentation (WMI)

  

For the usage of the credentials that are set by Update Node and on the Advanced tab of a Plan, refer to link.

SQL log truncation

Same as Pre / Post Command

  

Same as Pre / Post Command

Exchange log truncation

Same as Pre / Post Command

  

Same as Pre / Post Command

File-level restore to original location

Built-in local administrator, built-in domain administrator, or domain account which is member of the local Administrators group

Notes:

  • Required credentials here are set by Update Node

  • For Hyper-V VM, if VM guest OS is client version Windows (like Windows 10), need to manually configure firewall to allow Windows Management Instrumentation (WMI)

  

If other administrative account is used, UAC remote access needs to be disabled as per link.

Virtual StandBy

     

For Hyper-V

  • Built-in local administrator

  • Built-in domain administrator

  • Domain account which is member of the local Administrators group

  • Local account which is member of the local Administrator group

Local administrators group

If local administrative account is used, UAC remote access needs to be disabled. See link.

For VMware

  • vCenter: built-in administrator

  • ESXi: root

  

For vCenter, if non-built-in administrator is used, refer to link.

Instant Virtual Machine/Assured Recovery

     

For Hyper-V

  • Built-in local administrator

  • Built-in domain administrator

  • Domain account which is member of the local Administrators group

  • Local account which is member of the local Administrator group

  

If local administrative account is used, UAC remote access needs to be disabled. See link.

For VMware

  • vCenter: built-in administrator

  • ESXi: root

Local administrators group

For vCenter, if non-built-in administrator is used, refer to link.

File Copy & Archive

Local administrators group

Local administrators group

 

Copy Recovery Point to Cloud

Local administrators group

Local administrators group

 

UNC Path protection

Any user could login and be impersonated

Read permission to the UNC Path

 

Exchange Online protection

Any Exchange Online account

Has Application Impersonation privilege on the protected accounts

 

Virtual StandBy to AWS EC2

The Amazon IAM users who have the required permissions to interaction with AWS API

 

For AWS EC2, refer to this link.

Virtual StandBy to Microsoft Azure

Application

Contributor role of selected subscription

 

Linux

     

Install

root

Read, Write, Execution

  

Console registration

console admin

    

Agent-based Backup

      

-Network Share

  
 

storage administrator

Read, Write

  

--Node Connection

root/non-root/sudo

Read, Write, Execution

  

File Level Restore

      

-Network Share

storage administrator

Read, Write

  

--Node Connection

root/non-root/sudo

Read, Write, Execution

root user can restore to anywhere; other users can restore only to their owned directories

BMR

  

Access information to hardware

  

Migration BMR

      

Instant VM for Hyper-V

      

Instant VM for VMware

      

Instant VM to Amazon EC2

IAM User

Full Access of EC2

 

Instant VM to Microsoft Azure

Application

Contributor role of selected subscription

 

SharePoint Online protection

SharePoint Online Site Collection Administrator SharePoint Online Site Collection Administrator