Account permissions needed for protecting machine?

Good  evening. Forgive me if I missed this in documentation, but I haven't been able to find out what the required permissions for accounts used by Rapid Recovery.

I installed the agent on my Hyper-V cluster hosts, and see that the service runs as "local system". 
My question is about the account used when applying protection to my guests.  Can this be a domain account with "back operators" permissions, or will more permissions be required?  I realize that many people will just run this with a Domain admin account, but I want to ensure that we're operating in an environment of least privilege.