Veeam Backup Enterprise Manager implements security by limiting access to web management website features and data, based on user roles. This empowers administrators to delegate permissions in a very granular way, on an as-needed basis, to the individuals who will complete the restore process. It is possible, for example, to delegate permissions to recover files without actually being able to see the contents of the files.
Note: |
For setting up self-service recovery delegation scope, consider that reverse DNS lookup on Veeam Backup Enterprise Manager server must be functional. |
To be able to log in to the Veeam Backup Enterprise Manager website, a user must have the Portal Administrator, Restore Operator or Portal User role assigned.
- Users with the Portal Administrator role have full access to all administrative functions and configuration settings; they can browse, search and restore all VMs and files.
- The Configuration area is not accessible to Restore Operators and Portal Users.
- Users with the Portal User or Restore Operator role can access their restore scope — a list of VMs that can be recovered by appropriate personnel. For example, database administrators can restore database servers (SQL, Oracle, or other) — this is their restore scope; Exchange administrators’ restore scope will include Exchange server VM, and so on. Depending on their role configuration, non-administrative users can access the VMs and/or Files tab of Enterprise Manager web site.
Important! |
Restore scope (list of available VMs) can be customized if you have Enterprise Plus edition of Veeam Backup & Replication; in other editions, this list includes all VMs and cannot be customized. However, you can delegate recovery of entire VMs, guest files, or selected file types. Possible delegation options are described later in the Restrictions for Delegated Restore section. |
- Users with Restore Operator role can access VMs from their restore scope in VMs and/or Files tab and perform restore operations as permitted by their settings.
- Users with Portal User role can access VMs from their restore scope in VMs and/or Files tab, as well as reports for these VMs; they also can perform restore operations as permitted by their settings.
Note: |
By default, the Portal Administrator role is assigned to users listed in the local Administrators group and the user who installed Veeam Backup Enterprise Manager. |
To specify security settings for a user or a group of users:
- Open the Configuration tab.
- Open the Roles section on the left of the Configuration view.
- Click Add on the toolbar.
- In the Account type field, select the type of account you want to add: User or Group.
- In the Account field, specify the user account in the DOMAIN\Username format.
- From the Role list, select the necessary portal role to be assigned: Portal User, Portal Administrator or Restore Operator.
Note: |
To be able to assign any of these roles to Active Directory domain users and/or groups, make sure that Veeam Backup Enterprise Manager service account has sufficient rights to enumerate Active Directory domains. (By default, Active Directory users have enough rights to enumerate Active Directory domains.) |
You can allow a new user to restore entire virtual machines and/or guest files only; you can also specify the Restore scope for this account, as described in the section below.
To edit settings of an added user or group, select it in the list of roles and click Edit on the toolbar. Then edit user or group settings as required.
To delete an added user or group, select it in the list and click Remove on the toolbar.