Veeam Backup Enterprise Manager implements security by limiting access to web management website features and data, based on user roles. This empowers administrators to delegate permissions in a very granular way, on an as-needed basis, to the individuals who will complete the restore process. It is possible, for example, to delegate permissions to recover files without actually being able to see the contents of the files.
Note: |
For setting up self-service recovery delegation scope, consider that reverse DNS lookup on Veeam Backup Enterprise Manager server must be functional. |
To be able to log in to the Veeam Backup Enterprise Manager website, a user must have the Portal Administrator, Restore Operator or Portal User role assigned.
Enterprise Manager Role | How is Assigned | Access to Configuration | Allowed Operations |
Portal Administrator | Initially by default - to the users listed in the local Administrators group and the user who installed Veeam Backup Enterprise Manager. By an existing Portal Administrator in the Enterprise Manager > Configuration > Roles | Yes | Full access to all available operations on all tabs of the web UI. |
Portal User | By Portal Administrator in the Enterprise Manager > Configuration > Roles | No |
|
Restore Operator | By Portal Administrator in the Enterprise Manager > Configuration > Roles | No |
|
Users with the Portal User or Restore Operator role can access their restore scope — a list of machines that can be recovered by appropriate personnel. For example, database administrators can restore database servers (SQL, Oracle, or other) — this is their restore scope; Exchange administrators’ restore scope will include Exchange server machines, and so on. Depending on their role configuration, non-administrative users can access the Machines and/or Files tab of Enterprise Manager web site.
Important! |
Restore scope (list of machines a user can recover) can be customized if you have Enterprise Plus edition of Veeam Backup & Replication; in other editions, this list includes all machines and cannot be customized. However, you can delegate recovery of entire machines, guest files, or selected file types. Possible delegation options are described later in the Restrictions for Delegated Restore section. |
Note: |
Consider the following:
This refers to all editions of the product. |
Assigning a Role
To specify security settings for a user or a group of users:
- Open the Configuration tab.
- Open the Roles section on the left of the Configuration view.
- Click Add on the toolbar.
- In the Account type field, select the type of account you want to add: User or Group.
- In the Account field, specify the user account in the DOMAIN\Username format.
- From the Role list, select the necessary portal role to be assigned: Portal User, Portal Administrator or Restore Operator.
Note: |
To be able to assign any of these roles to Active Directory domain users and/or groups, make sure that Veeam Backup Enterprise Manager service account has sufficient rights to enumerate Active Directory domains. (By default, Active Directory users have enough rights to enumerate Active Directory domains.) |
You can allow a new user to restore entire virtual machines and/or guest files only; you can also specify the Restore scope for this account, as described in the section below. As an administrative user, you can refresh all scopes of all accounts manually — for that, click Rebuild roles. Consider that this operation will affect all configured roles.
To edit settings of an added user or group, select it in the list of roles and click Edit on the toolbar. Then edit user or group settings as required.
To delete an added user or group, select it in the list and click Remove on the toolbar.