Access Permissions

If you want to store in the backup repository backups of virtual and physical machines created by Veeam Backup & Replication additional solutions, for example, Veeam Agent for Microsoft Windows, Veeam Agent for Linux, Veeam Plug-ins for Enterprise Applications and so on, you must set up access permissions to backup repositories.

Access permissions are granted to security principals such as users and AD groups by the backup administrator who works with Veeam Backup & Replication. Users with granted access permissions can target backup jobs created by additional solutions at this backup repository and perform restore from backups located in this backup repository.

Note

If you plan to create backups in a Veeam backup repository with Veeam Agent backup jobs configured in Veeam Backup & Replication, you do not need to grant access permissions on the backup repository to users. In the Veeam Agent management scenario, to establish a connection between the backup server and protected computers, Veeam Backup & Replication uses a TLS certificate. To learn more, see the Configuring Security Settings section in the Veeam Agent Management Guide.

If you plan to create backups in a Veeam backup repository with Veeam Backup for Nutanix AHV, you do not need to grant access permissions when configuring repositories, you must do that when configuring Nutanix AHV backup appliances.

Right after installation, access permissions on the default backup repository are set to Allow to everyone for testing and evaluation purposes. If necessary, you can change these settings.

After you create a new backup repository, access permissions on this repository are set to Deny to everyone. To allow users to store backups in the backup repository, you must grant users with access permissions to this repository.

Managing Permissions of Backup Repositories

To grant access permissions to a security principal:

  1. In Veeam Backup & Replication, open the Backup Infrastructure view.
  2. In the inventory pane, click one of the following nodes:
  1. In the working area, select the necessary backup repository and click Set Access Permissions on the ribbon or right-click the backup repository and select Access permissions. If you do not see the Set Access Permissions button on the ribbon or the Access permissions command is not available in the shortcut menu, press and hold the [Ctrl] key, right-click the backup repository and select Access permissions.

Access Permissions 

  1. In the Standalone applications window, specify to whom you want to grant access permissions on this backup repository:
  1. [For Veeam Backup for Nutanix AHV and Veeam Agents operating in the standalone mode ] To encrypt backup files, select the Encrypt backups stored in this repository check box and choose the necessary password from the field under the check box. If you have not specified a password beforehand, click Add on the right or the Manage passwords link to add a new password.

Note

If you want to encrypt backup files created by Veeam Agents operating in the managed mode, you must configure encryption in the backup job settings. For example, to learn how to encrypt backup files created by managed Veeam Agent for Microsoft Windows, see the Storage Settings section in the Veeam Agent Management Guide.

Veeam Backup & Replication encrypts files at the backup repository side using its built-in encryption mechanism in the following way:

Backup Repository

Storage-Level Encryption

Microsoft Windows/Linux-based repository

If you select the Encrypt backups stored in this repository check box, backup data will be encrypted after being uploaded to the backup repository.

NFS file share

SMB (CIFS) file share

NAS file share

External repository

Object storage repository

Object storage repository added as Performance or Archive Tier

Object storage repository added as Capacity Tier

If you use capacity tier encryption and select the Encrypt backups stored in this repository check box, already encrypted backup data will be encrypted again before being uploaded to the capacity tier.

Deduplicating storage appliance

If you use deduplicating storage appliance encryption and select the Encrypt backups stored in this repository check box, backup data will be encrypted twice: after being uploaded to the deduplicating storage appliance and again by the deduplicating storage appliance itself.

Note that data encryption has a negative effect on the deduplication ratio. If you want to achieve a higher deduplication ratio, use only deduplicating storage appliance encryption. For more details, see Data Encryption and Deduplication.

Access Permissions 

Managing Permissions for S3 Compatible Object Storage

If you plan to use S3 compatible object storage as an object storage repository, you must set up access permissions to the object storage. These permissions are used if you keep in object storage repositories backups created by Veeam Agent or by Veeam Cloud Connect tenant. For more information, see Backup to Object Storage in the Veeam Agent Management Guide and Backup to Object Storage in the Veeam Cloud Connect Guide.

To manage permissions for S3 compatible object storage, perform the following:

  1. In Veeam Backup & Replication, open the Backup Infrastructure view.
  1. In the inventory pane, click the Backup Repositories node.
  1. In the working area, select the necessary S3 compatible backup repository and click Set Access Permissions on the ribbon or right-click the backup repository and select Access permissions. If you do not see the Set Access Permissions button on the ribbon or the Access permissions command is not available in the shortcut menu, press and hold the [Ctrl] key, right-click the backup repository and select Access permissions.
  2. On the Security tab, specify how Veeam Agent or a SP will access an S3 compatible object storage repository:
  • Agents share credentials to object storage repository — use this option if you want directly access the S3 compatible object storage repository. In this case, Veeam Agent will use credentials that you specified when added the S3 compatible object storage repository to the backup infrastructure.

Important

This option is not secure since Veeam Backup & Replication will have access permissions on the bucket where you keep your folders with backups.

  • Provided by the backup server — use this option if you want to access the S3 compatible object storage repository through a gateway server.
  • Provided by IAM/STS object storage capabilities — use this option if you want directly access the S3 compatible object storage repository. In this case, Veeam Backup & Replication will create service tokens that Veeam Agent or a SP will use to access the S3 compatible object storage repository.

To specify credentials, do the following:

  1. In the Identity and access management (IAM) endpoint field, specify the endpoint of your S3 compatible object storage repository.
  1. In the Security token service (STS) endpoint field, specify the security token.

Access Permissions 

Page updated 5/17/2024

Page content applies to build 12.1.2.172