Configuring Users
To perform Veeam Backup & Replication operations, you can add users or user groups and assign to them one of the following Veeam Backup & Replication roles:
Role | Operations |
---|---|
Veeam Backup Administrator | Can perform all administrative activities in Veeam Backup & Replication. Note that with the Veeam Backup & Replication console, Veeam Backup Administrator has full access to all files on servers and hosts added to the backup infrastructure. |
Veeam Security Administrator | Can perform the following operations:
|
Incident API Operator | Can perform Veeam Backup & Replication REST API requests to manage malware detection events only. For more details, see Malware Detection group of methods in the Veeam Backup & Replication REST API Reference. Incident API Operators do not have access to the Veeam Backup & Replication console. They interact only with Veeam Backup & Replication REST API and thus do not support multi-factor authentication. Make sure that multi-factor authentication is disabled for the user you add as Incident API Operator. For more details, see Disabling MFA for Service Accounts. |
Veeam Restore Operator | Can perform restore operations using existing backups and replicas. However, Veeam Restore Operator cannot migrate a recovered VM to the production environment during Instant Recovery. Consider the following:
|
Veeam Backup Operator | Can start and stop existing jobs, export backups, copy backups and create VeeamZip backups. |
Veeam Backup Viewer | Has the “read-only” access to Veeam Backup & Replication. Can view a list of existing jobs and review the job session details. |
Veeam Tape Operator | Can manage tapes and perform the following operations: library/server rescan, tape eject, tape export, tape import, tape mark as free, tape move to media pool, tape erase, tape catalog, tape inventory, set tape password, tape copy, tape verification, start and stop tape backup jobs. |
A role assigned to the user defines the user activity scope: what operations in Veeam Backup & Replication the user can perform. Role security settings affect the following operations:
- Starting and stopping jobs
- Performing restore operations
You can assign several roles to the same user. For example, if the user must be able to start jobs and perform restore operations, you can assign the Veeam Backup Operator and Veeam Restore Operator roles to this user.
Requirements and Limitations
Consider the following:
- For security reasons, the account used to run Veeam services should be a LocalSystem account. If a Veeam service runs under a user account other than LocalSystem, this user will have full access to Veeam Backup & Replication even if they are not specified in the Users and Roles > Security settings.
- The user account under which the Veeam Backup Service runs must have the Veeam Backup Administrator role. By default, during installation the Veeam Backup Administrator role is assigned to all members of the Administrators group on the machine where Veeam Backup & Replication is installed.
If you change the default settings, make sure that you assign the Veeam Backup Administrator role to the necessary user account. It is recommended to assign the Veeam Backup Administrator role to the user account explicitly rather than the group to which the user belongs.
- If multi-factor authentication (MFA) is disabled:
- Built-in administrator accounts (Domain\Administrator and Machine\Administrator) have full access to Veeam Backup & Replication.
- Local and domain members of the Administrators group will still have full access to Veeam Backup & Replication even if you delete this group in the Users and Roles > Security settings.
To protect administrator accounts from being compromised, it is strongly recommended to enable multi-factor authentication. In that case, even users with administrator privileges must pass the additional verification. For more information, see Multi-Factor Authentication.
- If multi-factor authentication (MFA) is enabled:
- All users including built-in administrator accounts (Domain\Administrator and Machine\Administrator) must pass the additional verification.
- Local and domain members of the Administrators group will not have access to Veeam Backup & Replication if these users are not specified in the Users and Roles > Security settings.
- If a Veeam service runs under a user account other than LocalSystem, you must disable MFA for this account. For more information, see Disabling MFA for Service Accounts.
Adding Users
To add a user or a user group:
- From the main menu, select Users and Roles > Security.
- Click Add.
- In the User or group field, enter a name of a user or user group in the DOMAIN\USERNAME format.
- From the Role list, select the necessary role to be assigned.
- Click OK.
To reduce the number of user sessions opened for a long time, you can set the idle timeout to automatically log off users. To do this, select the Enable auto logoff after <number> min of inactivity check box and set the number of minutes.
To use additional user verification, you can enable multi-factor authentication. For more information, see Multi-Factor Authentication.