Starting from Veeam Backup & Replication 12.1 (build 184.108.40.2061), you can enable four-eyes authorization to reduce the risk of accidental actions affecting sensitive data. This functionality adds a control mechanism under which particular operations in Veeam Backup & Replication require additional approval from another user with the Veeam Backup Administrator role.
Before you enable the feature, make sure that you have at least two users (added to a user group or separate ones) with the Veeam Backup Administrator role assigned.
When enabled, four-eyes authorization is required to perform the following operations:
- Delete backup files or snapshots from the disk or configuration database.
- Delete information about unavailable backups from the configuration database.
- Remove backup repositories, storage, and service providers from the backup infrastructure.
- Perform operations in the Files view:
  - Edit, rename and delete files
  - Overwrite files
  - Rename and delete folders
- Add, update and delete users or user groups.
- Enable and disable multi-factor authentication (MFA) for all users and user groups.
- Reset MFA for a specific user.
- Enable, update and disable automatic logoff for all users and user groups.
Consider that four-eyes authorization cannot protect the backup infrastructure if the Veeam Backup & Replication server is compromised. To build a more secure environment, follow security guidelines. For more details, see General Security Considerations and Securing Backup Infrastructure.
How Four-Eyes Authorization Works
Veeam Backup & Replication supports the following scenario for four-eyes authorization:
- A backup administrator tries to delete backup data or remove a machine from the backup infrastructure.
- The request for additional approval is displayed in the Home view, under the Pending approvals node. All users with the Veeam Backup Administrator role also get email notifications if you configured global email notification settings. For more information, see Configuring Global Email Notification Settings.
- Another backup administrator approves or rejects the request. If there are multiple requests, the backup administrator can approve or reject them simultaneously. All users with the Veeam Backup Administrator role also get email notifications.
The backup administrator that created the request can only reject their own requests.
If no backup administrator processes the request by the end of the specified time period (7 days by default), the request is automatically rejected.
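The approval rules described above, modeled as a small state machine. This is an added illustration, not Veeam code or a Veeam API; the names FourEyes, Request, ApprovalError, submit, decide and expire are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ADMIN_ROLE = "Veeam Backup Administrator"

class ApprovalError(Exception):
    """Raised when an action would violate the four-eyes rules."""

@dataclass
class Request:
    operation: str
    requester: str
    created: datetime
    state: str = "pending"      # pending -> approved | rejected
    decided_by: str = ""

class FourEyes:                 # hypothetical model, not a Veeam class
    def __init__(self, roles, approval_days=7):
        # roles maps user -> role name; two administrators are a precondition.
        self.admins = {u for u, r in roles.items() if r == ADMIN_ROLE}
        if len(self.admins) < 2:
            raise ApprovalError("need at least two backup administrators")
        if not 1 <= approval_days <= 30:
            raise ApprovalError("approval period must be 1 to 30 days")
        self.window = timedelta(days=approval_days)

    def submit(self, user, operation, now):
        if user not in self.admins:
            raise ApprovalError(f"{user} lacks the administrator role")
        return Request(operation, user, now)

    def expire(self, req, now):
        # A request nobody processed is rejected when the period ends.
        if req.state == "pending" and now >= req.created + self.window:
            req.state, req.decided_by = "rejected", "auto-reject"
        return req.state

    def decide(self, req, user, approve, now):
        if self.expire(req, now) != "pending":
            raise ApprovalError(f"request already {req.state}")
        if user not in self.admins:
            raise ApprovalError(f"{user} lacks the administrator role")
        if approve and user == req.requester:
            # The requester may only reject their own request.
            raise ApprovalError("requester cannot approve their own request")
        req.state = "approved" if approve else "rejected"
        req.decided_by = user
        return req.state
```

The check that matters for separation of duties is in `decide`: approval is refused when the approver is the requester, while rejection by the requester is allowed.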
Requirements and Limitations
Four-eyes authorization has the following requirements and limitations:
- The functionality is included only in the Veeam Universal License or the Enterprise Plus edition. If the license expires, you will still be able to process already created requests but not to create new ones.
- If four-eyes authorization is enabled, you cannot perform delete operations using PowerShell cmdlets, REST API, or Veeam Backup Enterprise Manager.
- If you try to approve or reject the request and the object that you want to delete is blocked by another operation, for example, by the job session, the operation will not be performed. In this case, you need to process the request later, when the object is no longer blocked.
- Immutable backup files cannot be deleted even with the four-eyes authorization enabled.
Enabling Four-Eyes Authorization
To enable four-eyes authorization, perform the following steps:
- Make sure that you have at least two users (added to a user group or separate ones) with the Veeam Backup Administrator role assigned.
- From the main menu, select Users and Roles > Authorization.
- Select the Require additional approval for sensitive operations check box.
- Specify the time period during which the requested operation must be approved or rejected (minimum 1 day, maximum 30 days).
To disable four-eyes authorization, you will also need an additional approval from another backup administrator.
Viewing Authorization Events
To view events related to four-eyes authorization, open the History view and select the Authorization Events node. These events include information about:
- Approved and rejected requests
- Updated four-eyes authorization settings
- Updated settings for users and user groups
- Assigned roles
- Added or deleted users and user groups