Granting Permissions to Users
When you install Veeam Plug-in for Microsoft SQL Server, full access rights to the plug-in configuration file are automatically granted to all users. To protect sensitive information that is stored in the Veeam Plug-in configuration file from unwanted access, we recommend limiting access to the Veeam Plug-in configuration file to a dedicated group of users.
By default, the Veeam Plug-in configuration file (veeam_config.xml) is located in the %PROGRAMFILES%\Veeam\Plugins\Microsoft SQL\ folder on the machine where Veeam Plug-in is installed.
Before you create a user group that will have access to the Veeam Plug-in configuration file, consider the following:
- To perform this procedure, the OS user account must have local administrator privileges.
- Add only trusted users to the group.
- After a user is added to the group, they must log out, then log in to the system again to activate the group permissions.
Granting Permissions to the Plug-In Configuration File
- Create a new user group by running the following command:
net localgroup "<groupName>" /comment:"<description>" /add
where:
- <groupName> — the name of the created group.
- <description> — the description of the group.
- Add a user to the group with the following command:
net localgroup "<groupName>" "<userName>" /add
where:
- <groupName> — the name of the created group.
- <userName> — the name of the account that will be granted access to the Veeam Plug-in configuration file.
- Create a new access control list (ACL) with Read and Write permissions using this set of commands:
$newACL = New-Object System.Security.AccessControl.FileSecurity # creates a dedicated ACL
$newACL.SetAccessRuleProtection($true,$false) # disables inheritance and deletes all inherited permissions
$newACL.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("<groupName>","Read","Allow"))) # allows read
$newACL.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("<groupName>","Write","Allow"))) # allows write
where:
- newACL — the name of the new access control list. You can give any name to this temporary variable.
- <groupName> — the name of the created group.
- Assign ownership of the new ACL to the previously created user group by running the following command:
$newACL.SetOwner([System.Security.Principal.NTAccount]"<groupName>") # sets the owner for the ACL
where:
- newACL — the name of the new access control list.
- <groupName> — the name of the created group.
- Apply the ACL to the Veeam Plug-in configuration file using this command:
Set-Acl -Path:"<configFilePath>" -AclObject:$newACL # applies the ACL to the plug-in configuration file
where:
- <configFilePath> — the path to the plug-in configuration file. The default path is %PROGRAMFILES%\Veeam\Plugins\Microsoft SQL\veeam_config.xml.
- newACL — the name of the new access control list.
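To confirm the result of the procedure above, the following added example (not part of the Veeam documentation) reads the ACL back from the configuration file and reports anything that deviates from it: inheritance still enabled, a different owner, entries for other principals, or missing Read/Write rights for the group. The group name VeeamPluginConfigUsers and the function name Test-PluginConfigAcl are assumptions made for this example.

```powershell
# Added example: read back the ACL set by the procedure and report deviations.
# 'VeeamPluginConfigUsers' is a hypothetical group name; use the group you created.
param(
    [string]$GroupName  = 'VeeamPluginConfigUsers',
    [string]$ConfigPath = (Join-Path $env:ProgramFiles 'Veeam\Plugins\Microsoft SQL\veeam_config.xml')
)

function Test-PluginConfigAcl {
    param([string]$Path, [string]$Group)

    $sidType  = [System.Security.Principal.SecurityIdentifier]
    # Compare by SID so that "HOST\group" and "group" are treated as the same principal.
    $groupSid = ([System.Security.Principal.NTAccount]$Group).Translate($sidType).Value
    $acl      = Get-Acl -LiteralPath $Path
    $needed   = [System.Security.AccessControl.FileSystemRights]'Read, Write'
    $findings = @()
    $granted  = 0

    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance is enabled; inherited entries can still grant access.'
    }
    if ($acl.GetOwner($sidType).Value -ne $groupSid) {
        $findings += "Owner is '$($acl.Owner)', expected group '$Group'."
    }
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.IdentityReference.Value -ne $groupSid) {
            # Any entry for a principal other than the dedicated group is a deviation.
            $findings += "Unexpected $($rule.AccessControlType) entry for $($rule.IdentityReference.Value): $($rule.FileSystemRights)"
        }
        elseif ($rule.AccessControlType -eq 'Allow') {
            $granted = $granted -bor [int]$rule.FileSystemRights
        }
    }
    if (($granted -band [int]$needed) -ne [int]$needed) {
        $findings += "Group '$Group' does not hold both Read and Write on the file."
    }
    return ,$findings
}

$result = Test-PluginConfigAcl -Path $ConfigPath -Group $GroupName
if ($result.Count -eq 0) {
    Write-Output "OK: only '$GroupName' has access to $ConfigPath"
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Run it under an account that can read the file's security descriptor, for example a member of the group.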