Configuring Users

To perform Veeam Backup & Replication operations, you can add users or user groups and assign to them one of the following Veeam Backup & Replication roles:

Role

Operations

Veeam Backup Administrator

Can perform all administrative activities in Veeam Backup & Replication. Note that with the Veeam Backup & Replication console, Veeam Backup Administrator has full access to all files on servers and hosts added to the backup infrastructure.

Veeam Security Administrator

Can perform the following operations:

  • Add, edit and delete all types of credential records supported by Veeam Backup & Replication. For more details, see Managing Credentials.
  • Manage Security & Compliance Analyzer: run a security check, configure scan scheduling, exclude parameters from the checklist. For more details, see Security & Compliance Analyzer.
  • Approve four-eyes authorization requests. For more details, see Four-Eyes Authorization.

Incident API Operator

Can perform Veeam Backup & Replication REST API requests to manage malware detection events only. For more details, see Malware Detection group of methods in the Veeam Backup & Replication REST API Reference.

Incident API Operators do not have access to the Veeam Backup & Replication console. They interact only with Veeam Backup & Replication REST API and thus do not support multi-factor authentication. Make sure that multi-factor authentication is disabled for the user you add as Incident API Operator. For more details, see Disabling MFA for Service Accounts.

Veeam Restore Operator

Can perform restore operations using existing backups and replicas. However, Veeam Restore Operator cannot migrate a recovered VM to the production environment during Instant Recovery.

Consider the following:

  • Veeam Restore Operators can restore data from any backups. That enables them to restore disks and files with specially crafted malicious content. This opens an opportunity for insider attacks, including but not limited to privilege escalation leading to the entire system takeover. Because of this possibility, the Veeam Restore Operator role should be treated as a sensitive role similar to Veeam Backup Administrators.
  • During restore, Veeam Restore Operator can overwrite existing instances: VMs during VM restore, disks during disk restore and files during file-level restore.

Veeam Backup Operator

Can start and stop existing jobs, export backups, copy backups and create VeeamZip backups.

Veeam Backup Viewer

Has the “read-only” access to Veeam Backup & Replication. Can view a list of existing jobs and review the job session details.

Veeam Tape Operator

Can manage tapes and perform the following operations: library/server rescan, tape eject, tape export, tape import, tape mark as free, tape move to media pool, tape erase, tape catalog, tape inventory, set tape password, tape copy, tape verification, start and stop tape backup jobs.

A role assigned to the user defines the user activity scope: what operations in Veeam Backup & Replication the user can perform. Role security settings affect the following operations:

  • Starting and stopping jobs
  • Performing restore operations

You can assign several roles to the same user. For example, if the user must be able to start jobs and perform restore operations, you can assign the Veeam Backup Operator and Veeam Restore Operator roles to this user.

Requirements and Limitations

Consider the following:

  • For security reasons, the account used to run Veeam services should be a LocalSystem account. If a Veeam service runs under a user account other than LocalSystem, this user will have full access to Veeam Backup & Replication even if they are not specified in the Users and Roles > Security settings.
  • The user account under which the Veeam Backup Service runs must have the Veeam Backup Administrator role. By default, during installation the Veeam Backup Administrator role is assigned to all members of the Administrators group on the machine where Veeam Backup & Replication is installed.

If you change the default settings, make sure that you assign the Veeam Backup Administrator role to the necessary user account. It is recommended to assign the Veeam Backup Administrator role to the user account explicitly rather than the group to which the user belongs.

  • If multi-factor authentication (MFA) is disabled:
    • Built-in administrator accounts (Domain\Administrator and Machine\Administrator) have full access to Veeam Backup & Replication.
    • Local and domain members of the Administrators group will still have full access to Veeam Backup & Replication even if you delete this group in the Users and Roles > Security settings.

To protect administrator accounts from being compromised, it is strongly recommended to enable multi-factor authentication. In that case, even users with administrator privileges must pass the additional verification. For more information, see Multi-Factor Authentication.

  • If multi-factor authentication (MFA) is enabled:
    • All users including built-in administrator accounts (Domain\Administrator and Machine\Administrator) must pass the additional verification.
    • Local and domain members of the Administrators group will not have access to Veeam Backup & Replication if these users are not specified in the Users and Roles > Security settings.

Adding Users

To add a user or a user group:

  1. From the main menu, select Users and Roles > Security.
  2. Click Add.
  3. In the User or group field, enter a name of a user or user group in the DOMAIN\USERNAME format.
  4. From the Role list, select the necessary role to be assigned.
  5. Click OK.

To reduce the number of user sessions opened for a long time, you can set the idle timeout to automatically log off users. To do this, select the Enable auto logoff after <number> min of inactivity check box and set the number of minutes.

To use additional user verification, you can enable multi-factor authentication. For more information, see Multi-Factor Authentication.

Configuring Users 

Page updated 9/26/2024

Page content applies to build 12.3.0.310