Configuring Users
To perform Veeam Backup & Replication operations, you can add users and user groups with the following roles:
Role | Operations |
|---|---|
Veeam Backup Administrator | Can perform all administrative activities in the Veeam Backup & Replication console. Note that Veeam Backup Administrator has full access to all files on servers and hosts added to the backup infrastructure. |
Veeam Security Administrator | Can perform the following operations:
|
Incident API Operator | Can perform Veeam Backup & Replication REST API requests to manage malware detection events. For more details, see the Malware Detection section in the Veeam Backup & Replication REST API Reference. Incident API Operators do not have access to the Veeam Backup & Replication console. Since they interact only with Veeam Backup & Replication REST API, make sure that multi-factor authentication is disabled for the user you add as Incident API Operator. For more details, see Disabling MFA for Service Accounts. |
Veeam Restore Operator | Can perform restore operations using existing backups and replicas. Consider the following:
|
Veeam Backup Operator | Can start and stop existing jobs, export backups, copy backups and create VeeamZip backups. |
Veeam Backup Viewer | Has the read-only access to the Veeam Backup & Replication console. Can view a list of existing jobs and review the job session details. |
Veeam Tape Operator | Can manage tapes and perform the following operations:
|
You can assign several roles to the same user. For example, if you want a user to start jobs and perform restore operations, you can assign both the Veeam Backup Operator and Veeam Restore Operator roles to this user.
Requirements and Limitations
When you configure users, consider the following requirements and limitations:
- For security reasons, the account used to run Veeam services should be a LocalSystem account. If a Veeam service runs under a user account other than LocalSystem, this user will have full access to the Veeam Backup & Replication console even if they are not specified in the Users and Roles > Security settings.
- The user account under which the Veeam Backup Service runs must have the Veeam Backup Administrator role. By default, during installation the Veeam Backup Administrator role is assigned to all members of the Administrators group on the machine where Veeam Backup & Replication is installed.
If you change the default settings, make sure that you assign the Veeam Backup Administrator role to the necessary user account. It is recommended to assign the Veeam Backup Administrator role to the user account explicitly rather than the group to which the user belongs.
- If multi-factor authentication (MFA) is disabled, consider the following:
- Built-in administrator accounts (Domain\Administrator and Machine\Administrator) will have full access to the Veeam Backup & Replication console.
- Local and domain members of the Administrators group will still have full access to Veeam Backup & Replication even if you delete this group in the Users and Roles > Security settings.
To protect administrator accounts from being compromised, it is strongly recommended to enable multi-factor authentication. In that case, even users with administrator privileges must pass the additional verification. For more information, see Multi-Factor Authentication.
- If multi-factor authentication (MFA) is enabled, consider the following:
- All users including built-in administrator accounts (Domain\Administrator and Machine\Administrator) must pass the additional verification.
- If you do not add a local or domain member of the Administrators group in the Users and Roles > Security settings, this user will not have access to the Veeam Backup & Replication console.
- If you add a local or domain member of the Administrators group in the Users and Roles > Security settings, this user will have full access to the Veeam Backup & Replication console regardless of the assigned role.
- If a Veeam service runs under a user account other than LocalSystem, you must disable MFA for this account. For more information, see Disabling MFA for Service Accounts.
Adding Users
To add a user or user group:
- From the main menu, select Users and Roles > Security.
- Click Add.
- In the User or group field, enter the name of a user or user group in the DOMAIN\USERNAME format.
- From the Role list, select the necessary role to be assigned.
- Click OK.
To reduce the number of user sessions opened for a long time, you can set the idle timeout to automatically log off users. To do this, select the Enable auto logoff after <number> min of inactivity check box and set the number of minutes.
To use additional user verification, you can enable multi-factor authentication. For more information, see Multi-Factor Authentication.
Editing Users
To edit a user or user group:
- From the main menu, select Users and Roles > Security.
- Select a user or user group.
- Click Edit.
- In the Edit window, you can do the following:
- Select a new role to be assigned to the account.
- Disable multi-factor authentication for the account. For more information, see Disabling MFA for Service Accounts.
- Click OK.
Removing Users
To remove a user or user group:
- From the main menu, select Users and Roles > Security.
- Select a user or user group.
- Click Remove.