To perform Veeam Backup & Replication operations, you can add users or user groups and assign to them one of the following Veeam Backup & Replication roles:
Veeam Backup Administrator
Can perform all administrative activities in Veeam Backup & Replication. Note that with the Veeam Backup & Replication console, Veeam Backup Administrator has full access to all files on servers and hosts added to the backup infrastructure.
Veeam Restore Operator
Can perform restore operations using existing backups and replicas. However, Veeam Restore Operator cannot migrate a recovered VM to the production environment during Instant Recovery.
Consider the following:
Veeam Backup Operator
Can start and stop existing jobs, export backups, copy backups and create VeeamZip backups.
Veeam Backup Viewer
Has the “read-only” access to Veeam Backup & Replication. Can view a list of existing jobs and review the job session details.
Veeam Tape Operator
Can manage tapes and perform the following operations: library/server rescan, tape eject, tape export, tape import, tape mark as free, tape move to media pool, tape erase, tape catalog, tape inventory, set tape password, tape copy, tape verification, start and stop tape backup jobs.
A role assigned to the user defines the user activity scope: what operations in Veeam Backup & Replication the user can perform. Role security settings affect the following operations:
- Starting and stopping jobs
- Performing restore operations
You can assign several roles to the same user. For example, if the user must be able to start jobs and perform restore operations, you can assign the Veeam Backup Operator and Veeam Restore Operator roles to this user.
Requirements and Limitations
Consider the following:
- Built-in administrator accounts (Domain\Administrator and Machine\Administrator) always have full access to Veeam Backup & Replication, even if you exclude them from all Veeam Backup & Replication roles. If you delete the Administrators group from the Veeam Backup & Replication roles, the users who are added to this group will still have access to Veeam Backup & Replication.
To protect administrator accounts from being compromised, it is strongly recommended to enable multi-factor authentication (MFA). In that case, even users with administrator privileges must pass the additional verification. For more information, see Multi-Factor Authentication.
- The user account under which the Veeam Backup Service runs must have the Veeam Backup Administrator role. By default, during installation the Veeam Backup Administrator role is assigned to users in the Administrators group. If you change the default settings, make sure that you assign the Veeam Backup Administrator role to the necessary user account. It is recommended to assign the Veeam Backup Administrator role to the user account explicitly rather than the group to which the user belongs.
If you enable multi-factor authentication (MFA), note that Veeam Backup & Replication services must run under the service account with disabled MFA. For more information, see Disabling MFA for Service Accounts.
To add a user or a user group:
- From the main menu, select Users and Roles > Security.
- Click Add.
- In the User or group field, enter a name of a user or user group in the DOMAIN\USERNAME format.
- From the Role list, select the necessary role to be assigned.
- Click OK.
To reduce the number of user sessions opened for a long time, you can set the idle timeout to automatically log off users. To do this, select the Enable auto logoff after <number> min of inactivity check box and set the number of minutes.
To use additional user verification, you can enable multi-factor authentication. For more information, see Multi-Factor Authentication.