Users and Roles
You can assign one of the following roles to users or groups of users who plan to work with Veeam Backup & Replication:
- Veeam Backup Administrator
- Veeam Restore Operator
Restore Operators can restore data from any backups. That enables them to restore disks and files with specially crafted malicious content. This opens an opportunity for insider attacks, including but not limited to privilege escalation leading to the entire system takeover. Because of this possibility, the Restore Operators role should be treated as a sensitive role similar to Veeam Backup Administrators.
- Veeam Backup Operator
- Veeam Backup Viewer
- Veeam Tape Operator
A role assigned to the user defines the user activity scope: what operations in Veeam Backup & Replication the user can perform. Role security settings affect the following operations:
- Starting and stopping jobs
- Performing restore operations
Users having different roles can perform a different set of operations:
Veeam Backup Administrator
Can perform all administrative activities in Veeam Backup & Replication. Note that with the Veeam Backup & Replication console, Veeam Backup Administrator has full access to all files on servers and hosts added to the backup infrastructure.
Veeam Restore Operator
Can perform restore operations using existing backups and replicas. However, Veeam Restore Operator cannot migrate a recovered VM to the production environment during Instant Recovery.
Note that during restore, Veeam Restore Operator can overwrite existing instances: VMs during VM restore, disks during disk restore and files during file-level restore.
Veeam Backup Operator
Can start and stop existing jobs, export backups and create VeeamZip backups.
Veeam Backup Viewer
Has the “read-only” access to Veeam Backup & Replication. Can view a list of existing jobs and review the job session details.
Veeam Tape Operator
Can manage tapes and perform the following operations: library/server rescan, tape eject, tape export, tape import, tape mark as free, tape move to media pool, tape erase, tape catalog, tape inventory, set tape password, tape copy, tape verification, start and stop tape backup jobs.
You can assign several roles to the same user. For example, if the user must be able to start jobs and perform restore operations, you can assign the Veeam Backup Operator and Veeam Restore Operator roles to this user.
Consider the following:
- Built-in administrator accounts (Domain\Administrator and Machine\Administrator) always have full access to Veeam Backup & Replication, even if you exclude them from all Veeam Backup & Replication roles. If you delete the Administrators group from the Veeam Backup & Replication roles, the users who are added to this group will still have access to Veeam Backup & Replication.
To protect administrator accounts from being compromised, it is strongly recommended to enable multi-factor authentication (MFA). In that case, even users with administrator privileges must pass the additional verification. For more information, see Multi-Factor Authentication.
- The user account under which the Veeam Backup Service runs must have the Veeam Backup Administrator role. By default, during installation the Veeam Backup Administrator role is assigned to users in the Administrators group. If you change the default settings, make sure that you assign the Veeam Backup Administrator role to the necessary user account. It is recommended to assign the Veeam Backup Administrator role to the user account explicitly rather than the group to which the user belongs.
If you enable multi-factor authentication (MFA), note that Veeam Backup & Replication services must run under the service account with disabled MFA. For more information, see Disabling MFA for Service Accounts.
To assign a role to the user or user group:
- From the main menu, select Users and Roles.
- Click Add.
- In the User or group field, enter a name of a user or user group in the DOMAIN\USERNAME format.
- From the Role list, select the necessary role to be assigned.
To reduce the number of user sessions opened for a long time, set the idle timeout to automatically log off users. To do this, select the Enable auto log off after <number> min of inactivity check box, and set the number of minutes.