Configuring Roles

To perform Veeam Backup & Replication operations, you can either assign the default roles to users or create custom roles depending on your needs.

Default Roles

The default roles are the following:

Role

Operations

Veeam Backup Administrator

Can perform all administrative activities in the Veeam Backup & Replication console. Note that Veeam Backup Administrator has full access to all files on servers and hosts added to the backup infrastructure.

Veeam Security Administrator

Can perform the following operations:

  • Add, edit and delete all types of credential records supported by Veeam Backup & Replication. For more details, see Managing Credentials.
  • Manage Security & Compliance Analyzer: run security checks, configure scan scheduling, exclude parameters from the checklist. For more details, see Security & Compliance Analyzer.
  • Approve four-eyes authorization requests. For more details, see Four-Eyes Authorization.

Incident API Operator

Can perform Veeam Backup & Replication REST API requests to manage malware detection events. For more details, see the Malware Detection section in the Veeam Backup & Replication REST API Reference.

Incident API Operators do not have access to the Veeam Backup & Replication console. Since they interact only with Veeam Backup & Replication REST API, make sure that multi-factor authentication is disabled for the user you add as Incident API Operator. For more details, see Disabling MFA for Service Accounts.

Veeam Restore Operator

Can perform restore operations using existing backups and replicas.

Consider the following:

  • Veeam Restore Operator can restore data from any backups. This allows them to restore disks and files with specially crafted malicious content. To reduce the risk of privilege escalation attacks and the entire system takeovers, assign this role with caution.
  • Veeam Restore Operator can overwrite existing VM, disk and file instances during VM, disk and file-level restore operations.
  • Veeam Restore Operator cannot migrate a recovered VM to the production environment during Instant Recovery.

Veeam Backup Operator

Can start and stop existing jobs, export backups, copy backups and create VeeamZip backups.

Veeam Backup Viewer

Has the read-only access to the Veeam Backup & Replication console. Can view a list of existing jobs and review the job session details.

Veeam Tape Operator

Can manage tapes and perform the following operations:

  • Rescan tape libraries and tape servers.
  • Run tape backup jobs, tape catalog jobs, tape inventory jobs, tape verification jobs.
  • Eject tapes.
  • Import and export tapes.
  • Mark tapes as free.
  • Move tapes to a media pool.
  • Erase tapes.
  • Set a tape password.
  • Copy tapes.

You can assign several roles to the same user. For example, if you want a user to start jobs and perform restore operations, you can assign both the Veeam Backup Operator and Veeam Restore Operator roles to this user.

Custom Roles

You can create custom roles in Veeam Backup & Replication to assign tailored permissions and granular access scopes to users or groups. Custom roles help you enforce the principle of least privilege and align user access with your organization’s operational policies.

To configure a custom role, use the Add New Role wizard and complete the following steps:

  1. Launch the Add New Role wizard
  2. Specify the role name and description
  3. Define the inventory scope
  4. Define the repository scope
  5. Configure the restore permissions
  6. Define the restore target scope
  7. Finish working with the wizard

Page updated 8/7/2025

Page content applies to build 13.0.0.4967