Configuring Roles
To perform Veeam Backup & Replication operations, you can either assign the default roles to users or create custom roles depending on your needs.
The default roles are the following:
Role | Operations |
---|---|
Veeam Backup Administrator | Can perform all administrative activities in the Veeam Backup & Replication console. Note that Veeam Backup Administrator has full access to all files on servers and hosts added to the backup infrastructure. |
Veeam Security Administrator | Can perform the following operations:
|
Incident API Operator | Can perform Veeam Backup & Replication REST API requests to manage malware detection events. For more details, see the Malware Detection section in the Veeam Backup & Replication REST API Reference. Incident API Operators do not have access to the Veeam Backup & Replication console. Since they interact only with Veeam Backup & Replication REST API, make sure that multi-factor authentication is disabled for the user you add as Incident API Operator. For more details, see Disabling MFA for Service Accounts. |
Veeam Restore Operator | Can perform restore operations using existing backups and replicas. Consider the following:
|
Veeam Backup Operator | Can start and stop existing jobs, export backups, copy backups and create VeeamZip backups. |
Veeam Backup Viewer | Has the read-only access to the Veeam Backup & Replication console. Can view a list of existing jobs and review the job session details. |
Veeam Tape Operator | Can manage tapes and perform the following operations:
|
You can assign several roles to the same user. For example, if you want a user to start jobs and perform restore operations, you can assign both the Veeam Backup Operator and Veeam Restore Operator roles to this user.
You can create custom roles in Veeam Backup & Replication to assign tailored permissions and granular access scopes to users or groups. Custom roles help you enforce the principle of least privilege and align user access with your organization’s operational policies.
To configure a custom role, use the Add New Role wizard and complete the following steps:
- Launch the Add New Role wizard
- Specify the role name and description
- Define the inventory scope
- Define the repository scope
- Configure the restore permissions
- Define the restore target scope
- Finish working with the wizard
Roles Limitations
General
- Custom roles are only available in the Windows-based backup console. They are not supported in the Web UI, PowerShell, or REST API.
- Assigning both custom and built-in roles to the same user or group is not supported.
- Empty nodes may be displayed if their objects are inaccessible to a custom role.
- If an administrator moves or copies a backup, the backup ACL will be reset, which may result in custom roles losing access to the backup.
Backup
- If a user does not have permission to view certain credentials, those credentials do not appear in the backup wizard when editing a job. However, the credentials remain configured in the job.
- If a custom backup operator is not restricted to a specific repository, backups can be created in Snapshot Repositories.
Recovery
- Quick Migration is only available to users with administrator privileges.
- The Encrypted backups node is not available to restore operators.
- Backup copy jobs are not visible in the backup scope selection for roles.
- Backups imported as VBK are not visible in the backup scope selection in the role wizard.
- A role with restrictions on the restore target cannot select a different location for the Copy to option in Linux file-level restore.
- The software appliance backup server remains available for use even if only the Original location option is selected.
VMware vSphere
- In the Tag view, all vCenters are always visible but cannot be added or expanded. VMware tags can only be used if they have been explicitly added to a role.
- vApps may be visible but cannot be used.
- VMware objects associated with those added to a role may be visible but cannot be used.
- Unavailable original hosts may remain visible in certain restore wizards.
Unstructured Data Backup
- Role-based access control does not support instant file share recovery.
- If the original location is included in the target restore scope, the Copy to option in specific file and folder restore is unavailable.
- The Copy to option may be used to restore to more locations than those defined in the target restore scope.