Comprehensive data protection for all workloads
cdesch
Veeam ProPartner
Posts: 20
Liked: 7 times
Joined: Jul 06, 2016 11:25 am
Full Name: Christian Desch
Contact:

Feature request: Role based access in Veeam Console

Post by cdesch »

Hi all,

is it planned, like in Enterprise Manager, to get granular role based access permission within the Veeam Console ?

In our environment, we have many restore users, they need more features, then EM has, so it is necessary and a very big wish:
- make the EM more useable

or

- integrate RBAC into the Veeam Console

Thx, for some comments,
Chris
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Feature request: Role based access in Veeam Console

Post by Mike Resseler »

Hi Christian,

We already have (some) RBAC in the Veeam Console. See here: https://helpcenter.veeam.com/docs/backu ... tml?ver=95

Can you let us know what exactly you are seeking and what we are missing in both EM and the Console?

Many thanks
Mike
cdesch
Veeam ProPartner
Posts: 20
Liked: 7 times
Joined: Jul 06, 2016 11:25 am
Full Name: Christian Desch
Contact:

Re: Feature request: Role based access in Veeam Console

Post by cdesch »

Hi Mike,

yes sure.

It would be nice if:
- we have i.e. various MS exchange jobs -> so the resulting backups should be only viewable/restoreable for the Exchange Admin user group from AD
-> RBAC could be based on Job level, or vCenter VM Folder Level, or if dedicated repositories are used

- like in EM, user groups with role permission restore -> could be assingd to vCenter VM folder level, an the permission allows only to recover files with special extension -> this we are missing too in Veeam Console

- since we still could not choose in the EM WebUI the "restore proxy" (very necessary with many branch offices, where onsite proxy / local repos exists) , in all this cases we have to allow thees branch office restore users, to the veeam console, but then the see ALL backups , that should not be allowed, but we cannot restrict them with v9.5

I could give you much more examples if you like, but the fact is, RBAC is nice in EM Web UI, but only for restore, not for backup -> there ist no Backup Scope in EM for RBAC, but the feature set is very limited within EM -> so we have to give the restore users permission within the Veeam Console -> but then, even they get bestore or backup permission, they see all backup data, which is not okay, in our distributed environment.

We cannot build for each department an seperate Veeam B&R Server, only because RBAC is not working.

Thx for further comments,
Chris
edirschedl
Enthusiast
Posts: 44
Liked: 4 times
Joined: Jul 21, 2016 12:29 pm
Full Name: Emanuel Dirschedl
Contact:

Re: Feature request: Role based access in Veeam Console

Post by edirschedl »

Hello,

any news / information / advice regarding this topic? The same granularity Christian described for the VEEAM B&R console as in the EM, would be very helpful and it's needed for enterprise customers, which have a big in-house IT, with a lot of application admins, responsible people for subsidiaries etc.

Thank you!
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Feature request: Role based access in Veeam Console

Post by Mike Resseler »

Hi Edirschedl,

No news for the moment to be honest. This would be a feature request and all votes for it are counted. However, I did just notice I didn't reply on Chris his last remark. It is not the idea (with the Veeam Console) to install separate Veeam B&R servers, only the console (so the UI). Is that a possibility? Maybe on a administration consoles server or similar?
edirschedl
Enthusiast
Posts: 44
Liked: 4 times
Joined: Jul 21, 2016 12:29 pm
Full Name: Emanuel Dirschedl
Contact:

Re: Feature request: Role based access in Veeam Console

Post by edirschedl »

Hi Mike,

I don't understand your idea completely. What's the difference if I install the VEEAM console on a specific administration console server? Yes of course, only the guys who have access to the console server can open the VEEAM GUI, but within VEEAM they have full restore permission for all vms (and not only for single vms, folders or jobs), if I add them to the restore operator role.

Regards,
Emanuel
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: Feature request: Role based access in Veeam Console

Post by Mike Resseler »

Hi,

Understood. I made the mistake to reply only on the question of installing VBR (fully) on different servers which of course is not the idea. Your use case makes a lot of sense but I can't promise anything at this point in time. The request is noted and counted ;-)

One last question if you don't mind. I noticed that in your first post you requested to make EM more usable (you already pointed out a few items you would like to see) but I would appreciate it if you could give us more examples of must-haves in that console.

Thanks
Mike
edirschedl
Enthusiast
Posts: 44
Liked: 4 times
Joined: Jul 21, 2016 12:29 pm
Full Name: Emanuel Dirschedl
Contact:

Re: Feature request: Role based access in Veeam Console

Post by edirschedl »

Hey Mike,

- Full-VM-Restore - no overwrite of original vm (same as "Restore to a new location")
- Instant-VM-Recovery possibility
- Linux FLR helper appliance settings (change location of Linux Helper Appliance in EM)
- Exchange Application Items Restore on VMs instead of AD mailboxes - the same as in B&R console, please
- SQL Application items restore with single objects restore possibility (single tables etc.)
- Windows / Linux FLR: Copy to feature
- Windows / Linux FLR: visible restore points from Backup copy job (currently only restore points from backup jobs selectable)
Skill_user106
Lurker
Posts: 1
Liked: 1 time
Joined: May 17, 2017 9:41 am
Full Name: Jai
Contact:

[MERGED] Console for accessing backup for individual site

Post by Skill_user106 » 1 person likes this post

Hi

I work for a internal IT team , we currently have Veeam backup running but this is managed by an IT provider, the setup is they have Veeam running in their data centre, they also have many other clients/sites in this veaam backup in their data center, currently whenever we want anything restored we have to contact them as they cannot give us access to their console as it hosts other clients.

Is there any way a console or some sort of login can be provided or created so it would just show our companys's backup giving us the ability to restore backups from our end without having to contact us

Thanks
romeop
Lurker
Posts: 1
Liked: never
Joined: Sep 06, 2017 9:06 am
Full Name: Romeo Pavel
Contact:

Re: Feature request: Role based access in Veeam Console

Post by romeop »

Hi everybody,

I want to cast my vote as well for this feature. Granular Role Based Access in the Veeam Backup&Restore.
Having some Restore Operators for a specific Subsidiary be able to open all backup jobs and even read exchange e-mails from the Headquarter backups is totally unacceptable.

As a side question: could the "Agent Permissions" on a Backup Repository function be extended so it will also restrict Recovery based on those Permissions ? At least we can than restrict access based on Backup Repositories, which should be sufficient.
I was expecting that those permissions affect recovery actions as well, as the Documentation states, but I was disappointed to find that it has no effect whatsoever.

Thanks !
FTBZ
Influencer
Posts: 22
Liked: 2 times
Joined: May 05, 2016 11:51 am
Contact:

Re: Feature request: Role based access in Veeam Console

Post by FTBZ »

I noticed that Veeam 10 has a new "Role based access", some information about?
Gostev
Chief Product Officer
Posts: 31457
Liked: 6647 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request: Role based access in Veeam Console

Post by Gostev »

It is very similar to Self-Service Backup Portal for vCloud Director, just for vSphere (delegation is based on the existing vSphere permissions, roles or VM tags).
masonit
Service Provider
Posts: 325
Liked: 23 times
Joined: Oct 09, 2012 2:30 pm
Full Name: Maso
Contact:

[MERGED] Feature request: Limit access to specific jobs

Post by masonit »

Hi

Would like to be able to create logins through for eaxmple EM or VAC that only has access to specific jobs (Backup, Replica, Surebackup ...) in VBR. Then for example technician are only able to start backup or Surebackup of specific jobs.

\Masonit
DGrinev
Veteran
Posts: 1943
Liked: 247 times
Joined: Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev
Location: St.Petersburg
Contact:

Re: Feature request: Limit access to specific jobs

Post by DGrinev »

Hi Masonit,

Thank you for the feature request!
Your vote has been counted.
oscaru
Service Provider
Posts: 27
Liked: 11 times
Joined: Jul 26, 2016 6:49 pm
Full Name: Oscar Suarez
Contact:

Re: Feature request: Role based access in Veeam Console

Post by oscaru »

Hi,

Vote for this feature request.

As a service provider, we have some VBR servers shared by multiple tenants. We would like to give them access trough VAC to only their specific jobs, so we need more granularity in VAC to give subtenants access to specific jobs and VMs
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Feature request: Role based access in Veeam Console

Post by Vitaliy S. »

Oscar, how do you organize these jobs (define what belongs to who)?
oscaru
Service Provider
Posts: 27
Liked: 11 times
Joined: Jul 26, 2016 6:49 pm
Full Name: Oscar Suarez
Contact:

Re: Feature request: Role based access in Veeam Console

Post by oscaru »

Hi Vitaly,

We create a job for each tenant, protecting their own VMs.
So, we have a "shared" VBR server, protecting like 40 VMs., for 6 tenants.
We would like to give tenants access with Veeam Availability Console to stats to only their specific job, protecting their VMs. In this way, tenants can not check other jobs' status or even other VMs names.
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Feature request: Role based access in Veeam Console

Post by Vitaliy S. » 1 person likes this post

Oscar,

Ok, got it! Cannot guarantee that a hosted scenario will be supported in VAC in the short-term future, but you can try using Veeam ONE with its predefined reports to at least give some visibility of data protection to your customers. All reports in Veeam ONE can be scoped to a particular VM/job like you have it set up today.

Thanks!
skrause
Veteran
Posts: 487
Liked: 105 times
Joined: Dec 08, 2014 2:58 pm
Full Name: Steve Krause
Contact:

Re: Feature request: Role based access in Veeam Console

Post by skrause »

Funny I missed this originally.

I would +1 any efforts to add more granular RBAC. In any setup, please make it more like VAO (where you have to allow access to login at all) than EM (where all AD accounts can log in but then what is visible is limited by RBAC).
Steve Krause
Veeam Certified Architect
SvenP
Influencer
Posts: 13
Liked: never
Joined: Mar 31, 2016 12:53 pm
Full Name: Sven Putze
Contact:

Re: Feature request: Role based access in Veeam Console

Post by SvenP »

Did not find this feature in V10, so here we go. Since we have a very heterogeneous environment with a myriad of operating systems, and domains (with no trust bewteen them), I'd like to request this feature, too.

It is easy to backup all this with a single Veeam Backup and Recovery server. The Enterprise Manager is simply not working in this case, we would need to set up a ton of them, which results in a ton of Veeam Backup and Recovery servers, each with a different scope up to the point that is not manageable anymore.

And while you're at it: Please include authentication via LDAP. So the backup server must not be member of a domain, but could use the LDAP of an Active Directory for authentication. Beeing able to delegate the VBR console is mission critical and without it it's a nice backup solution but -- from our perspective -- not enterprise ready.
haarloser
Novice
Posts: 4
Liked: 1 time
Joined: Jun 26, 2020 5:50 am
Full Name: Jan H.
Contact:

Re: Feature request: Role based access in Veeam Console

Post by haarloser » 1 person likes this post

Hi,

RBAC for veeam b&r console ? My vote too!

I am working for an service provider. We have different customers with special contructs. Parts of their infrastucture is hosted in one of our datacenters and we have backup management for it and other parts are in branch offices where customers admins are backup operators.
veremin
Product Manager
Posts: 20270
Liked: 2252 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Feature request: Role based access in Veeam Console

Post by veremin »

Just to clarify - you're aware of vSphere Self-Service Backup Portal and it's not something that answers your requirements? Thanks!
tejko30
Novice
Posts: 6
Liked: 1 time
Joined: Feb 18, 2019 9:52 am
Full Name: Matej
Contact:

[MERGED] Feature Request: Insight into Job configuration using Viewer Role

Post by tejko30 »

Hello,

One of our clients would like "Veeam Backup Viewer" role to have insight into Veeam Jobs configuration as well. At this time, it's not possible for users with "Veeam Backup Viewer" to review (not edit) Job Configuration.

If "Veeam Backup Viewer" is meant for monitoring Sessions only, it might work with additional Role like "Veeam Backup Read Only Users" or similar. Or, if there would be an option to set up more granular permissions like some other Feature Requests are asking.

Thanks!
HannesK
Product Manager
Posts: 14287
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Feature request: Role based access in Veeam Console

Post by HannesK »

Hello,
I merged your request with one of the existing RBAC requests. Please take your request as counted +1

Best regards,
Hannes
oleg.feoktistov
Veeam Software
Posts: 1912
Liked: 635 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov
Contact:

Re: Feature request: Role based access in Veeam Console

Post by oleg.feoktistov »

Hi @tejko30,
If "Veeam Backup Viewer" is meant for monitoring Sessions only, it might work with additional Role like "Veeam Backup Read Only Users" or similar
I think it might add on confusion. Like, we implement some granularity but only here and the difference is tiny.
Could be better to have separate security claims for every action and then construct a custom role based on them.

Thanks,
Oleg
edison5000
Expert
Posts: 120
Liked: 7 times
Joined: Apr 08, 2022 4:08 pm
Full Name: e
Contact:

[MERGED]granular separation of Admin powers by dept (or alternatively, 'super user')

Post by edison5000 »

Our business is about to purchase Veeam (*on-prem only*). It looks like it can serve our backup volume and restore needs for end users just fine. However, we have been told that "there is no way to use a centralized single B&R server or the Enterprise Manager to divide up complete administrative powers by department. Eg, such that only admins in Dept A can do B&R admin things in Dept A, only admins in Dept B can admin B&R things in Dept B - and not see or control the machines being backed up in the other depts. The only way to do something like this would be to have individual B&R servers in each dept. You could opt to have a single central storage location though, with separate repositories, and then none of them would see each other."

I do not think Enterprise Manager would allow this with a single B&R server either, based on my limited time with the demo so far, but perhaps I am mistaken. Enterprise Manager Plus I think adds some more functionality to EM console, but not what we need re: depts. Veeam One is just more reporting.

So yes, we could set up multiple B&R servers per the suggestion we received.

If we do not do the aforementioned, though, it looks like per the difference in powers between Backup Administrators and all the lower-tiered roles, only Backup Administrators can add/remove/organize/push clients/adjust or force backup policies. In that case, we'd really need another tiered user role, somewhere between Backup Admin and Backup Operator, so that whatever that role a B&R user would have, they can add/remove/organize/push clients, but! - not adjust anything else on the server, like service creds, overall organization & policy.

Googling around further, it almost seems like what we want is a (currently non-existent) on-prem version of Service Provider Console.

I am not suggesting posting here will magically make our scenario possible, but perhaps there is a Veeam topology that somebody missed during our inquiries.

Suggestions?

thanks Veeamers! : )
Mildur
Product Manager
Posts: 8549
Liked: 2223 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: Feature request: Role based access in Veeam Console

Post by Mildur »

Hi Edison

Thanks for the request and explaining your situation. I moved your request to this RBAC Request for the VBR Console and we count it +1
Product Management Analyst @ Veeam Software
Gostev
Chief Product Officer
Posts: 31457
Liked: 6647 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: [MERGED]granular separation of Admin powers by dept (or alternatively, 'super user')

Post by Gostev » 2 people like this post

edison5000 wrote: Apr 08, 2022 5:14 pmGoogling around further, it almost seems like what we want is a (currently non-existent) on-prem version of Service Provider Console.
But it exists! Any enterprise customer can get the Veeam Service Provider Console (VSPC) at no extra cost. We do have a significant number of enterprise customers using VSPC since its inception. To be clear, VSPC *is* an on-prem software, as opposed to a cloud service.
edison5000
Expert
Posts: 120
Liked: 7 times
Joined: Apr 08, 2022 4:08 pm
Full Name: e
Contact:

Re: Feature request: Role based access in Veeam Console

Post by edison5000 »

Thanks Gostev. So, you are saying then, that there is RBAC in the Service Provider Console, that would let us configure RBAC so we could divide up administrative powers by department / ou (or I don't know what they're called... backup groups?) Or per this thread - not yet? And, am I also assuming that you cannot do what I am suggesting, presently, from the service console OR BEM (Plus)?

Either way, if Provider Console is for on-prem, I'm not sure why we were told that "all on-prem Veeam product option should be available for you to test in the demo download of VAS". It's not in there, only B&R, BEM, & Veeam One. (no BEM Plus, and no Console). Also if it's on prem, why is it called "Service Provider"? : )

That being said - is there somewhere to download the Console? It just integrates with B&R? Does it need to be run on its own server? Sorry for all the questions, I have not seen link to info about 'on prem' console, only 'Service Provider', implying cloud.

Also, fyi: we only need to back up user endpoints. No servers, vm's, or hypervisor stuff at all.

If you have a useful link for this, info or download that would be great.

I see this, so far

https://helpcenter.veeam.com/docs/vac/d ... tml?ver=60

"Veeam Service Provider Console is a cloud-enabled platform for centralized management and monitoring of data protection operations and services."

https://helpcenter.veeam.com/docs/vac/p ... tml?ver=60


Thanks again for the info!
Gostev
Chief Product Officer
Posts: 31457
Liked: 6647 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Feature request: Role based access in Veeam Console

Post by Gostev »

Well, there's just too much to uncover for a forum post if you're starting literally from zero with VSPC :) the proper way at this point would be for you to reach out to your Veeam sales rep and ask for its live demo by a pre-sales engineers, who will also be able to answer all your questions above. Thanks!
Post Reply

Who is online

Users browsing this forum: Bing [Bot], Google [Bot] and 165 guests