- 
				MichaelG7
- Influencer
- Posts: 16
- Liked: 1 time
- Joined: Jul 05, 2018 7:55 am
- Full Name: Michael
- Location: Germany
- Contact:
Feature request: Bare Metal Restore Permission
When performing a bare metal restore I had to use our privileged backup admin user to access the repository. This lead to the fact that all agent backups are available.
To have access to any backup file for BMR you will at least need a user with "Veeam Restore Operator" role. You cannot further specify if this user can only restore specific backups or backups from specific repositories... (I tried to limit access to the repositories, but the restore user will always see all agent backups.)
I ask you to implement a delegation for the restore scope in case of BMR.
We have local IT stuff which should be capable to restore only specific workstations. But they should not be able to access agent backups of servers or other privileged machines.
			
			
									
						
										
						To have access to any backup file for BMR you will at least need a user with "Veeam Restore Operator" role. You cannot further specify if this user can only restore specific backups or backups from specific repositories... (I tried to limit access to the repositories, but the restore user will always see all agent backups.)
I ask you to implement a delegation for the restore scope in case of BMR.
We have local IT stuff which should be capable to restore only specific workstations. But they should not be able to access agent backups of servers or other privileged machines.
- 
				HannesK
- Product Manager
- Posts: 15598
- Liked: 3445 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Feature request: Bare Metal Restore Permission
Hello,
the request makes sense, but I don't see improvements in the near future. RBAC is a complex topic that requires many changes at many points.
In the meantime, I'm thinking about whether the following workarounds could help you: create one repository per agent (with powershell). Multi-tenancy is also possible with Cloud-Connect-Enterprise, but this might be "too much".
Best regards,
Hannes
			
			
									
						
										
						the request makes sense, but I don't see improvements in the near future. RBAC is a complex topic that requires many changes at many points.
In the meantime, I'm thinking about whether the following workarounds could help you: create one repository per agent (with powershell). Multi-tenancy is also possible with Cloud-Connect-Enterprise, but this might be "too much".
Best regards,
Hannes
- 
				MichaelG7
- Influencer
- Posts: 16
- Liked: 1 time
- Joined: Jul 05, 2018 7:55 am
- Full Name: Michael
- Location: Germany
- Contact:
Re: Feature request: Bare Metal Restore Permission
Hello, 
thank you for the workaround. Unfortunately I was not able to use the "repository access permissions" in a meaningful way. Even if the user is not allowed for a specific repository, he is still able to see all backups. How is this feature supposed to work?
Best regards,
Michael
			
			
									
						
										
						thank you for the workaround. Unfortunately I was not able to use the "repository access permissions" in a meaningful way. Even if the user is not allowed for a specific repository, he is still able to see all backups. How is this feature supposed to work?
Best regards,
Michael
- 
				PTide
- Product Manager
- Posts: 6595
- Liked: 805 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Feature request: Bare Metal Restore Permission
Hi,
First of all, do your agents operate in a standalone mode pointing to VBR repo, or they are managed by VBR (i.e. you've configured backup jobs on VBR side)
Thanks!
			
			
									
						
										
						First of all, do your agents operate in a standalone mode pointing to VBR repo, or they are managed by VBR (i.e. you've configured backup jobs on VBR side)
Thanks!
- 
				MichaelG7
- Influencer
- Posts: 16
- Liked: 1 time
- Joined: Jul 05, 2018 7:55 am
- Full Name: Michael
- Location: Germany
- Contact:
Re: Feature request: Bare Metal Restore Permission
Our Agents are managed by VBR.
We only have one standalone agent, which we have not been able to configure with VBR, but this is another topic.
			
			
									
						
										
						We only have one standalone agent, which we have not been able to configure with VBR, but this is another topic.
- 
				HannesK
- Product Manager
- Posts: 15598
- Liked: 3445 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Feature request: Bare Metal Restore Permission
sorry, good point. I forgot that this only works for unmanaged agents (access permissions on the repository).I was not able to use the "repository access permissions" in a meaningful way
- 
				MichaelG7
- Influencer
- Posts: 16
- Liked: 1 time
- Joined: Jul 05, 2018 7:55 am
- Full Name: Michael
- Location: Germany
- Contact:
Re: Feature request: Bare Metal Restore Permission
So the only option would be to run a second instance of VBR to limit the access? (This option would be way to too much..)
I hope that you will be able to implement the feature or at least make the "access permissions on the repository" feature work in case of BMR.
Thank you,
Michael
			
			
									
						
										
						I hope that you will be able to implement the feature or at least make the "access permissions on the repository" feature work in case of BMR.
Thank you,
Michael
- 
				HannesK
- Product Manager
- Posts: 15598
- Liked: 3445 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Feature request: Bare Metal Restore Permission
or use unmanaged agents where each agent has it's own repository and only access to this one repository.
			
			
									
						
										
						Who is online
Users browsing this forum: Google [Bot] and 5 guests