Comprehensive data protection for all workloads
Post Reply
S_Matasic
Service Provider
Posts: 23
Liked: 12 times
Joined: Feb 15, 2016 1:41 pm
Full Name: Steve Matasic
Contact:

[Feature Update] More Diverse Roles in VBR & EM

Post by S_Matasic » 1 person likes this post

We are a SP and have our support staff logging into the VBR Console as well as our hosted EM portal to manage tenant jobs. For the most part our tenants are self-service, but in some instances our support staff needs to edit jobs for our tenants. A lot of the times it is just to set some options that are more advanced than what is in the EM portal.
However, the only options of roles in VBR are:
Veeam Restore Operator: Can only perform restores.
Veeam Backup Operator: Can only start, stop, or retry jobs.
Veeam Backup Administrator: Full console admin
Veeam Tape Operator: Doesn't really apply to our environment
Veeam Backup Viewer: Read only for backup jobs.

We can't limit our support staff to Backup and Restore Operators because they then don't have the ability to edit backup jobs. We also cannot give them the Backup Administrator because they then would have full admin control over the system.

Enterprise Manager:
Portal Administrator: Full portal admin
Portal User: Doesn't have the ability to edit jobs
Restore Operator: Restores only

We can't limit our support staff to only having the Portal Administrator role, as that would provide too much access and allow for mistakes that could make the system unavailable. However, we also cannot provide them with Portal User and Restore Operator as it doesn't allow editing of tenant jobs in the EM portal.

We need there to be a "Backup Job Administrator" that would provide our support staff with access to all the backup jobs on the platform, while restricting them from global settings in the VBR Console and EM Portal.
As a work around we are going to have to provide some users with extra permissions and instruct them not to mess with the administrative settings in the systems. Which isn't ideal as we would like to try and keep the least level of permissions while still allowing them to do their jobs without impacting our tenants experiences.

This could apply to the enterprise as well, in the way of a tiered Help Desk, with different members having different access levels.
rbienvault
Influencer
Posts: 19
Liked: 9 times
Joined: Jun 09, 2020 9:17 am
Full Name: Romain
Contact:

Re: [Feature Update] More Diverse Roles in VBR & EM

Post by rbienvault »

Hello,
I will add something,
It will be great to have a way to do customize the role that we need on the platform.
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: [Feature Update] More Diverse Roles in VBR & EM

Post by Gostev »

@S_Matasic I think you should be able to achieve this already using our vSphere Self-Service Backup & Restore portal, by giving support staff a portal quota that has access to the entire vSphere environment.
S_Matasic
Service Provider
Posts: 23
Liked: 12 times
Joined: Feb 15, 2016 1:41 pm
Full Name: Steve Matasic
Contact:

Re: [Feature Update] More Diverse Roles in VBR & EM

Post by S_Matasic »

@Gostev we utilize the portal for vCloud Director Self-Service for tenants to backup their items, not via vSphere Self-Service. Our support staff is logging in via the Enterprise Manager with SAML for added security. Given that in order for them to be able to edit backup jobs, they'd also be able to edit the SAML config, it really isn't that secure I guess. As rbienvault stated, would also be nice to be able to fine-tune the roles to provide different levels of support more granular access to the systems.

Our tenants have the appropriate amount of access via their individual portals. Our support staff does not, as we like to limit their connectivity into the VBR Console so they use the system in a similar fashion as our tenants do, so they can provide a better support experience.
In any case, needed full admin permissions within the VBR Console and the Self-Service Console isn't the most secure to the product as they have admin level access to global settings that could take the system down if changed.
Post Reply

Who is online

Users browsing this forum: rjv1971, Semrush [Bot] and 161 guests