Why does Veeam Agent require permanent local administrator permission to work?
While I do understand why it would be required for initial installation of the software, possibly also for updates.
I could live with it requiring administrator role for certain recovery operations.
But the rest of 99,9999...% of the time it just takes backup of files/blocks.
So why isn't it possible to rely on backup operator the rest of the time, instead of having a password with administrative permission on backup server?
-
- Enthusiast
- Posts: 38
- Liked: 1 time
- Joined: Apr 11, 2019 11:37 am
- Full Name: Dejan Ilic
- Contact:
-
- Enthusiast
- Posts: 48
- Liked: 7 times
- Joined: Jun 18, 2013 8:12 am
- Full Name: Nils Petersen
- Contact:
Re: Why isn't "Backup Operator" role used ("day 2" question)
Veeam Agent uses volume shadow copies and requires full access to the disk(s). After all, even files with privileged access are backed up.
-
- Enthusiast
- Posts: 38
- Liked: 1 time
- Joined: Apr 11, 2019 11:37 am
- Full Name: Dejan Ilic
- Contact:
Re: Why isn't "Backup Operator" role used ("day 2" question)
Yes, but the backup operator is able to access these files as a part of the role features:
"Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files."
https://docs.microsoft.com/en-us/window ... poperators
The VSS handling could be done thru a minimal Veeam VSS handling service and nothing else (for security reasons), or possibly if the software (MSSQL) does that when asked to go into backup mode.
I think that Veeam Agent for Linux does that separation into two parts, one daemon with privileges and other part with less permissions.
If restore requires administrative rights it could ask for the user/password without saving credentials with the higher permissions, thus not leaving a possible stash useful for malware.
-
- Product Manager
- Posts: 14726
- Liked: 1707 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: Why isn't "Backup Operator" role used ("day 2" question)
Hello Dejan,
When you install Veeam Agent for Windows as a standalone product (i.e. not managed by Veeam B&R console) it runs under local system account. From Veeam B&R perspective admin access is required to access the machine, install the agent, upgrade all the needed components, run required services. Thanks!