VMware infrastructure
Veeam B&R (9.5 U3) on physical server with local repository
IBM TS3200 tape library and daily export/import
Challenge
In the company we have:
Backup admins whose task is to configure and monitor backup jobs and infrastructure.
Other members are tasked only to check out the tapes from the library to an external vault and check the expired tapes back in to the library. These members are non-admins on any of the servers/workstations, and we need them to be able to manage the tape export/import.
Problem
As per Veeam docs, only members of the local admins group can launch local/remote Veeam console
View only members on the Veeam console can’t export/import tapes
Using PowerShell exposes Veeam admin password in the script
The only workaround we found is to set the tape job to export the tapes upon finish and to run an import PowerShell script on a timely basis using Windows scheduled tasks, but some days there are more tapes to export/import than the 3 library I/O slots.
Questions
Why are local admin privileges needed to open the Veeam Console?
How do you delegate tape import/export to non-admins?
Tijani wrote: How do you delegate tape import/export to non-admins?
You can test backup operator role for your tape users. We've included these tape operations to the backup operator role. Let me know if that works for your case. Thank you.
Not really. The backup operator role is oversized, since I don't want the tape management operator to be able to start backup jobs, which could affect the data protection period. The tape operator role discussed in the topic you mentioned looks promising if implemented separately from the backup role.
The local admin privileges are also overkill. The operator only needs to 'see' media pools and vaults inventory and perform import/export.
I guess I need to code something that relies on PowerShell to do the job while obfuscating the Backup Administrator password.
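
One way to delegate only tape import/export without placing any password in a script is a Windows PowerShell Just Enough Administration (JEA) endpoint on the backup server. The sketch below is an added example, not code from the thread or from Veeam. It assumes a hypothetical group `CORP\TapeOperators`, a hypothetical module name `TapeOps`, the 9.5 `VeeamPSSnapin` snap-in, and that the JEA virtual account (a temporary local administrator) is accepted by Veeam as a backup administrator.

```powershell
# Added example. Run once, elevated, on the Veeam B&R server (Windows PowerShell 5.1).
# Hypothetical names: CORP\TapeOperators, TapeOps, the transcript path.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\TapeOps'
$logDir = 'C:\ProgramData\TapeOps\Transcripts'
New-Item -ItemType Directory -Path "$module\RoleCapabilities", $logDir -Force | Out-Null
New-ModuleManifest -Path "$module\TapeOps.psd1"

$functions = @(
    # Internal helper: defined in the session but not listed as visible.
    @{ Name = 'Use-Veeam'; ScriptBlock = {
        if (-not (Get-PSSnapin VeeamPSSnapin -ErrorAction SilentlyContinue)) {
            Add-PSSnapin VeeamPSSnapin
        }
    } },
    @{ Name = 'Get-TapeInventory'; ScriptBlock = {
        Use-Veeam
        # Property names as exposed by the tape medium object (assumed).
        Get-VBRTapeMedium | Select-Object Name, Barcode, Location
    } },
    @{ Name = 'Import-Tape'; ScriptBlock = {
        Use-Veeam
        Import-VBRTapeMedium -Library (Get-VBRTapeLibrary) -Wait
    } },
    @{ Name = 'Export-Tape'; ScriptBlock = {
        # Only plain tape names are accepted; the pattern is an assumption.
        param([Parameter(Mandatory)]
              [ValidatePattern('^[\w\- ]{1,64}$')]
              [string[]]$Name)
        Use-Veeam
        Export-VBRTapeMedium -Medium (Get-VBRTapeMedium -Name $Name) -Wait
    } }
)

# Role: operators can call the three tape functions and nothing else.
New-PSRoleCapabilityFile -Path "$module\RoleCapabilities\TapeOperator.psrc" `
    -FunctionDefinitions $functions `
    -VisibleFunctions 'Get-TapeInventory', 'Import-Tape', 'Export-Tape'

# Endpoint: runs as a one-time virtual account, so no stored credential exists.
New-PSSessionConfigurationFile -Path "$module\TapeOps.pssc" `
    -SessionType RestrictedRemoteServer -RunAsVirtualAccount `
    -TranscriptDirectory $logDir `
    -RoleDefinitions @{ 'CORP\TapeOperators' = @{ RoleCapabilities = 'TapeOperator' } }

Register-PSSessionConfiguration -Name 'TapeOps' -Path "$module\TapeOps.pssc" -Force
```

A tape operator then connects with `Enter-PSSession -ComputerName <backup-server> -ConfigurationName TapeOps` under their own non-admin account, and every session is recorded in the transcript directory.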