Veeam Agent Restore Permissions

[akrietsch]

I have been testing with the new release of VAW. With the servers I am testing, they are all currently backing up to a VBR repository.

It appears that local administrators on the servers that are being backed up have the capability to start backups and restores. Is there a way to control who has the ability to kick off backups and restores? I care less about the ability they have to start a backup, but we tightly control who has the ability to restore something, and we don't want a user to be able to restore something (just because they are a local admin on that server) without going through the proper channels first.

More alarmingly, it looks those same users have the ability to choose to restore something from any other server being backed up by VAW and stored on our VBR repository. For example, a local admin on APPSERVER1 could choose to restore a file, and then in the File Restore Wizard they can click on the "Backup" tab and see and choose from the other VAW servers, including DC1, a domain controller we are backing up that the user otherwise has no access to. That user can then restore files from the DC1 backup using APPSERVER1.

Are there any controls that we have so that users are not able to do any of this unless they are a Veeam administrator?

[DGrinev]

Hi Alex,

You should set agents permissions for the backup repository through Veeam B&R Console by adding computer name. This way, the local admin of the server will see only the backup related to his machine.
Please review this article about Setting up User Permissions on Backup Repositories. Thanks!

[skochetkov]

Hello Alex,

Backup configuration and restore processes require administrative privileges. Backup start doesn't. What about ability being able to restore anything from the said VB&R server: did you separate your backups by using agent permission option?
https://helpcenter.veeam.com/docs/agent ... tml?ver=20

[akrietsch]

Ok, originally I had a Veeam service account as the only listed account under Agent permissions for my repository. This is an account that is a local admin on my Veeam servers and is also the account that I specified in the VAW job to connect to the repository.

Is there anything special I need to do when changing the agent permissions? I have tried everything from specifying the Computer account, to denying to everyone, and the restore capability from the servers that I described before is exactly the same. No changes.

[DGrinev]

Hi Alex,

Agents can see all backup files in the repository as they were created by using the same account.
Follow this step by step guideline to achieve what you are after (this can be done only in domain environment):
1. Add a particular server by domain\computer name to the repository permissions.
2. Open Veeam Agent on the server and clear checkbox with personal credentials in Configure backup menu.
3. Initiate new backup run.
4. When it will be completed check that the local admin of the server can see only latest backup.
5. Repeat for each server or user account.

Also, you can use domain user accounts for the repository permissions instead of computer accounts. Thanks!

[akrietsch]

Thanks. That process of adding the computer accounts and removing the service account from the job gave me the desired result.

[MichaelG7]

During a file level restore only the files for the specific workstation are available.
But when performing a bare metal restore i had to use our privileged backup admin user to access the repository. This lead to the fact that all agent backups are available.
Is there any way to restrict the visibility of the other backups in case of bare metal recovery?