JHarman
Novice
Posts: 5
Liked: 1 time
Joined: Jul 26, 2018 8:58 am
Full Name: Jonathan Harman

[Feature Request] Granular permissions for Enterprise Manager

Post by JHarman »

I've recently started testing Enterprise Manager and although it has a Self Service restore feature, it is by default incredibly insecure in a clinical or confidential environment. I raised a case# 03452896 to see if I could get clarification and they suggested I post here to suggest some changes.

For starters, once set up ANY valid AD user can log in by default, this should really be denied by default, only allowing users with Roles assigned to log in, this at least should be a simple change.

Allowing a user access to self service restores currently allows the user access to mount and browse the entire filesystem on the VM(s) allowed, rather than just the files they own, so they can see filenames for files they shouldn't have access to, even if they can't access the actual data they can determine a file exists.
This really should be prevented, NTFS/ACL permissions should be respected, a simple implementation would be to hide all files they don't have access to (but that will still allow folder browsing so still not ideal), but ideally the mount should only show the folders/files they have access to and no other parts. Possibly also a Role that works based on file locations rather than whole VMs could be useful, while that will cause a small extra management overhead it would allow restores say on SMB shares only and not allow access to system files etc. Searches could also be limited to files they have access to only (filtering by file extension is insufficient security here).

A more robust permissions setup is clearly required here, for an "Enterprise Manager" it's currently only really suited for very small businesses where security is lax.
Dima P.
Product Manager
Posts: 14417
Liked: 1576 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: [Feature Request] Granular permissions for Enterprise Manager

Post by Dima P. »

Hello Jonathan,

Thank you for your post!
> For starters, once set up ANY valid AD user can log in by default, this should really be denied by default, only allowing users with Roles assigned to log in, this at least should be a simple change

When you are adding an account to the Enterprise Manager access list you must specify its role: portal administrator, restore operator or portal user. You are the one to decide the access permissions (and the scope of allowed machines/restore types for the last two roles).

> Allowing a user access to self service restores currently allows the user access to mount and browse the entire filesystem on the VM(s) allowed, rather than just the files they own, so they can see filenames for files they shouldn't have access to, even if they can't access the actual data they can determine a file exists.

In your environment, do multiple users without administrative accounts share the same VM between each other? What's the application or use case for such a setup in your environment? Thank you in advance!

Re: [Feature Request] Granular permissions for Enterprise Manager

Post by JHarman »

Thanks for the response! I appreciate this may be unique to my situation.
Firstly, my issue is that any user can log in, regardless of role; they should really be flat out denied access rather than being allowed in until a role has been assigned. (I've only assigned a role to our domain admins, but any user can log in without a role even though it "appears" they can't do anything.) Adding a Self Service role here could work so I can add only the "standard" users required.

As for your second query this is more about FLR rather than VM restores. File shares. Central servers with shared folders in for departments etc. Tiered access here would be invaluable. Admins could restore anything from any part of the VM, Power users/Service desk could restore files ONLY from the shared folder drives so they can't interfere with the main system in any way, then one day (as this one is probably a tough ask) end users can ONLY access and restore files they'd normally have access to.

I'm pretty sure the way Veeam works this would all be possible. But I would also understand if I'm in the minority here.

Re: [Feature Request] Granular permissions for Enterprise Manager

Post by Dima P. »

Hello Jonathan,

Thanks for sharing the details. I've been told (thanks QA team!) that there is a special registry key to disable self-service portal access for all users

HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup Reporting\
SelfServiceRestorePortal
dword
value= 0

Give it a try and let us know if it works for you or not. Cheers!
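
The registry setting from the post above, as an added PowerShell example (not code from the thread or from Veeam): it reports the current state of the value and only writes it when run with `-Apply`, so it can double as a periodic configuration check. It assumes it is run on the Enterprise Manager server; the `-Apply` switch, variable names and helper function are hypothetical, and the thread does not say whether any service restart is needed afterwards.

```powershell
# Added example: audit (default) or set (-Apply) the value quoted in the post.
[CmdletBinding()]
param(
    [switch]$Apply   # hypothetical switch: without it the script only reports
)

$KeyPath   = 'HKLM:\SOFTWARE\Veeam\Veeam Backup Reporting'  # key path from the post
$ValueName = 'SelfServiceRestorePortal'                     # value name from the post
$Desired   = 0                                              # dword data from the post

if (-not (Test-Path -LiteralPath $KeyPath)) {
    Write-Error "Key not found: $KeyPath (is this the Enterprise Manager server?)"
    exit 2
}

function Get-PortalSetting {
    # Returns $null when the value is absent, otherwise its data and registry type.
    $prop = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    [pscustomobject]@{
        Data = $prop.$ValueName
        Kind = (Get-Item -LiteralPath $KeyPath).GetValueKind($ValueName)
    }
}

function Test-PortalSetting($Setting) {
    # Compliant only if the value exists, is a DWORD and holds the desired data.
    $null -ne $Setting -and $Setting.Kind -eq 'DWord' -and $Setting.Data -eq $Desired
}

$before = Get-PortalSetting
if (Test-PortalSetting $before) {
    Write-Output "OK: $ValueName is DWORD $Desired"
    exit 0
}

$state = if ($null -eq $before) { 'absent' } else { "$($before.Kind) $($before.Data)" }
Write-Warning "$ValueName is $state, expected DWORD $Desired"

if (-not $Apply) { exit 1 }   # report-only run: non-zero exit flags the drift

# Writing under HKLM requires an elevated session.
New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -PropertyType DWord `
    -Value $Desired -Force | Out-Null

if (Test-PortalSetting (Get-PortalSetting)) {
    Write-Output "Set: $ValueName is now DWORD $Desired"
    exit 0
}
Write-Error "Failed to set $ValueName"
exit 3
```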

Re: [Feature Request] Granular permissions for Enterprise Manager

Post by JHarman »

That's a massive change, thank you! It looks like it will only allow access to users with assigned roles which is a big part of what I needed.
Hopefully some updates down the road will allow file/share only access to some groups, but at least I don't have to give up on Enterprise Manager.