rbbch
Influencer
Posts: 18
Liked: never
Joined: Mar 16, 2022 12:44 pm
Full Name: Ben Curtis-Haigh

Veeam - Deletion Account - Permissions

Post by rbbch »

Hello All,

Hope everyone is well.

Hoping to try and get somewhere with this OR see how others have got it configured. Data loss is a real concern for me. Veeam permissions are pretty poor as it seems you can only really give all or nothing; it's not granular at all like vSphere. If multiple people all have access to Veeam, then there is a risk that they can delete backups. Immutability is something we would use, but because it requires forward incremental, it will require us doing a synthetic full and effectively doubling our backup storage requirements. We have a massive number of backups so this wouldn't be suitable. We currently use FFI.

My thoughts were to create some sort of deletion accounts (global admin type accounts) which are only used when deletions need to be done and would require justification through a third-party system. How has everyone else got round this issue?

Kind Regards
HannesK
Product Manager
Posts: 14835
Liked: 3082 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: Veeam - Deletion Account - Permissions

Post by HannesK » 1 person likes this post

Hello,
> it will require us doing a synthetic full and effectively doubling our backup storage requirements

We have recommended for many years to use XFS / ReFS, where synthetic fulls are spaceless. The same applies to object storage with immutability / object lock.

> If multiple people, all have access to Veeam, then there is a risk that they can delete backups

Which permissions do these people need? For example, a "restore operator" does not have the permission to delete backups. In Enterprise Manager, one can also configure restore permissions per-machine.

Best regards,
Hannes

Post by rbbch »

Hello Hannes,

Thanks for that. We use XFS but I configured synthetic fulls and it did show as an extra backup within backup properties. Is this normal?

Kind Regards
Ben

Post by HannesK » 1 person likes this post

Hello,
yes, the GUI does not know about the space savings.

If you compare "du" vs. "df", you can see the space savings directly on the Linux box.

Best regards,
Hannes

Post by rbbch »

Fantastic, thank you!

Would we need to configure fast cloning first though?

Post by HannesK » 1 person likes this post

Hello,
yes, there is a checkbox: "use fast cloning on XFS"

Best regards,
Hannes

Post by rbbch »

Thanks. Just on the permissions.

We want to be able to edit jobs, start and stop them, and restore. But not delete. I don't think there is a permission for this?

Post by HannesK »

No. Just curious... what would be the benefit? I mean, I could just remove everything from a job instead of deleting the job itself and the result would be the same :-)

Post by rbbch »

Sorry, I mean unable to delete the job and the data inside of the job.

Post by HannesK » 1 person likes this post

Data is always outside the job, in the backups section :-)

Sounds like the "backup operator" role is pretty close. Allowing to "edit" a backup job would be almost allowing to "delete data" (if no immutability is used). Somebody could just set the retention window to 1 day. That deletes everything older than 1 day. Then he enables encryption and waits for one day.

I think "backup operator" and "Hardened Repository" is what meets all your needs.
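
The last post's point, that editing a job can have the same effect as deleting its data, suggests reviewing job edits the way deletions are reviewed. The following is an added example, not part of the thread and not Veeam code: it flags retention cuts and an encryption change that follows one, over constructed change records whose field names are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample of job-setting change records. The field names are
# hypothetical and do not reflect any real Veeam audit log format.
EVENTS = [
    {"time": "2024-05-01T09:00", "user": "ops1", "job": "SQL-Daily",
     "setting": "retention_days", "old": 30, "new": 31},
    {"time": "2024-05-02T22:10", "user": "ops2", "job": "FS-Daily",
     "setting": "retention_days", "old": 30, "new": 1},
    {"time": "2024-05-02T22:12", "user": "ops2", "job": "FS-Daily",
     "setting": "encryption", "old": False, "new": True},
    {"time": "2024-05-03T08:00", "user": "ops1", "job": "SQL-Daily",
     "setting": "encryption", "old": False, "new": True},
]

def risky_job_edits(events, shrink_ratio=0.5, window=timedelta(days=2)):
    """Return (severity, job, user, reason) for edits that act like deletion."""
    findings = []
    shrinks = {}  # job -> (time, user) of the most recent retention cut
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        job, user = ev["job"], ev["user"]
        if ev["setting"] == "retention_days" and ev["new"] < ev["old"]:
            # Restore points older than the new window go at the next run.
            sev = "high" if ev["new"] <= ev["old"] * shrink_ratio else "medium"
            findings.append((sev, job, user,
                             f"retention cut {ev['old']}d -> {ev['new']}d"))
            shrinks[job] = (when, user)
        elif ev["setting"] == "encryption" and ev["new"] and not ev["old"]:
            cut = shrinks.get(job)
            if cut and when - cut[0] <= window:
                # Same pattern as described in the post: cut, then encrypt.
                findings.append(("critical", job, user,
                                 f"encryption enabled after retention cut by {cut[1]}"))
            else:
                findings.append(("info", job, user, "encryption enabled"))
    return findings

if __name__ == "__main__":
    for finding in risky_job_edits(EVENTS):
        print(*finding, sep=" | ")
```

A check like this only reports after the edit has been made; it complements the immutable repository recommended in the thread rather than replacing it.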