Comprehensive data protection for all workloads
Post Reply
rbbch
Influencer
Posts: 18
Liked: never
Joined: Mar 16, 2022 12:44 pm
Full Name: Ben Curtis-Haigh
Contact:

Veeam - Deletion Account - Permissions

Post by rbbch »

Hello All,

Hope everyone is well.

Hoping to try and get somewhere with this OR see how others have got it configured. Data loss is a real concern for me. Veeam permissions are pretty poor as it seems you can only really give all or nothing, it's not granular at all like vSphere. If multiple people, all have access to Veeam, then there is a risk that they can delete backups. Immutability is something we would use, but because it requires forward incremental, it will require us doing a synthetic full and effectively doubling our backup storage requirements. We have a massive number of backups so this wouldn't be suitable. We currently use FFI.

My thoughts were to create some sort of deletion accounts (global admin type accounts) which are only used when deletions need to be done and would require justification through a third-party system. How has everyone else got round this issue?

Kind Regards
HannesK
Product Manager
Posts: 14818
Liked: 3074 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Veeam - Deletion Account - Permissions

Post by HannesK » 1 person likes this post

Hello,
it will require us doing a synthetic full and effectively doubling our backup storage requirements
we recommend since many years to use XFS / REFS, where synthetic fulls are spaceless. The same applies for object storage with immutability / object lock.
If multiple people, all have access to Veeam, then there is a risk that they can delete backups
Which permissions do these people need? For example a "restore operator" does not have the permission to delete backups. In Enterprise Manager, one can also configure restore permissions per-machine.

Best regards,
Hannes
rbbch
Influencer
Posts: 18
Liked: never
Joined: Mar 16, 2022 12:44 pm
Full Name: Ben Curtis-Haigh
Contact:

Re: Veeam - Deletion Account - Permissions

Post by rbbch »

Hello Hannes,

Thanks for that. We use XFS but I configured synthetic fulls and it did show as an extra backup within backup properties. Is this normal?

Kind Regards
Ben
HannesK
Product Manager
Posts: 14818
Liked: 3074 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Veeam - Deletion Account - Permissions

Post by HannesK » 1 person likes this post

Hello,
yes, the GUI does not know about the space savings.

If you do compare "du" vs. "df", you can see the space savings directly on the Linux box

Best regards,
Hannes
rbbch
Influencer
Posts: 18
Liked: never
Joined: Mar 16, 2022 12:44 pm
Full Name: Ben Curtis-Haigh
Contact:

Re: Veeam - Deletion Account - Permissions

Post by rbbch »

Fantastic, thank you!

Would we need to configure fast cloning first though?
HannesK
Product Manager
Posts: 14818
Liked: 3074 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Veeam - Deletion Account - Permissions

Post by HannesK » 1 person likes this post

Hello,
yes, there is a checkbox: "use fast cloning on XFS"

Best regards,
Hannes
rbbch
Influencer
Posts: 18
Liked: never
Joined: Mar 16, 2022 12:44 pm
Full Name: Ben Curtis-Haigh
Contact:

Re: Veeam - Deletion Account - Permissions

Post by rbbch »

Thanks. Just on the permissions.

We want to be able to edit jobs, start stop them and restore. But not delete. I don't think there is a permission for this?
HannesK
Product Manager
Posts: 14818
Liked: 3074 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Veeam - Deletion Account - Permissions

Post by HannesK »

no. just curious... what would be the benefit? I mean, I could just remove everything from a job instead of deleting the job itself and and the result would be the same :-)
rbbch
Influencer
Posts: 18
Liked: never
Joined: Mar 16, 2022 12:44 pm
Full Name: Ben Curtis-Haigh
Contact:

Re: Veeam - Deletion Account - Permissions

Post by rbbch »

Sorry I mean unable to delete job and data inside of job.
HannesK
Product Manager
Posts: 14818
Liked: 3074 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Veeam - Deletion Account - Permissions

Post by HannesK » 1 person likes this post

data is always outside the job, in the backups section :-)

sounds like the "backup operator" role is pretty close. Allowing to "edit" a backup job would be almost allowing to "delete data" (if no immutability is used). Somebody could just set the retention window to 1 day. That deletes everything older 1 day. Then he enables encryption and waits for one day.

I think "backup operator" and "Hardened Repository" is what meets all your needs.
Post Reply

Who is online

Users browsing this forum: Bing [Bot], mdippold and 73 guests