-
- Influencer
- Posts: 18
- Liked: never
- Joined: Mar 16, 2022 12:44 pm
- Full Name: Ben Curtis-Haigh
- Contact:
Veeam - Deletion Account - Permissions
Hello All,
Hope everyone is well.
Hoping to try and get somewhere with this OR see how others have got it configured. Data loss is a real concern for me. Veeam permissions are pretty poor as it seems you can only really give all or nothing, it's not granular at all like vSphere. If multiple people, all have access to Veeam, then there is a risk that they can delete backups. Immutability is something we would use, but because it requires forward incremental, it will require us doing a synthetic full and effectively doubling our backup storage requirements. We have a massive number of backups so this wouldn't be suitable. We currently use FFI.
My thoughts were to create some sort of deletion accounts (global admin type accounts) which are only used when deletions need to be done and would require justification through a third-party system. How has everyone else got round this issue?
Kind Regards
Hope everyone is well.
Hoping to try and get somewhere with this OR see how others have got it configured. Data loss is a real concern for me. Veeam permissions are pretty poor as it seems you can only really give all or nothing, it's not granular at all like vSphere. If multiple people, all have access to Veeam, then there is a risk that they can delete backups. Immutability is something we would use, but because it requires forward incremental, it will require us doing a synthetic full and effectively doubling our backup storage requirements. We have a massive number of backups so this wouldn't be suitable. We currently use FFI.
My thoughts were to create some sort of deletion accounts (global admin type accounts) which are only used when deletions need to be done and would require justification through a third-party system. How has everyone else got round this issue?
Kind Regards
-
- Product Manager
- Posts: 14818
- Liked: 3074 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Veeam - Deletion Account - Permissions
Hello,
Best regards,
Hannes
we recommend since many years to use XFS / REFS, where synthetic fulls are spaceless. The same applies for object storage with immutability / object lock.it will require us doing a synthetic full and effectively doubling our backup storage requirements
Which permissions do these people need? For example a "restore operator" does not have the permission to delete backups. In Enterprise Manager, one can also configure restore permissions per-machine.If multiple people, all have access to Veeam, then there is a risk that they can delete backups
Best regards,
Hannes
-
- Influencer
- Posts: 18
- Liked: never
- Joined: Mar 16, 2022 12:44 pm
- Full Name: Ben Curtis-Haigh
- Contact:
Re: Veeam - Deletion Account - Permissions
Hello Hannes,
Thanks for that. We use XFS but I configured synthetic fulls and it did show as an extra backup within backup properties. Is this normal?
Kind Regards
Ben
Thanks for that. We use XFS but I configured synthetic fulls and it did show as an extra backup within backup properties. Is this normal?
Kind Regards
Ben
-
- Product Manager
- Posts: 14818
- Liked: 3074 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Veeam - Deletion Account - Permissions
Hello,
yes, the GUI does not know about the space savings.
If you do compare "du" vs. "df", you can see the space savings directly on the Linux box
Best regards,
Hannes
yes, the GUI does not know about the space savings.
If you do compare "du" vs. "df", you can see the space savings directly on the Linux box
Best regards,
Hannes
-
- Influencer
- Posts: 18
- Liked: never
- Joined: Mar 16, 2022 12:44 pm
- Full Name: Ben Curtis-Haigh
- Contact:
Re: Veeam - Deletion Account - Permissions
Fantastic, thank you!
Would we need to configure fast cloning first though?
Would we need to configure fast cloning first though?
-
- Product Manager
- Posts: 14818
- Liked: 3074 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
-
- Influencer
- Posts: 18
- Liked: never
- Joined: Mar 16, 2022 12:44 pm
- Full Name: Ben Curtis-Haigh
- Contact:
Re: Veeam - Deletion Account - Permissions
Thanks. Just on the permissions.
We want to be able to edit jobs, start stop them and restore. But not delete. I don't think there is a permission for this?
We want to be able to edit jobs, start stop them and restore. But not delete. I don't think there is a permission for this?
-
- Product Manager
- Posts: 14818
- Liked: 3074 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Veeam - Deletion Account - Permissions
no. just curious... what would be the benefit? I mean, I could just remove everything from a job instead of deleting the job itself and and the result would be the same
-
- Influencer
- Posts: 18
- Liked: never
- Joined: Mar 16, 2022 12:44 pm
- Full Name: Ben Curtis-Haigh
- Contact:
Re: Veeam - Deletion Account - Permissions
Sorry I mean unable to delete job and data inside of job.
-
- Product Manager
- Posts: 14818
- Liked: 3074 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Veeam - Deletion Account - Permissions
data is always outside the job, in the backups section
sounds like the "backup operator" role is pretty close. Allowing to "edit" a backup job would be almost allowing to "delete data" (if no immutability is used). Somebody could just set the retention window to 1 day. That deletes everything older 1 day. Then he enables encryption and waits for one day.
I think "backup operator" and "Hardened Repository" is what meets all your needs.
sounds like the "backup operator" role is pretty close. Allowing to "edit" a backup job would be almost allowing to "delete data" (if no immutability is used). Somebody could just set the retention window to 1 day. That deletes everything older 1 day. Then he enables encryption and waits for one day.
I think "backup operator" and "Hardened Repository" is what meets all your needs.
Who is online
Users browsing this forum: Bing [Bot], mdippold and 73 guests