Veeam - Deletion Account - Permissions

rbbch · Post by **rbbch** » Nov 21, 2022 10:43 am this post

Hello All,

Hope everyone is well.

Hoping to try and get somewhere with this OR see how others have got it configured. Data loss is a real concern for me. Veeam permissions are pretty poor as it seems you can only really give all or nothing, it's not granular at all like vSphere. If multiple people, all have access to Veeam, then there is a risk that they can delete backups. Immutability is something we would use, but because it requires forward incremental, it will require us doing a synthetic full and effectively doubling our backup storage requirements. We have a massive number of backups so this wouldn't be suitable. We currently use FFI.

My thoughts were to create some sort of deletion accounts (global admin type accounts) which are only used when deletions need to be done and would require justification through a third-party system. How has everyone else got round this issue?

Kind Regards

Nov 22, 2022 6:17 am

Hello,

it will require us doing a synthetic full and effectively doubling our backup storage requirements

we recommend since many years to use XFS / REFS, where synthetic fulls are spaceless. The same applies for object storage with immutability / object lock.

If multiple people, all have access to Veeam, then there is a risk that they can delete backups

Which permissions do these people need? For example a "restore operator" does not have the permission to delete backups. In Enterprise Manager, one can also configure restore permissions per-machine.

Best regards,
Hannes

rbbch · Post by **rbbch** » Nov 22, 2022 9:05 am this post

Hello Hannes,

Thanks for that. We use XFS but I configured synthetic fulls and it did show as an extra backup within backup properties. Is this normal?

Kind Regards
Ben

Nov 22, 2022 11:57 am

Hello,
yes, the GUI does not know about the space savings.

If you do compare "du" vs. "df", you can see the space savings directly on the Linux box

Best regards,
Hannes

rbbch · Post by **rbbch** » Nov 22, 2022 4:06 pm this post

Fantastic, thank you!

Would we need to configure fast cloning first though?

Nov 22, 2022 4:37 pm

Hello,
yes, there is a checkbox: "use fast cloning on XFS"

Best regards,
Hannes

rbbch · Post by **rbbch** » Nov 23, 2022 9:42 am this post

Thanks. Just on the permissions.

We want to be able to edit jobs, start stop them and restore. But not delete. I don't think there is a permission for this?

Post by **HannesK** » Nov 23, 2022 12:34 pm this post

no. just curious... what would be the benefit? I mean, I could just remove everything from a job instead of deleting the job itself and and the result would be the same

rbbch · Post by **rbbch** » Nov 23, 2022 2:16 pm this post

Sorry I mean unable to delete job and data inside of job.

Nov 23, 2022 3:16 pm

data is always outside the job, in the backups section

sounds like the "backup operator" role is pretty close. Allowing to "edit" a backup job would be almost allowing to "delete data" (if no immutability is used). Somebody could just set the retention window to 1 day. That deletes everything older 1 day. Then he enables encryption and waits for one day.

I think "backup operator" and "Hardened Repository" is what meets all your needs.

R&D Forums

Veeam - Deletion Account - Permissions

Re: Veeam - Deletion Account - Permissions

Re: Veeam - Deletion Account - Permissions

Re: Veeam - Deletion Account - Permissions

Re: Veeam - Deletion Account - Permissions

Re: Veeam - Deletion Account - Permissions

Re: Veeam - Deletion Account - Permissions

Re: Veeam - Deletion Account - Permissions

Re: Veeam - Deletion Account - Permissions

Re: Veeam - Deletion Account - Permissions

Who is online