Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
Post Reply
MichaelG7
Influencer
Posts: 16
Liked: 1 time
Joined: Jul 05, 2018 7:55 am
Full Name: Michael
Location: Germany
Contact:

Feature request: Bare Metal Restore Permission

Post by MichaelG7 »

When performing a bare metal restore I had to use our privileged backup admin user to access the repository. This lead to the fact that all agent backups are available.
To have access to any backup file for BMR you will at least need a user with "Veeam Restore Operator" role. You cannot further specify if this user can only restore specific backups or backups from specific repositories... (I tried to limit access to the repositories, but the restore user will always see all agent backups.)

I ask you to implement a delegation for the restore scope in case of BMR.

We have local IT stuff which should be capable to restore only specific workstations. But they should not be able to access agent backups of servers or other privileged machines.
HannesK
Product Manager
Posts: 15598
Liked: 3445 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Feature request: Bare Metal Restore Permission

Post by HannesK »

Hello,
the request makes sense, but I don't see improvements in the near future. RBAC is a complex topic that requires many changes at many points.

In the meantime, I'm thinking about whether the following workarounds could help you: create one repository per agent (with powershell). Multi-tenancy is also possible with Cloud-Connect-Enterprise, but this might be "too much".

Best regards,
Hannes
MichaelG7
Influencer
Posts: 16
Liked: 1 time
Joined: Jul 05, 2018 7:55 am
Full Name: Michael
Location: Germany
Contact:

Re: Feature request: Bare Metal Restore Permission

Post by MichaelG7 »

Hello,
thank you for the workaround. Unfortunately I was not able to use the "repository access permissions" in a meaningful way. Even if the user is not allowed for a specific repository, he is still able to see all backups. How is this feature supposed to work?

Best regards,
Michael
PTide
Product Manager
Posts: 6595
Liked: 805 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Feature request: Bare Metal Restore Permission

Post by PTide »

Hi,

First of all, do your agents operate in a standalone mode pointing to VBR repo, or they are managed by VBR (i.e. you've configured backup jobs on VBR side)

Thanks!
MichaelG7
Influencer
Posts: 16
Liked: 1 time
Joined: Jul 05, 2018 7:55 am
Full Name: Michael
Location: Germany
Contact:

Re: Feature request: Bare Metal Restore Permission

Post by MichaelG7 »

Our Agents are managed by VBR.
We only have one standalone agent, which we have not been able to configure with VBR, but this is another topic.
HannesK
Product Manager
Posts: 15598
Liked: 3445 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Feature request: Bare Metal Restore Permission

Post by HannesK »

I was not able to use the "repository access permissions" in a meaningful way
sorry, good point. I forgot that this only works for unmanaged agents (access permissions on the repository).
MichaelG7
Influencer
Posts: 16
Liked: 1 time
Joined: Jul 05, 2018 7:55 am
Full Name: Michael
Location: Germany
Contact:

Re: Feature request: Bare Metal Restore Permission

Post by MichaelG7 »

So the only option would be to run a second instance of VBR to limit the access? (This option would be way to too much..)

I hope that you will be able to implement the feature or at least make the "access permissions on the repository" feature work in case of BMR.

Thank you,
Michael
HannesK
Product Manager
Posts: 15598
Liked: 3445 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Feature request: Bare Metal Restore Permission

Post by HannesK »

or use unmanaged agents where each agent has it's own repository and only access to this one repository.
Post Reply

Who is online

Users browsing this forum: Bing [Bot] and 11 guests