-
- Lurker
- Posts: 2
- Liked: never
- Joined: May 28, 2020 4:03 pm
- Full Name: Douglas Swan
- Contact:
Roles in Veeam
Is there a possibility to connect Veeam to a central directory service to manage users and permissions? For example LDAP, Active Directory, Azure AD? If not, is there a possibility to export the currently created users and their permissions (e.g. in Excel, CSV file)?
We currently have 1 user group in AD that allows users to access our backup server, but these users are then manually added to the Veeam internal role Veeam Backup Administrator. Is there a possibility to create AD groups that are then automatically added to the other available roles in Veeam?
-
- VP, Product Management
- Posts: 7076
- Liked: 1510 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: Roles in Veeam
Yes, we are integrated in the Windows and Active Directory user control.
You can create one Active Directory Group for each role within Veeam and set it up.
Then add users and groups to these AD groups for giving them permission on the Veeam Server.
The Veeam Server needs to be a member of the AD so that you can look up the users and groups there.
It is best practice to NOT add Veeam to the AD group. It is to protect you from Ransomware better.
Another option is to create a separate shielded AD for the backup zone.
-
- VP, Product Management
- Posts: 7076
- Liked: 1510 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: Roles in Veeam
Another option is to use the SelfService capabilities of the Enterprise Manager. Then only this system gets connected to LDAP/AD for user selection.
-
- Lurker
- Posts: 2
- Liked: never
- Joined: May 28, 2020 4:03 pm
- Full Name: Douglas Swan
- Contact:
Re: Roles in Veeam
"It is best practice to NOT add Veeam to the AD group. It is to protect you from Ransomware better."
So user and group membership would have to be handled on the backup server itself. Is there a way to extract the users and groups from Veeam and deliver this information to an IAM software for user/rights provisioning?
-
- VP, Product Management
- Posts: 7076
- Liked: 1510 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: Roles in Veeam
Whether you add it to AD or to the IAM, it is the same issue. If one of the systems is compromised, it affects production and backup in the same way.
So the best practice, with all the ransomware plus manual hacker attacks in combination, is to avoid user rights management centralization.
And technically, yes, of course you can automate things.
https://helpcenter.veeam.com/docs/backu ... ml?ver=110
But to be honest, I would not use this option. Usually any IAM can handle Windows users and groups.
So I would create groups in the local Windows and give them the needed rights within Veeam user management.
Then your IAM can just handle Windows user creation and group membership, which any IAM should be able to do.
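An audit sketch for the local-group approach described in the post above, added here as an example and not taken from the poster or from Veeam. It exports the members of the local Windows groups mapped to Veeam roles to CSV for IAM reconciliation, and flags any member that comes from a central directory. The group names, the CSV path and the function name are hypothetical, and the script assumes the groups were already assigned to their roles in Veeam's user management.

```powershell
# Added example: run on the backup server in an elevated Windows PowerShell session.
# Group names are hypothetical; the role labels are only annotations for the report.
$RoleGroups = [ordered]@{
    'Veeam-BackupAdmins'     = 'Veeam Backup Administrator'
    'Veeam-RestoreOperators' = 'Veeam Restore Operator'
}

function Get-RoleGroupReport {
    param([System.Collections.IDictionary]$Groups)

    foreach ($name in $Groups.Keys) {
        try {
            # -ErrorAction Stop turns a missing group or an unresolvable
            # member into a catchable error instead of a silent gap.
            $members = Get-LocalGroupMember -Name $name -ErrorAction Stop
        }
        catch {
            Write-Warning "Could not read local group '$name': $($_.Exception.Message)"
            continue
        }

        foreach ($m in $members) {
            [pscustomobject]@{
                Server          = $env:COMPUTERNAME
                LocalGroup      = $name
                VeeamRole       = $Groups[$name]
                Member          = $m.Name
                ObjectClass     = $m.ObjectClass
                PrincipalSource = $m.PrincipalSource
                SID             = $m.SID.Value
                # A member not sourced from the local SAM ties backup
                # access to a directory shared with production.
                Centralized     = ($m.PrincipalSource -ne 'Local')
            }
        }
    }
}

$report = @(Get-RoleGroupReport -Groups $RoleGroups)

# Hypothetical output path; hand this file to the IAM for reconciliation.
$report | Export-Csv -Path .\veeam-role-groups.csv -NoTypeInformation -Encoding UTF8

# Show only the entries that reintroduce centralized rights management.
$report | Where-Object Centralized |
    Format-Table LocalGroup, VeeamRole, Member, PrincipalSource -AutoSize
```

Running it on a schedule and comparing the CSV against the IAM's expected membership surfaces accounts added to a role group outside the provisioning process.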
-
- VP, Product Management
- Posts: 7076
- Liked: 1510 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: Roles in Veeam
For the guest processing of the production VMs, you can also use an IAM to do frequent, maybe even random, password changes.
https://helpcenter.veeam.com/docs/backu ... ml?ver=110
I have a customer that resets the passwords used for guest processing on the production server locally every day and updates the same random password within Veeam through IAM (with the above PowerShell commands).