VBR "users and role" utility

VMware specific discussions

Re: VBR "users and role" utility

Veeam Logoby dragos.rosu » Wed Jan 08, 2014 12:16 pm 8 people like this post

I really hope this post will eventually help someone. These days we had tried to find a way to implement "Users and Roles" Veeam feature into our environment (each of our VBRs are Win2k8 R2, 64 bit -mixed installation of Veeam 6.5 and Veeam 7 ) and we digged deep to find how.

Roles and functions In Veeam 7.0:
Veeam Restore Operator - Can perform restore operations using existing backups and replicas. ONLY
Veeam Backup Viewer - Has the “read-only” access to Veeam Backup & Replication — can view existing and performed jobs and review the job session details.
Veeam Backup Operator - Can start and stop existing jobs. BUT can't use Restore Option
Veeam Backup Administrator -Can perform all administrative activities in Veeam Backup & Replication.
Note:If you need a user to Start/Stop jobs and Restore u need to add it in "Users and Roles" Veeam feature two times - as Backup Operator and Restore Operator.

Note: Another thing we found out is when installing Veeam 6.0 and 6.5 it deploys the DB in MSSQL2005 and when we install Veeam 7.0 it deploys the DB in MSSQl2008R2, so we had two slightly different cases to configure.If you upgraded from 6.0 or 6.5 to 7.0 the DB remains the same in MSSQL2005.

1. For Veeam 6.0, 6.5, 7.0 with MSSQL2005:
-*-go to Veeam under Users and Roles and add the user you need access for.

-*-go to Computer Management->System Tools->Local Users and Groups ->Groups:
a. Add the user you need access for in the built-in group that is created by Veeam named: SQLServer2005MSSQLUser$VBR_NAme$VEEAM -> where VBR_name is the name of the computer where Veeam is installed;
b. Add the user to a remote users group if your environment has this;
c. Add the user to a group that can override security restrictions but is not Administrator, otherwise when you try to make a restore the user will have access only to the files from drive C: and on the rest of the drives it will get the Error: Access is Denied;
Note: I don't know exactly what kind of access must have the group from the point C. because we already had a built-in group only for restore purposes.
d. Finish, try to log in.

2. For Veeam 7.0 with MSSQL2008R2:
-*-go to Veeam under Users and Roles and add the user you need access for.

-*-go to Computer Management->System Tools->Local Users and Groups ->Groups:
a. Add the user u need acces for in the built-in group that is created by Veeam named: ServerMSSQLUser$VBR_Name$VEEAMSQL2008R2 -> where VBR_name is the name of the computer where Veeam is installed;
b. Add the user to a remote users group if your environment has this;
c. Add the user to a group that can override security restrictions but is not Administrator, otherwise when you try to make a restore the user will have access only to the files from drive C: and on the rest of the drives it will get the Error: Access is Denied.
Note: I don't know exactly what kind of access must have the group from the point C. because we had a build in group only for restore purposes.go to Veeam under Users and Roles and add the user you need acces for.

-*-Install Microsoft® SQL Server® 2008 Management Studio Express -> http://www.microsoft.com/en-us/download ... px?id=7593

-*-Login to the VeeamDB go to Security -> Logins -> New Login. At the Login - New page :
a.go to General -> Search and add the user you need access for;
b. go to User Mapping -> check the check-box at Map where the VeeamBackup is displayed, then database role membership for: VeeamBackup can be modified;
c. check db_owner at Database role membership for VeeamBackup;
d. Hit Ok and you Finished, try to log in.
dragos.rosu
Novice
 
Posts: 9
Liked: 9 times
Joined: Wed Oct 23, 2013 1:10 pm
Full Name: Dragos Rosu

Re: VBR "users and role" utility

Veeam Logoby Vitaliy S. » Wed Jan 08, 2014 12:20 pm

Dragos, thank you for re-using the existing topic and sharing this post with the community.
Vitaliy S.
Veeam Software
 
Posts: 19564
Liked: 1103 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: VBR "users and role" utility

Veeam Logoby liviu.tutuianu » Wed Jan 08, 2014 1:35 pm

dragos.rosu wrote:c. Add the user to a group that can override security restrictions but is not Administrator, otherwise when you try to make a restore the user will have access only to the files from drive C: and on the rest of the drives it will get the Error: Access is Denied;
Note: I don't know exactly what kind of access must have the group from the point C. because we already had a built-in group only for restore purposes.
-> The built-in Backup Operators group is the most suitable..

@Dragos: Excellent work.

All the best,
Liviu
liviu.tutuianu
Enthusiast
 
Posts: 40
Liked: never
Joined: Mon Jul 09, 2012 8:17 am
Full Name: Liviu Tutuianu

Re: VBR "users and role" utility

Veeam Logoby Andreas Neufert » Wed Jan 08, 2014 2:08 pm

Again thank you for sharing this. Looking forward to the next Call/Meeting. CU Andy
Andreas Neufert
Veeam Software
 
Posts: 2201
Liked: 360 times
Joined: Wed May 04, 2011 8:36 am
Location: Germany
Full Name: @AndyandtheVMs Veeam PM

Re: VBR "users and role" utility

Veeam Logoby brunofernandez » Tue Jan 28, 2014 2:16 pm

thank you for sharing your information with us.
but I still recieve the User Account Control pop up and can't open the Veeam console with user whitch are not local admins :cry:

Edit: I also added the User Group to the Backup Operators local group but no chance
brunofernandez
Novice
 
Posts: 9
Liked: never
Joined: Fri Dec 27, 2013 11:11 am
Full Name: Bruno Fernandez

Re: VBR "users and role" utility

Veeam Logoby MarcoZ » Thu Feb 06, 2014 1:42 pm

brunofernandez wrote:thank you for sharing your information with us.
but I still recieve the User Account Control pop up and can't open the Veeam console with user whitch are not local admins :cry:

Edit: I also added the User Group to the Backup Operators local group but no chance

Some problem here and I don't want the Restore Operators to be local admin on the server.

Any idea how to get this to work?
MarcoZ
Novice
 
Posts: 3
Liked: never
Joined: Thu Feb 06, 2014 1:34 pm
Full Name: Marco Zoutewelle

Re: VBR "users and role" utility

Veeam Logoby Vitaliy S. » Thu Feb 06, 2014 2:11 pm

Local admin account is required to open Veeam backup console, however you can use Enterprise Manager to perform FLR restores. In this case you don't need to add your account to the local admin group on the backup server.
Vitaliy S.
Veeam Software
 
Posts: 19564
Liked: 1103 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: VBR "users and role" utility

Veeam Logoby brunofernandez » Thu Feb 06, 2014 4:00 pm

Vitaliy S. wrote:Unfortunately, I'm not aware of any workarounds, but we are going to address this in the next releases.

Vitaliy said to me that they will resolv this problem in the next releases :wink:
brunofernandez
Novice
 
Posts: 9
Liked: never
Joined: Fri Dec 27, 2013 11:11 am
Full Name: Bruno Fernandez

Re: VBR "users and role" utility

Veeam Logoby MarcoZ » Fri Feb 07, 2014 10:18 am

Vitaliy S. wrote:Local admin account is required to open Veeam backup console, however you can use Enterprise Manager to perform FLR restores. In this case you don't need to add your account to the local admin group on the backup server.

but for Enterprise Manager you need enterprise licenses before you can use the restore option :(
MarcoZ
Novice
 
Posts: 3
Liked: never
Joined: Thu Feb 06, 2014 1:34 pm
Full Name: Marco Zoutewelle

Re: VBR "users and role" utility

Veeam Logoby Vitaliy S. » Fri Feb 07, 2014 10:22 am

Enterprise Manager itself does not require enterprise license edition, however in order to use 1-click FLR you should have either Enterprise or Enterprise Plus edition.
Vitaliy S.
Veeam Software
 
Posts: 19564
Liked: 1103 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: VBR "users and role" utility

Veeam Logoby MarcoZ » Fri Feb 07, 2014 10:52 am

Vitaliy S. wrote:Enterprise Manager itself does not require enterprise license edition, however in order to use 1-click FLR you should have either Enterprise or Enterprise Plus edition.

Yeah that's the problem, we use Standard licenses. So for now I should give the restore operators local admin rights to the server. Hopefully this will be changed in future releases
MarcoZ
Novice
 
Posts: 3
Liked: never
Joined: Thu Feb 06, 2014 1:34 pm
Full Name: Marco Zoutewelle

Re: VBR "users and role" utility

Veeam Logoby Ben Milligan » Tue Feb 11, 2014 1:53 pm 1 person likes this post

Thank you, Dragos, for your post. We have created a KB article as well that describes these roles as well.

http://www.veeam.com/kb1853

Thanks!
Ben Milligan
Veeam Software
 
Posts: 170
Liked: 37 times
Joined: Sun Jan 01, 2006 1:01 am

[MERGED] Permissions

Veeam Logoby r1819m » Thu Feb 13, 2014 9:53 pm

I am trying to give a group of people read only access in Veeam. Which is a very easy setup in Veeam BUT the problem starts with local server access. I really do not want to give the local admin access but seems like i might have to in order to start veeam. I am hosting veeam on server 2008 R2. Anyone have any advise or know a fix? thanks!
r1819m
Lurker
 
Posts: 1
Liked: never
Joined: Thu Feb 13, 2014 9:47 pm
Full Name: Ryan Muehling

Re: VBR "users and role" utility

Veeam Logoby foggy » Fri Feb 14, 2014 5:29 am

Ryan, please review this thread for some hints and feel free to ask if any clarification is required. Thanks.
foggy
Veeam Software
 
Posts: 14743
Liked: 1081 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: VBR "users and role" utility

Veeam Logoby wilkins44 » Fri Mar 11, 2016 5:58 pm

Sorry to dig up an old post, but did the permissions change for some of the roles with V8?

I've got a group of operators that monitor the status and completion of our backup jobs. They will occasionally need to start or stop jobs, so Backup Operator is the role that they've got now. In V7 we gave them the Backup Operator role, and they were able to import and export tapes. We did the same thing for V8, but now they can't do the import or export. The only other change is that we are using the tape proxy feature on the repository instead of connecting the B&R up to the autoloader.

I'm able to import and export as an administrator, but I'd like to get things set up so I don't have to do this for them every week.

I'd rather not give them Restore Operator permissions since they don't do any restores, but if that's the only option...
wilkins44
Enthusiast
 
Posts: 28
Liked: 5 times
Joined: Tue Sep 24, 2013 11:17 am
Full Name: Jay Wilkins

PreviousNext

Return to VMware vSphere



Who is online

Users browsing this forum: DGrinev and 36 guests