Discussions specific to the VMware vSphere hypervisor
casaubon
Novice
Posts: 7
Liked: never
Joined: Jan 26, 2012 3:54 pm
Full Name: Antoine
Contact:

VBR "users and role" utility

Post by casaubon » May 04, 2012 9:33 am

Hello,

does anyone use users with the "tools > users and roles" utility ?

i don't understand how it works : i tried to grant a local user VBR6SRV\test with for example the operator role but when i connect to the VBR server (mstsc) with this user:
- I cannot open the VBR console, it's asking me the administrator password
- I cannot use the PowerShell cmdlet as it doesn't work if the user don't have admin right

you will find here the PS error :

Code: Select all

PS C:\Users\test> Add-PSSnapin VeeamPSSnapIn
PS C:\Users\test>
PS C:\Users\test> Get-VBRBackup
Get-VBRBackup : SQL server is not available
At line:1 char:14
+ Get-VBRBackup <<<<
    + CategoryInfo          : InvalidOperation: (Veeam.Backup.Po...nd.GetVBRBackup:GetVBRBackup) [Get-VBRBackup], CApp
   Exception
    + FullyQualifiedErrorId : Backup,Veeam.Backup.PowerShell.Command.GetVBRBackup
so does it make a sense to use this feature ?

Thx for your help !

foggy
Veeam Software
Posts: 17931
Liked: 1512 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: VBR "users and role' utility

Post by foggy » May 04, 2012 10:09 am

Hello, Antoine. The local user you are assigning the operator role to should have access to the Veeam SQL database to be able to open console and perform any actions within it. Once the user gets the DB access, it will be able to open console and start/stop existing jobs (if we are talking about Backup Operator role), but will not be able to perform any other administrative activities.

casaubon
Novice
Posts: 7
Liked: never
Joined: Jan 26, 2012 3:54 pm
Full Name: Antoine
Contact:

Re: VBR "users and role' utility

Post by casaubon » May 04, 2012 2:45 pm

Should this user have a "db_owner" database access or less ?

foggy
Veeam Software
Posts: 17931
Liked: 1512 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: VBR "users and role' utility

Post by foggy » May 04, 2012 3:25 pm

Yes, should have db_owner.

liviu.tutuianu
Enthusiast
Posts: 40
Liked: never
Joined: Jul 09, 2012 8:17 am
Full Name: Liviu Tutuianu
Contact:

Re: VBR "users and role" utility

Post by liviu.tutuianu » Dec 11, 2013 8:46 am

Hello,

Starting from this thread, I see that in v7 we have these roles defined on VBR:

Backup Administrator - Can perform all administrative activities in Veeam Backup & Replication
Backup Operator - Can start and stop existing jobs and perform restore operations
Backup Viewer - Has the “read-only” access to Veeam Backup & Replication – can view existing and performed jobs and review the job session details
Restore Operator - Can perform restore operations using existing backups and replicas

Now, If I want to grant to some AD users access to restore files, but also to start/stop existing backup/replication jobs, I need to add them to both Backup Operator and Restore Operator groups, right?

Also, you say that these users should have db_owner. Could you be more explicit how can I assign theses permissions to my AD users? I am not familiarized with SQL statements. Each of our VBRs are Win2k8 R2, 64 bit, with Veeeam 7 with default installation.

Also, do you know if it possible to assign certain users with the rights from above only on some jobs?

Thanks in advance for your kind feedback,
Liviu

foggy
Veeam Software
Posts: 17931
Liked: 1512 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: VBR "users and role" utility

Post by foggy » Dec 11, 2013 10:43 am

liviu.tutuianu wrote:Now, If I want to grant to some AD users access to restore files, but also to start/stop existing backup/replication jobs, I need to add them to both Backup Operator and Restore Operator groups, right?
Backup Operator role can perform restore operations, as it is stated in your post, so no need to assign second role.
liviu.tutuianu wrote:Also, you say that these users should have db_owner. Could you be more explicit how can I assign theses permissions to my AD users? I am not familiarized with SQL statements.
Just give the corresponding AD user db_owner role in SQL Server Management Studio.
liviu.tutuianu wrote:Also, do you know if it possible to assign certain users with the rights from above only on some jobs?
No, this is not possible with the current security model.

brunofernandez
Novice
Posts: 9
Liked: never
Joined: Dec 27, 2013 11:11 am
Full Name: Bruno Fernandez
Contact:

[MERGED] Problems with Veeam B&R Console

Post by brunofernandez » Dec 27, 2013 11:24 am

Hey there :D

I'm actually configuring Veeam to allow other persons to have access to the VBR Console.
So i created a Domain Group and putted the group in the server local "Remote Desktop User" group. btw. Veeam and the vCenter is installed on the same Server. This is the reason why o don't want to give them more rights than "RDP"
In Veeam I gave them the "Veeam Backup Viewer Role".
Image

Now, when they trie to open the Console the UAC is asking for a Admin Account. Why is VBR asking for a Admin Account when I only trie to open the console?
Image
Is there another way to allow my users to start the VBR console without to give them local admin rights?

Regards
Bruno

Vitaliy S.
Product Manager
Posts: 22694
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: VBR "users and role" utility

Post by Vitaliy S. » Dec 27, 2013 11:39 am

Hi Bruno,

Does the account you're trying to use have access to Veeam configuration database?

Thanks!

brunofernandez
Novice
Posts: 9
Liked: never
Joined: Dec 27, 2013 11:11 am
Full Name: Bruno Fernandez
Contact:

Re: VBR "users and role" utility

Post by brunofernandez » Dec 27, 2013 11:43 am

Hi Vitaliy

Thanks for the quick reply and for moving my post.
No, the user/group is not allowed. What permissions do I have to give to them?

Regards
Bruno

Vitaliy S.
Product Manager
Posts: 22694
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: VBR "users and role" utility

Post by Vitaliy S. » Dec 27, 2013 11:50 am

I believe the permissions should be the following, read/write access might also do the trick:
foggy wrote:Yes, should have db_owner.

brunofernandez
Novice
Posts: 9
Liked: never
Joined: Dec 27, 2013 11:11 am
Full Name: Bruno Fernandez
Contact:

Re: VBR "users and role" utility

Post by brunofernandez » Dec 27, 2013 12:00 pm

i just gave db_owner permission to the group. Still same problem.
i think this is a UAC problem. because when I add the User to the local admin group I can open the console without having permissions on the database :roll:

Vitaliy S.
Product Manager
Posts: 22694
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: VBR "users and role" utility

Post by Vitaliy S. » Dec 27, 2013 12:11 pm

I have double-checked and you're right local admin account is required to open Veeam backup console. Local admin account is also required when you run FLR sessions.

brunofernandez
Novice
Posts: 9
Liked: never
Joined: Dec 27, 2013 11:11 am
Full Name: Bruno Fernandez
Contact:

Re: VBR "users and role" utility

Post by brunofernandez » Dec 27, 2013 12:21 pm

is there a way to change this? I dont wan't to allow this users to have local admin access.
on the same server i have sql server, vcenter and veeam installed. :oops:

Vitaliy S.
Product Manager
Posts: 22694
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: VBR "users and role" utility

Post by Vitaliy S. » Dec 27, 2013 12:30 pm

Unfortunately, I'm not aware of any workarounds, but we are going to address this in the next releases.

brunofernandez
Novice
Posts: 9
Liked: never
Joined: Dec 27, 2013 11:11 am
Full Name: Bruno Fernandez
Contact:

Re: VBR "users and role" utility

Post by brunofernandez » Dec 27, 2013 12:36 pm

yes, this would be nice.
because with our environment constellation we can't use "Users and Roles" as long as the console must be opened with admin privileges.

dragos.rosu
Novice
Posts: 9
Liked: 9 times
Joined: Oct 23, 2013 1:10 pm
Full Name: Dragos Rosu
Contact:

Re: VBR "users and role" utility

Post by dragos.rosu » Jan 08, 2014 12:16 pm 8 people like this post

I really hope this post will eventually help someone. These days we had tried to find a way to implement "Users and Roles" Veeam feature into our environment (each of our VBRs are Win2k8 R2, 64 bit -mixed installation of Veeam 6.5 and Veeam 7 ) and we digged deep to find how.

Roles and functions In Veeam 7.0:
Veeam Restore Operator - Can perform restore operations using existing backups and replicas. ONLY
Veeam Backup Viewer - Has the “read-only” access to Veeam Backup & Replication — can view existing and performed jobs and review the job session details.
Veeam Backup Operator - Can start and stop existing jobs. BUT can't use Restore Option
Veeam Backup Administrator -Can perform all administrative activities in Veeam Backup & Replication.
Note:If you need a user to Start/Stop jobs and Restore u need to add it in "Users and Roles" Veeam feature two times - as Backup Operator and Restore Operator.

Note: Another thing we found out is when installing Veeam 6.0 and 6.5 it deploys the DB in MSSQL2005 and when we install Veeam 7.0 it deploys the DB in MSSQl2008R2, so we had two slightly different cases to configure.If you upgraded from 6.0 or 6.5 to 7.0 the DB remains the same in MSSQL2005.

1. For Veeam 6.0, 6.5, 7.0 with MSSQL2005:
-*-go to Veeam under Users and Roles and add the user you need access for.

-*-go to Computer Management->System Tools->Local Users and Groups ->Groups:
a. Add the user you need access for in the built-in group that is created by Veeam named: SQLServer2005MSSQLUser$VBR_NAme$VEEAM -> where VBR_name is the name of the computer where Veeam is installed;
b. Add the user to a remote users group if your environment has this;
c. Add the user to a group that can override security restrictions but is not Administrator, otherwise when you try to make a restore the user will have access only to the files from drive C: and on the rest of the drives it will get the Error: Access is Denied;
Note: I don't know exactly what kind of access must have the group from the point C. because we already had a built-in group only for restore purposes.
d. Finish, try to log in.

2. For Veeam 7.0 with MSSQL2008R2:
-*-go to Veeam under Users and Roles and add the user you need access for.

-*-go to Computer Management->System Tools->Local Users and Groups ->Groups:
a. Add the user u need acces for in the built-in group that is created by Veeam named: ServerMSSQLUser$VBR_Name$VEEAMSQL2008R2 -> where VBR_name is the name of the computer where Veeam is installed;
b. Add the user to a remote users group if your environment has this;
c. Add the user to a group that can override security restrictions but is not Administrator, otherwise when you try to make a restore the user will have access only to the files from drive C: and on the rest of the drives it will get the Error: Access is Denied.
Note: I don't know exactly what kind of access must have the group from the point C. because we had a build in group only for restore purposes.go to Veeam under Users and Roles and add the user you need acces for.

-*-Install Microsoft® SQL Server® 2008 Management Studio Express -> http://www.microsoft.com/en-us/download ... px?id=7593

-*-Login to the VeeamDB go to Security -> Logins -> New Login. At the Login - New page :
a.go to General -> Search and add the user you need access for;
b. go to User Mapping -> check the check-box at Map where the VeeamBackup is displayed, then database role membership for: VeeamBackup can be modified;
c. check db_owner at Database role membership for VeeamBackup;
d. Hit Ok and you Finished, try to log in.

Vitaliy S.
Product Manager
Posts: 22694
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: VBR "users and role" utility

Post by Vitaliy S. » Jan 08, 2014 12:20 pm

Dragos, thank you for re-using the existing topic and sharing this post with the community.

liviu.tutuianu
Enthusiast
Posts: 40
Liked: never
Joined: Jul 09, 2012 8:17 am
Full Name: Liviu Tutuianu
Contact:

Re: VBR "users and role" utility

Post by liviu.tutuianu » Jan 08, 2014 1:35 pm

dragos.rosu wrote: c. Add the user to a group that can override security restrictions but is not Administrator, otherwise when you try to make a restore the user will have access only to the files from drive C: and on the rest of the drives it will get the Error: Access is Denied;
Note: I don't know exactly what kind of access must have the group from the point C. because we already had a built-in group only for restore purposes.
-> The built-in Backup Operators group is the most suitable..

@Dragos: Excellent work.

All the best,
Liviu

Andreas Neufert
Veeam Software
Posts: 3627
Liked: 638 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: VBR "users and role" utility

Post by Andreas Neufert » Jan 08, 2014 2:08 pm

Again thank you for sharing this. Looking forward to the next Call/Meeting. CU Andy

brunofernandez
Novice
Posts: 9
Liked: never
Joined: Dec 27, 2013 11:11 am
Full Name: Bruno Fernandez
Contact:

Re: VBR "users and role" utility

Post by brunofernandez » Jan 28, 2014 2:16 pm

thank you for sharing your information with us.
but I still recieve the User Account Control pop up and can't open the Veeam console with user whitch are not local admins :cry:

Edit: I also added the User Group to the Backup Operators local group but no chance

MarcoZ
Novice
Posts: 3
Liked: never
Joined: Feb 06, 2014 1:34 pm
Full Name: Marco Zoutewelle
Contact:

Re: VBR "users and role" utility

Post by MarcoZ » Feb 06, 2014 1:42 pm

brunofernandez wrote:thank you for sharing your information with us.
but I still recieve the User Account Control pop up and can't open the Veeam console with user whitch are not local admins :cry:

Edit: I also added the User Group to the Backup Operators local group but no chance
Some problem here and I don't want the Restore Operators to be local admin on the server.

Any idea how to get this to work?

Vitaliy S.
Product Manager
Posts: 22694
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: VBR "users and role" utility

Post by Vitaliy S. » Feb 06, 2014 2:11 pm

Local admin account is required to open Veeam backup console, however you can use Enterprise Manager to perform FLR restores. In this case you don't need to add your account to the local admin group on the backup server.

brunofernandez
Novice
Posts: 9
Liked: never
Joined: Dec 27, 2013 11:11 am
Full Name: Bruno Fernandez
Contact:

Re: VBR "users and role" utility

Post by brunofernandez » Feb 06, 2014 4:00 pm

Vitaliy S. wrote:Unfortunately, I'm not aware of any workarounds, but we are going to address this in the next releases.
Vitaliy said to me that they will resolv this problem in the next releases :wink:

MarcoZ
Novice
Posts: 3
Liked: never
Joined: Feb 06, 2014 1:34 pm
Full Name: Marco Zoutewelle
Contact:

Re: VBR "users and role" utility

Post by MarcoZ » Feb 07, 2014 10:18 am

Vitaliy S. wrote:Local admin account is required to open Veeam backup console, however you can use Enterprise Manager to perform FLR restores. In this case you don't need to add your account to the local admin group on the backup server.
but for Enterprise Manager you need enterprise licenses before you can use the restore option :(

Vitaliy S.
Product Manager
Posts: 22694
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: VBR "users and role" utility

Post by Vitaliy S. » Feb 07, 2014 10:22 am

Enterprise Manager itself does not require enterprise license edition, however in order to use 1-click FLR you should have either Enterprise or Enterprise Plus edition.

MarcoZ
Novice
Posts: 3
Liked: never
Joined: Feb 06, 2014 1:34 pm
Full Name: Marco Zoutewelle
Contact:

Re: VBR "users and role" utility

Post by MarcoZ » Feb 07, 2014 10:52 am

Vitaliy S. wrote:Enterprise Manager itself does not require enterprise license edition, however in order to use 1-click FLR you should have either Enterprise or Enterprise Plus edition.
Yeah that's the problem, we use Standard licenses. So for now I should give the restore operators local admin rights to the server. Hopefully this will be changed in future releases

Ben Milligan
Expert
Posts: 173
Liked: 40 times
Joined: Jan 01, 2006 1:01 am
Contact:

Re: VBR "users and role" utility

Post by Ben Milligan » Feb 11, 2014 1:53 pm 1 person likes this post

Thank you, Dragos, for your post. We have created a KB article as well that describes these roles as well.

http://www.veeam.com/kb1853

Thanks!

r1819m
Lurker
Posts: 1
Liked: never
Joined: Feb 13, 2014 9:47 pm
Full Name: Ryan Muehling
Contact:

[MERGED] Permissions

Post by r1819m » Feb 13, 2014 9:53 pm

I am trying to give a group of people read only access in Veeam. Which is a very easy setup in Veeam BUT the problem starts with local server access. I really do not want to give the local admin access but seems like i might have to in order to start veeam. I am hosting veeam on server 2008 R2. Anyone have any advise or know a fix? thanks!

foggy
Veeam Software
Posts: 17931
Liked: 1512 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: VBR "users and role" utility

Post by foggy » Feb 14, 2014 5:29 am

Ryan, please review this thread for some hints and feel free to ask if any clarification is required. Thanks.

wilkins44
Enthusiast
Posts: 32
Liked: 5 times
Joined: Sep 24, 2013 11:17 am
Full Name: Jay Wilkins
Contact:

Re: VBR "users and role" utility

Post by wilkins44 » Mar 11, 2016 5:58 pm

Sorry to dig up an old post, but did the permissions change for some of the roles with V8?

I've got a group of operators that monitor the status and completion of our backup jobs. They will occasionally need to start or stop jobs, so Backup Operator is the role that they've got now. In V7 we gave them the Backup Operator role, and they were able to import and export tapes. We did the same thing for V8, but now they can't do the import or export. The only other change is that we are using the tape proxy feature on the repository instead of connecting the B&R up to the autoloader.

I'm able to import and export as an administrator, but I'd like to get things set up so I don't have to do this for them every week.

I'd rather not give them Restore Operator permissions since they don't do any restores, but if that's the only option...

Post Reply

Who is online

Users browsing this forum: Bing [Bot], Google [Bot] and 21 guests