VBR Users and Roles

[masonit]

Hi

Users and roles inside VBR. Can I use that to limit permissions inside VBR?

I want to grant my collegues to rdp to veeam backup server and start VBR. But inside VBR I want to set different permissions depending of their Veeam knowledge.

Right now I have placed a local test user (not local admin) in local remote desktop users group and I am able to rdp and login on the server. I have also created a local Veeam Backup Viewer group. In VBR Users and Roles I have added the Veeam Backup Viewer group with role Veeam Backup Viewer. When I start VBR it only says "SQL server is not available".

Is it possible to do what I want? What am I doing wrong? I know you can set similiar permisson inside Veeam Backup Enterprise Manager. But I want to use VBR.

\Masonit

[Vitaliy S.]

Hello Magnus,

Can I use that to limit permissions inside VBR?

You can use built-in security groups to limit access within the backup console (see our User Guide, page 300, for further details).

When I start VBR it only says "SQL server is not available".

Does the account used to open backup console have access to Veeam database?

Thank you!

[masonit]

Hello Magnus,
You can use built-in security groups to limit access within the backup console (see our User Guide, page 300, for further details).

Further details, I can't see any details...

When I start VBR it only says "SQL server is not available".

Does the account used to open backup console have access to Veeam database?Thank you!

I haven't added any specific security permission to the sql server for the test user. Shouldn't VBR fix that when I add the user to a role?
If I have to add this manually. What permissions should I give the users for the different roles?

\Masonit

[veremin]

Further details, I can't see any details.

The information about VB&R built-in security groups can be found in the corresponding User Guide at page number 289.

I haven't added any specific security permission to the sql server for the test user.

In order to open VB&R console and perform actions within it, test user should have access to the VB&R SQL database. In case of Backup operator role, with a DB access granted for him, test user won’t be able to perform any administrative activities, apart from opening a console and starting/stopping existing jobs.

What permissions should I give the users for the different roles?

As far as I’m concerned, test user should have db_owner database access.

Hope this helps.
Thanks.

[masonit]

As far as I’m concerned, test user should have db_owner database access.

Hope this helps.
Thanks.

Thanks seems to work now!

But one more question. In sql server I try to set the permissions the same way as for local administrator. But without the server role sysadmin. The local administrator is dbo and uses default schema dbo. I try to add permisson to a group and everthing works fine besides adding default schema dbo. It is a limitation in SQL that you can't set default schema on groups, only users. Could this be a problem? Not having set default schema? If so then I have to add each user individualy.

\Masonit

[masonit]

I am testing with a user that is member in both backup and restore operator. It looks fine in VBR. But when I try to run restore guest files (windows). I get an rpc error saying that I am not member of BUILTIN\Administrators. Yes I am not but I don't want the users to be local admin on the server. Can I add permisssions to some folder on the veeam backup server to get the restore to work?

\Masonit

[veremin]

I try to add permisson to a group and everthing works fine besides adding default schema dbo.

It’s expected behavior – SQL server, by design, doesn’t allow you to set default schema for domain group.

It’s primarily related to the fact a Windows user has typically a membership in multiple Windows groups. More than one of those Windows groups could have access to the SQL Server and to a specific database, especially in larger environments.

Just imagine the following situation: John Smith is a member of Windows Group 1, and Windows Group 2. Assuming both of the groups are allowed to have a default schema, what default schema will be used by John Smith then?

Hope this helps.
Thanks.

[veremin]

I get an rpc error saying that I am not member of BUILTIN\Administrators.

This is by design, in order to be able to restore files user has to be granted local admin privileges on VB&R machine.

Hope this helps.
Thanks.

[masonit]

It’s expected behavior –SQL server, by design, doesn’t allow you to set default schema for domain group.

It’s primarily related to the fact a Windows user has typically a membership in multiple Windows groups. More than one of those Windows groups could have access to the SQL Server and to a specific database, especially in larger environments.

Just imagine the following situation: John Smith is a member of Windows Group 1, and Windows Group 2. Assuming both of the groups are allowed to have a default schema, what default schema will be used by John Smith then?

Hope this helps.
Thanks.

Ok thanks! But can I still use groups without setting default schema or should I add users instead with default schema set?

This is by design, in order to be able to restore files user has to be granted local admin privileges on VB&R machine.

Hope this helps.
Thanks.

OK then I know thank you.

\Masonit

[Dima P.]

Hello Magnus,

I think you may use either groups or default schema, the main idea is not to mess this up in any future reconfiguration.

[masonit]

Hello Magnus,

I think you may use either groups or default schema, the main idea is not to mess this up in any future reconfiguration.

Not really sure I understand what you mean.

There must be a reason why you want to use schema? From what I understand if a user with no schema specified. Makes an update. Then a new schema is created for that specific user. This would mean with many users their could also be many schemas. I don't have enough Veeam or sql knowledge to know if that could be a problem.

\Masonit

[Dima P.]

Magnus,

If user does not have default schema and it could not be determined somehow - then dbo schema will be used (per msdn). So reviewing this statement there is no big deal would you add user to schema or don’t. Moreover there are number of strong CONS for adding users to the default schema (no one would like to mess the default, right? ).

I would grant user access to VBR and Enterprise Manager only with AD (in case you are running under AD) under Users/Groups and Security Policies(possibly) and would not produce any SQL impact on the SQL for backup server for sure.

Cheers!

[masonit]

Ok thanks for the reply. I looked at this article: http://blog.sqlauthority.com/2009/09/07 ... ql-server/

"The default schema for a user can be defined by using the DEFAULT_SCHEMA option of the CREATE USER or ALTER USER commands. If no default schema is defined for a user account, SQL Server will assume dbo is the default schema. It is important note that if the user is authenticated by SQL Server via the Windows operating system, no default schema will be associated with the user. Therefore if the user creates an object, a new schema will be created and named the same as the user, and the object will be associated with that user schema, though not directly with the user."

But maybe that is incorrect?

I use only AD authentication. What do you mean with this? "and would not produce any SQL impact on the SQL for backup server for sure."

\Masonit

[Dima P.]

But maybe that is incorrect?

I would better refer to this. Was not ever deep troubleshooting over there but I believe msdn is the bible - and if its written there then it is true.

I use only AD authentication

that’s ok.

What do you mean with this? "and would not produce any SQL impact on the SQL for backup server for sure."

I meant that using user groups is better idea than adding users to default schema, as you mentioned it in a few posts before

Cheers.

[masonit]

Thanks! Everything works as I wanted.

\Masonit

[Dima P.]

Thank you for your question Magnus.
Glad that we figured this out and you are up and running!