Discussions specific to the VMware vSphere hypervisor
Post Reply
masonit
Service Provider
Posts: 220
Liked: 16 times
Joined: Oct 09, 2012 2:30 pm
Full Name: Magnus
Contact:

VBR Users and Roles

Post by masonit » Apr 03, 2013 3:03 pm

Hi

Users and roles inside VBR. Can I use that to limit permissions inside VBR?

I want to grant my collegues to rdp to veeam backup server and start VBR. But inside VBR I want to set different permissions depending of their Veeam knowledge.

Right now I have placed a local test user (not local admin) in local remote desktop users group and I am able to rdp and login on the server. I have also created a local Veeam Backup Viewer group. In VBR Users and Roles I have added the Veeam Backup Viewer group with role Veeam Backup Viewer. When I start VBR it only says "SQL server is not available".

Is it possible to do what I want? What am I doing wrong? I know you can set similiar permisson inside Veeam Backup Enterprise Manager. But I want to use VBR.

\Masonit

Vitaliy S.
Product Manager
Posts: 23003
Liked: 1558 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: VBR Users and Roles

Post by Vitaliy S. » Apr 03, 2013 3:32 pm

Hello Magnus,
masonit wrote:Can I use that to limit permissions inside VBR?
You can use built-in security groups to limit access within the backup console (see our User Guide, page 300, for further details).
masonit wrote:When I start VBR it only says "SQL server is not available".
Does the account used to open backup console have access to Veeam database?

Thank you!

masonit
Service Provider
Posts: 220
Liked: 16 times
Joined: Oct 09, 2012 2:30 pm
Full Name: Magnus
Contact:

Re: VBR Users and Roles

Post by masonit » Apr 04, 2013 7:49 am

Vitaliy S. wrote:Hello Magnus,
You can use built-in security groups to limit access within the backup console (see our User Guide, page 300, for further details).
Further details, I can't see any details... :)
masonit wrote:When I start VBR it only says "SQL server is not available".
Vitaliy S. wrote:Does the account used to open backup console have access to Veeam database?Thank you!
I haven't added any specific security permission to the sql server for the test user. Shouldn't VBR fix that when I add the user to a role?
If I have to add this manually. What permissions should I give the users for the different roles?

\Masonit

veremin
Product Manager
Posts: 16901
Liked: 1439 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: VBR Users and Roles

Post by veremin » Apr 04, 2013 9:04 am

Further details, I can't see any details.
The information about VB&R built-in security groups can be found in the corresponding User Guide at page number 289.
I haven't added any specific security permission to the sql server for the test user.
In order to open VB&R console and perform actions within it, test user should have access to the VB&R SQL database. In case of Backup operator role, with a DB access granted for him, test user won’t be able to perform any administrative activities, apart from opening a console and starting/stopping existing jobs.
What permissions should I give the users for the different roles?
As far as I’m concerned, test user should have db_owner database access.

Hope this helps.
Thanks.

masonit
Service Provider
Posts: 220
Liked: 16 times
Joined: Oct 09, 2012 2:30 pm
Full Name: Magnus
Contact:

Re: VBR Users and Roles

Post by masonit » Apr 04, 2013 9:54 am

v.Eremin wrote: As far as I’m concerned, test user should have db_owner database access.

Hope this helps.
Thanks.
Thanks seems to work now!

But one more question. In sql server I try to set the permissions the same way as for local administrator. But without the server role sysadmin. The local administrator is dbo and uses default schema dbo. I try to add permisson to a group and everthing works fine besides adding default schema dbo. It is a limitation in SQL that you can't set default schema on groups, only users. Could this be a problem? Not having set default schema? If so then I have to add each user individualy.

\Masonit

masonit
Service Provider
Posts: 220
Liked: 16 times
Joined: Oct 09, 2012 2:30 pm
Full Name: Magnus
Contact:

Re: VBR Users and Roles

Post by masonit » Apr 04, 2013 10:17 am

I am testing with a user that is member in both backup and restore operator. It looks fine in VBR. But when I try to run restore guest files (windows). I get an rpc error saying that I am not member of BUILTIN\Administrators. Yes I am not but I don't want the users to be local admin on the server. Can I add permisssions to some folder on the veeam backup server to get the restore to work?

\Masonit

veremin
Product Manager
Posts: 16901
Liked: 1439 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: VBR Users and Roles

Post by veremin » Apr 04, 2013 10:35 am

I try to add permisson to a group and everthing works fine besides adding default schema dbo.
It’s expected behavior – SQL server, by design, doesn’t allow you to set default schema for domain group.

It’s primarily related to the fact a Windows user has typically a membership in multiple Windows groups. More than one of those Windows groups could have access to the SQL Server and to a specific database, especially in larger environments.

Just imagine the following situation: John Smith is a member of Windows Group 1, and Windows Group 2. Assuming both of the groups are allowed to have a default schema, what default schema will be used by John Smith then?

Hope this helps.
Thanks.

veremin
Product Manager
Posts: 16901
Liked: 1439 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: VBR Users and Roles

Post by veremin » Apr 04, 2013 10:47 am

I get an rpc error saying that I am not member of BUILTIN\Administrators.
This is by design, in order to be able to restore files user has to be granted local admin privileges on VB&R machine.

Hope this helps.
Thanks.

masonit
Service Provider
Posts: 220
Liked: 16 times
Joined: Oct 09, 2012 2:30 pm
Full Name: Magnus
Contact:

Re: VBR Users and Roles

Post by masonit » Apr 04, 2013 11:33 am

v.Eremin wrote:
It’s expected behavior –SQL server, by design, doesn’t allow you to set default schema for domain group.

It’s primarily related to the fact a Windows user has typically a membership in multiple Windows groups. More than one of those Windows groups could have access to the SQL Server and to a specific database, especially in larger environments.

Just imagine the following situation: John Smith is a member of Windows Group 1, and Windows Group 2. Assuming both of the groups are allowed to have a default schema, what default schema will be used by John Smith then?

Hope this helps.
Thanks.
Ok thanks! But can I still use groups without setting default schema or should I add users instead with default schema set?
v.Eremin wrote:This is by design, in order to be able to restore files user has to be granted local admin privileges on VB&R machine.

Hope this helps.
Thanks.
OK then I know thank you.

\Masonit

Dima P.
Product Manager
Posts: 10546
Liked: 858 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: VBR Users and Roles

Post by Dima P. » Apr 04, 2013 12:02 pm

Hello Magnus,

I think you may use either groups or default schema, the main idea is not to mess this up in any future reconfiguration.

masonit
Service Provider
Posts: 220
Liked: 16 times
Joined: Oct 09, 2012 2:30 pm
Full Name: Magnus
Contact:

Re: VBR Users and Roles

Post by masonit » Apr 04, 2013 12:39 pm

d.popov wrote:Hello Magnus,

I think you may use either groups or default schema, the main idea is not to mess this up in any future reconfiguration.
Not really sure I understand what you mean.

There must be a reason why you want to use schema? From what I understand if a user with no schema specified. Makes an update. Then a new schema is created for that specific user. This would mean with many users their could also be many schemas. I don't have enough Veeam or sql knowledge to know if that could be a problem.

\Masonit

Dima P.
Product Manager
Posts: 10546
Liked: 858 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: VBR Users and Roles

Post by Dima P. » Apr 04, 2013 1:37 pm

Magnus,

If user does not have default schema and it could not be determined somehow - then dbo schema will be used (per msdn). So reviewing this statement there is no big deal would you add user to schema or don’t. Moreover there are number of strong CONS for adding users to the default schema (no one would like to mess the default, right? :wink: ).

I would grant user access to VBR and Enterprise Manager only with AD (in case you are running under AD) under Users/Groups and Security Policies(possibly) and would not produce any SQL impact on the SQL for backup server for sure.

Cheers!

masonit
Service Provider
Posts: 220
Liked: 16 times
Joined: Oct 09, 2012 2:30 pm
Full Name: Magnus
Contact:

Re: VBR Users and Roles

Post by masonit » Apr 04, 2013 2:13 pm

Ok thanks for the reply. :) I looked at this article: http://blog.sqlauthority.com/2009/09/07 ... ql-server/

"The default schema for a user can be defined by using the DEFAULT_SCHEMA option of the CREATE USER or ALTER USER commands. If no default schema is defined for a user account, SQL Server will assume dbo is the default schema. It is important note that if the user is authenticated by SQL Server via the Windows operating system, no default schema will be associated with the user. Therefore if the user creates an object, a new schema will be created and named the same as the user, and the object will be associated with that user schema, though not directly with the user."

But maybe that is incorrect?

I use only AD authentication. What do you mean with this? "and would not produce any SQL impact on the SQL for backup server for sure."

\Masonit

Dima P.
Product Manager
Posts: 10546
Liked: 858 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: VBR Users and Roles

Post by Dima P. » Apr 04, 2013 3:13 pm 2 people like this post

But maybe that is incorrect?
I would better refer to this. Was not ever deep troubleshooting over there but I believe msdn is the bible - and if its written there then it is true. :D
I use only AD authentication
that’s ok.
What do you mean with this? "and would not produce any SQL impact on the SQL for backup server for sure."
I meant that using user groups is better idea than adding users to default schema, as you mentioned it in a few posts before :D

Cheers.

masonit
Service Provider
Posts: 220
Liked: 16 times
Joined: Oct 09, 2012 2:30 pm
Full Name: Magnus
Contact:

Re: VBR Users and Roles

Post by masonit » Apr 05, 2013 9:19 am 1 person likes this post

Thanks! Everything works as I wanted. :)

\Masonit

Dima P.
Product Manager
Posts: 10546
Liked: 858 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: VBR Users and Roles

Post by Dima P. » Apr 05, 2013 9:26 am

Thank you for your question Magnus.
Glad that we figured this out and you are up and running!

Post Reply

Who is online

Users browsing this forum: Bing [Bot], EdwinW and 41 guests