A recent post discussed how you can delegate file recovery operations to virtual users using the Veeam Self-Service File Restore web portal. Today, as promised, I will talk about delegating the rights to restore various objects from a backup using Veeam Backup Enterprise Manager.
In organizations (especially large ones), it eventually becomes necessary to divide areas of responsibility among IT professionals. For example, one is responsible for the database servers, another for the mail servers, a third for SharePoint, and so on. In addition, a support service for internal users is set up, and its responsibilities include, among other things, helping to restore specific machines, files, etc. To perform recovery tasks, these people need the appropriate rights and a user-friendly interface. This is where Veeam Backup Enterprise Manager, and in particular its user role settings, is a reasonable choice.
Details are below.

Assigning roles
Before you start delegating rights, make sure that the Veeam Backup Enterprise Manager service runs under an account that belongs to the Active Directory domain; you can then assign the necessary roles to users and groups from AD.
Log in to the Enterprise Manager web portal with an account that has portal administrator privileges. By default, these are held by the person who performed the installation and by members of the local Administrators group on this machine.
- Click Configuration at the top right and then at the left select the Roles tab:

- To add a new portal user, click Add.
- In the dialog that opens, start with the Account type field:

- In the drop-down list, select User to give rights to a single user.
- To assign rights to a group, select Group instead.
- In the Account field, enter the account to which the rights will be assigned, in the format domain / name.
- Next, choose from the list of Enterprise Manager user roles:
- Portal Administrator - those who are assigned this role get access to all the settings and features of Enterprise Manager. They can search for and restore any backed-up virtual machines and files, and can also set Enterprise Manager parameters in the settings panel (opened by clicking Configuration). This panel is not available to users with other roles.
- Portal User and Restore Operator - users with these roles, as a rule, have access to a limited number of virtual machines (this is their "allowed scope"). For example, it is reasonable to grant the database administrator the right to restore SQL and Oracle servers. On the VMs and Files tabs, after logging in, such a user will see only the data of the machines that are included in his "scope". Portal Users will also see backup statistics for the VMs available to them on the Dashboards tab.
Important! If you have the Enterprise Plus edition of Veeam Backup & Replication, the scope can be narrowed down to individual machines; in other cases, the scope will include all VMs (All VMs). Even so, there is still sufficient flexibility in assigning rights: a user can be allowed to restore the entire virtual machine or individual files.
Configuring the "allowed scope"
For our user who has the role of Portal User or Restore Operator, we want to select the specific machines that he will be allowed to restore.
- To do this, from the Restore scope options, select Selected virtual machines only and press the Choose button.
- In the Manage scope objects dialog, click Add object and select the type of object to add to the list of objects that our user is allowed to restore:

- Then we select specific objects in the tree:

Click OK to save the settings.
If delegating restore rights at the VM level is sufficient, then we are done.
If you need to grant rights with a finer level of granularity, read on.
Assign Granular Rights
In the same Account dialog, go to the Allow restore of options and select what this user will be allowed to restore:
- The entire virtual machine - machines from the "scope" outlined earlier will be visible to the user when he opens the VMs tab. One-click recovery of machines is described in detail in the "Performing 1-Click VM Restore" section of the user manual. In short: an Enterprise or Enterprise Plus license is required; the machine will be restored to its original location (where it was located when the backup was created); recovery from hardware snapshots is not supported from the Enterprise Manager web portal (it works only from the Veeam Backup management console). Guest files will be hidden from the user unless you select the next option.
- Guest files - several options are possible here:
- Allow only restore to original location (Allow in-place file level restores only) - in this case, the user will not have the right to save files to his local machine, and the Download button will be inactive.
- Allow only file recovery with the following extensions (Allow restores files with these extensions only) - an even stricter limitation: specify, separated by commas, the types of files our user can recover.
- If our user is the Exchange server administrator, and we want to allow him to restore objects from mailboxes (that is, letters, tasks, or calendar items), then we select Microsoft Exchange items.
- If the user is the SQL database administrator, and we allow him to restore databases to the point in time he needs, then we select Microsoft SQL Server databases. Here you can impose an additional restriction by specifying that the user is not allowed to restore to production, which could overwrite the current data with data from the backup (Deny in-place database restores (safer)).

All these administrators will see the backups of their applications and will be able to restore the necessary objects by opening the Items tab in Enterprise Manager. The recovery processes for these applications are described in more detail in the "Backup and Restore of Application Items" section of the user manual.
Finally, click OK to save the settings.
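The way the role, the "allowed scope" and the granular options described above combine can be modelled as a small decision function, which is handy for reviewing a planned delegation before entering it in the portal. This is an added example, not Veeam code or part of the original post; the `RoleEntry` fields, the `check` function and the sample accounts and VM names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RoleEntry:                      # hypothetical model of one row on the Roles tab
    account: str                      # constructed sample value, "domain/name"
    role: str                         # Portal Administrator | Portal User | Restore Operator
    scope: Optional[frozenset] = None # None models "All VMs"
    allow: frozenset = frozenset()    # subset of {"vm", "files", "exchange", "sql"}
    files_inplace_only: bool = False  # "Allow in-place file level restores only"
    file_extensions: frozenset = frozenset()  # empty set = no extension limit
    deny_inplace_db: bool = False     # "Deny in-place database restores (safer)"

def check(entry, kind, vm, target="original", filename=""):
    """Return (allowed, reason) for one restore request under the modelled rules."""
    if entry.role == "Portal Administrator":
        return True, "portal administrator: unrestricted"
    if entry.scope is not None and vm not in entry.scope:
        return False, "VM outside allowed scope"
    if kind not in entry.allow:
        return False, f"restore of {kind} not granted"
    if kind == "files":
        if entry.files_inplace_only and target != "original":
            return False, "in-place file restores only"
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if entry.file_extensions and ext not in entry.file_extensions:
            return False, "file extension not in allow-list"
    if kind == "sql" and entry.deny_inplace_db and target == "original":
        return False, "in-place database restore denied"
    return True, "allowed"

# Constructed sample delegations: a DBA and a help-desk operator.
DBA = RoleEntry("corp/dba", "Restore Operator", frozenset({"sql01", "ora01"}),
                frozenset({"sql"}), deny_inplace_db=True)
HELPDESK = RoleEntry("corp/helpdesk", "Restore Operator", frozenset({"fs01"}),
                     frozenset({"files"}), files_inplace_only=True,
                     file_extensions=frozenset({"docx", "xlsx"}))

if __name__ == "__main__":
    for args in [(DBA, "sql", "sql01", "original"), (DBA, "sql", "sql01", "other"),
                 (DBA, "vm", "sql01"), (HELPDESK, "files", "fs01", "download", "a.docx"),
                 (HELPDESK, "files", "fs01", "original", "tool.exe")]:
        print(args[0].account, args[1:], "->", check(*args))
```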
Keep in mind that the "scope" is updated automatically once a day, as well as after any editing of rights according to the described procedure.
- If the user, after logging in, does not see the machines that you have allowed him to restore, he should click the link I update my VMs to refresh the data in the view.
- A user with administrator rights can update the "scope" view manually for all roles configured in Enterprise Manager at once: to do this, open the Configuration view, select Roles on the left and click the Rebuild roles button.
This completes the role setup procedure.