Skip to main content

INTRODUCTION

 

Hello everyone, as you know the new version of Veeam released the past few days is full of new features.

In this post I would like to go into more detail about the two new roles added for VBR management: Incident API Operator role and Security Administrator role.

 

INCIDENT API OPERATOR ROLE

 

Following the least privilege principle, this new role does not have access to the VBR console, but it can interact only with Veeam Incident API REST endpoint and manage malware detection events.

MFA is not supported for this role (it is considered like a service account) and it is disabled by default.

 

For example, if you create an event from the embedded swagger you can see that it will be registered in the VBR console:

 

SECURITY ADMINISTRATOR ROLE

 

This new role is designed for security teams, considering that it enables the user to perform operations on credentials (add, edit and delete), manage Security & Compliance Analyzer (run a security check, configure scan scheduling, exclude parameters from the checklist) and approve four-eyes authorization requests.

 

The ability to delegate more sensitive operations to dedicated teams ensures compliance, especially for companies that must meet certain standards.

 

Unlike the previous role, this one has access to the VBR console with the ability to perform the indicated operations. In addition, it has viewing permissions on most of the objects inside, while some settings are directly disallowed.

CONCLUSION

 

The introduction of these two new roles provides additional opportunities to apply the principles of least privilege, and meets the increasingly stringent security and zero-trust regulations.

With the next versions of Veeam maybe there will be a complete separation of the roles of Security and Backup Administrator, and hopefully more sensitive operations will be added under the umbrella of four eyes authentication.

 

REFERENCES

 

REST API Reference: https://helpcenter.veeam.com/docs/backup/vbr_rest/reference/vbr-rest-v1-1-rev2.html?ver=120#tag/Malware-Detection

User Guide Reference: https://helpcenter.veeam.com/docs/backup/vsphere/configuring_users.html?ver=120

Enjoy! 💚

Since I’ve been on vacay the past week, haven’t dived into the changes for the new VBR vers yet. Nice to see additional Roles added to provide greater access separation to various VBR features/components enhancing security. Thanks for sharing Marco.


I have been checking these new roles as it will help our security team for sure. Continuing improved security is always good.


I’m sending this to our security team. Additional roles with minimal access is something we are constantly implementing.  We have come a long way as some of the users here remember using Guest/Guest and shared accounts for everything. 🤣


Comment