Question

prevent admins from deleting backups

  • January 17, 2024
  • 11 comments
  • 357 views

  • Comes here often

I know there's immutable backups, but I don't have that repo right now. How can I prevent admins from inadvertently deleting an entire decade's worth of backups in 2 clicks?

MicoolPaul
  • January 17, 2024

From Veeam: change their roles so they’re not backup administrators and also enable four eyes for good measure.

You should also not give them any access to the backup repos if they don’t need it, and limited permissions where they do that don’t include any full control type permissions on the disk used as a repository.


Geoff Burke
  • Veeam Vanguard
  • January 17, 2024

Side note: make sure you have added some other admins before turning on four eyes :). I have heard of a few Veeam cases already where admins turned this on but only had 2 eyes in their systems.


SteveF
  • Comes here often
  • January 17, 2024

VBR 12.1 introduced Four Eyes Authentication which will help you with your concern of a rogue admin deleting backups.


dloseke
  • Veeam Vanguard
  • January 17, 2024

As everyone else noted here, Four Eyes is the way to go.  That said, you’ll want to make sure that nobody has access to the back-end storage as well to where the actual backup files can be deleted behind the scenes.


SteveF
  • Comes here often
  • January 17, 2024

> As everyone else noted here, Four Eyes is the way to go.  That said, you’ll want to make sure that nobody has access to the back-end storage as well to where the actual backup files can be deleted behind the scenes.

You are correct that the data needs to be protected as well.  That is why you should use immutability via hardened Linux repositories and/or S3 object lock.  Immutability + four eyes authentication will help protect the data from the rogue administrator.


Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • January 17, 2024

> Side note: make sure you have added some other admins before turning on four eyes :). I have heard of a few Veeam cases already where admins turned this on but only had 2 eyes in their systems.

Yes, you MUST do this and have at least 2 admins before turning this on.  Otherwise, nothing you do will be applied with only one administrator.


  • Author
  • Comes here often
  • January 18, 2024

I am not seeing the 4 eyes authorization tab in my user role options. Upon checking, the feature is only in the latest Veeam 12.1 release, which I do not have. Unfortunately, since the rest of the admins are all domain admins, they have full access and it's not possible to restrict them in Veeam.


Link State
  • Veeam Legend
  • January 18, 2024

> I am not seeing the 4 eyes authorization tab in my user role options. Upon checking, the feature is only in the latest Veeam 12.1 release, which I do not have. Unfortunately, since the rest of the admins are all domain admins, they have full access and it's not possible to restrict them in Veeam.

You must remove the Veeam server from the domain.
Create a local administrator with a strong passphrase, create users with RBAC roles on the Windows OS side, and then assign Veeam roles.
In addition, if you have repository backups on Windows, you need (as per best practice) to limit permissions on the volume of the repository backups to only one Veeam administrator user performing backups.


This way you can limit possible erroneous deletion.

Regards.
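One way to check the repository-volume permissions described in the post above, as an added example that is not part of the original post or Veeam's own tooling. It lists every allow ACE on a Windows repository folder that lets a principal other than the intended accounts delete backup files or rewrite the ACL. The path `E:\Backups` and the account `VBR01\svc-veeam-repo` are hypothetical placeholders.

```powershell
# Added example: audit who can delete or take over files in a Windows-hosted
# backup repository. $RepoPath and $AllowedAccounts are assumptions.
param(
    [string]$RepoPath = 'E:\Backups',            # hypothetical repository folder
    [string[]]$AllowedAccounts = @(
        'NT AUTHORITY\SYSTEM',
        'VBR01\svc-veeam-repo'                   # hypothetical local backup account
    )
)

# Rights that allow removing backup files or changing who may remove them.
$risky = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_ALL (0x10000000) can appear on inherit-only ACEs and implies all of the above.
$riskyMask = [int]$risky -bor 0x10000000

function Get-RiskyRepoAce {
    param([string]$Path, [string[]]$Allowed)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Keep only the risky bits granted by this ACE.
        $hit = [int]$ace.FileSystemRights -band $riskyMask
        if ($hit -eq 0) { continue }
        $who = $ace.IdentityReference.Value
        if ($Allowed -contains $who) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $who
            Rights    = [System.Security.AccessControl.FileSystemRights]$hit
            Inherited = $ace.IsInherited
        }
    }
}

# Check the repository root, then any subfolder carrying its own explicit ACEs.
$folders = @($RepoPath) + @(Get-ChildItem -LiteralPath $RepoPath -Directory -Recurse |
    Select-Object -ExpandProperty FullName)

$folders |
    ForEach-Object { Get-RiskyRepoAce -Path $_ -Allowed $AllowedAccounts } |
    Where-Object { $_.Path -eq $RepoPath -or -not $_.Inherited } |
    Format-Table -AutoSize
```

On a domain-joined server, a row for `BUILTIN\Administrators` also covers Domain Admins, because that group is a member of the local Administrators group by default.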


Scott
  • Veeam Legend
  • January 19, 2024

> I am not seeing the 4 eyes authorization tab in my user role options. Upon checking, the feature is only in the latest Veeam 12.1 release, which I do not have. Unfortunately, since the rest of the admins are all domain admins, they have full access and it's not possible to restrict them in Veeam.

You need to upgrade to the latest for 4 eyes. 

It’s not really common to have Veeam on the domain.  I don’t have any of my Veeam infrastructure domain joined. Create a separate VLAN, non-domain-joined, and local accounts.  Depending on people's roles, having ALL admins as domain admins may not be ideal either, but that depends on your organization.  Granular permissions can be created for doing things with AD, users, groups, computers that don’t require DA access.


leduardoserrano
  • On the path to Greatness
  • January 19, 2024

4 eyes for sure, @Arin. There is a lot of content and demonstrations in this community!

Demonstration of Four-Eyes Authorization | Veeam Community Resource Hub

However, as colleagues warned, it is necessary to upgrade to v12.1. The functionality is very simple to implement and use - another layer of protection in the environment.


coolsport00
  • Veeam Legend
  • February 8, 2024

Hi @Arin -

I am just following up on your post to see if one of the comments made answered your question. If so, please select one as a ‘Best Answer’ so others may benefit from your post. Please let us know if you have further questions.

Thank you.