Hi @tedew -
I was able to find documentation for variou user roles online. Go to the documentation of IBM Flashsystem Spectra Virtualize to review system roles from the link below:
https://www.ibm.com/docs/en/spectrumvirtualsoftw/8.3.x?topic=overview-user-roles
I don’t use this type of storage, so I can’t answer for sure what you need to use with Veeam. I do see this system is supported:
https://helpcenter.veeam.com/docs/backup/vsphere/system_requirements.html?zoom_highlight=storage+integration&ver=120#ibm-flashsystem--formerly-spectrum-virtualize--includes-ibm-storwize-and-ibm-svc-
...but Veeam doesn’t provide account privileges required; they don’t for any Storage System.
And to confirm Veeam doesn’t state what access to IBM to use, here are a couple other links to Veeam’s Storage Integration Guide regarding IBM storage:
Adding IBM: https://helpcenter.veeam.com/docs/backup/storage/ibm_add_launch.html?ver=120
IBM Limitations to be aware of: https://helpcenter.veeam.com/docs/backup/storage/storage_limitations_ibm.html?ver=120
Hope all the info shared helps.
Don’t use superuser
Next, I assume you are adding the SAN for storage snapshots?
If so, create a new account on the SAN for Veeam. - it might need Admin as it is dealing with storage snapshots (if you are using those) creating and deleting volumes etc.
Next, create strong passwords for the new Veeam account and make sure the SuperUser account has the password changed and is strong. print those out and store them in a safe and not in a text file or password vault.
After speaking to some industry insiders, I know of a high profile ransomware case recently where the bad actors went in, and managed to SSH into the SAN for Veeam. They deleted all of the volumes and pool then restarted the SAN.
Even if you have immutability turn on in Veeam, strong passwords, MFA, and more, it won’t protect from that.
Often the point of entrance is a phishing attempt or security vulnerability. If they gain access to your workstation, or someone who leaves a password manager open, you are no better off. Having printed out copies of a password in a safe is the way to go as a break glass account for the SAN SuperUser and Veeam account.
Don’t even add other accounts on that SAN, unless you are looking for a monitoring account for Storage Insights or some other type of monitoring system. those are Read Only.