Access Management
Overview
VNG Cloud is committed to protecting the infrastructure of VNG Cloud services, especially data storage services. Access control is one of its top priorities, and this extends to the Veeam software used for data backup.
Access control is a crucial aspect of security: it determines who can access the software, and under what conditions, to perform backup or recovery operations.
In addition to user-based access control that governs who may use the software, Veeam also protects backup and data recovery actions with a Four-Eyes Authorization mechanism. This article describes user access rights and Four-Eyes Authorization.
Access Rights
The access control policy follows Veeam's role model, in which different roles manage user access and rights to various system features. The roles are defined and compared below:
1. Veeam Backup Administrator
Allows for the execution of all administrative operations within Veeam Backup & Replication. Note that this role has full access to all files on the servers and hosts added to the backup infrastructure.
2. Veeam Restore Operator
Allows for the execution of recovery operations using existing backups and replicas. However, this role cannot migrate a restored VM back into the production environment during Instant Recovery.
Consider the following:
- This role can restore data from any backup, so it can restore disks and files that may contain deliberately crafted malicious content. This opens the possibility for insider attacks, including but not limited to privilege escalation leading to the takeover of the entire system. Because of this capability, this role should be considered as sensitive as Veeam Backup Administrators.
- During the recovery process, this role can overwrite existing versions: virtual machines during VM recovery, disks during disk recovery, and files during file-level recovery.
3. Veeam Backup Operator
Can start and stop existing jobs, export backups, copy backups, and create VeeamZip backups.
4. Veeam Backup Viewer
Has read-only access to Veeam Backup & Replication. Can view the list of existing jobs and view details of job sessions.
5. Veeam Tape Operator
Can manage tapes and perform the following operations: rescan library/server, eject tape, export tape, import tape, mark tape as free, move tape to media pool, erase tape, catalog tape, inventory tape, set tape password, copy tape, verify tape, start and stop tape backup jobs.
You can assign multiple roles to the same user. For example, if a user needs the ability to start jobs and perform recovery operations, you can assign the roles of Veeam Backup Operator and Veeam Restore Operator to this user.
To manage access permissions and for instructions on adding users, please refer to the following official Veeam documentation: https://helpcenter.veeam.com/docs/backup/vsphere/configuring_users.html?ver=120
Four Eyes Authorization
You can activate this function to reduce the risk of accidental actions affecting sensitive stored data. This function uses an additional control mechanism that requires further approval from another user with the Veeam Backup Administrator role for specific operations in Veeam.
Before activating this function, ensure that there are at least two users assigned the role of Veeam Backup Administrator.
To activate this function and review the Veeam Backup Administrator operations it covers, please refer to the following official Veeam documentation: https://helpcenter.veeam.com/docs/backup/vsphere/four_eyes_authorization.html?ver=120
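As an added example (not part of the original article and not Veeam's own tooling), the Python code below reviews a list of role assignments against two points made above: Veeam Restore Operator accounts are as sensitive as Veeam Backup Administrators, and Four-Eyes Authorization needs at least two distinct users with the Veeam Backup Administrator role. The `review` function, the (account, role) input format and the account names are assumptions constructed for illustration; only the role names come from this page.

```python
from collections import defaultdict

# Role names as listed on this page.
ADMIN = "Veeam Backup Administrator"
RESTORE = "Veeam Restore Operator"
KNOWN_ROLES = {ADMIN, RESTORE, "Veeam Backup Operator",
               "Veeam Backup Viewer", "Veeam Tape Operator"}
# The page says Restore Operators are as sensitive as Backup Administrators.
SENSITIVE = {ADMIN, RESTORE}

# Constructed sample input (assumption): (account, role) pairs.
SAMPLE = [
    ("CORP\\alice", ADMIN),
    ("corp\\Alice", ADMIN),  # same Windows account, different case
    ("CORP\\bob", RESTORE),
    ("CORP\\bob", "Veeam Backup Operator"),
    ("CORP\\carol", "Veeam Backup Viewer"),
    ("CORP\\dave", "Veeam Tape Operator"),
    ("CORP\\erin", "Backup Admin"),  # not a role name from the page
]

def review(assignments):
    """Summarize role assignments for an access review."""
    roles_by_user = defaultdict(set)
    unknown = []
    for account, role in assignments:
        if role not in KNOWN_ROLES:
            unknown.append((account, role))  # flag rather than guess
            continue
        # Windows account names are case-insensitive: fold before counting,
        # so one account listed twice is not mistaken for two administrators.
        roles_by_user[account.strip().lower()].add(role)
    admins = sorted(u for u, r in roles_by_user.items() if ADMIN in r)
    return {
        "admins": admins,
        "four_eyes_ready": len(admins) >= 2,
        "sensitive_accounts": sorted(u for u, r in roles_by_user.items() if r & SENSITIVE),
        "multi_role": {u: sorted(r) for u, r in roles_by_user.items() if len(r) > 1},
        "unknown": unknown,
    }

if __name__ == "__main__":
    for key, value in review(SAMPLE).items():
        print(f"{key}: {value}")
```

With the constructed sample, the duplicate entry for one account leaves a single distinct administrator, so the precondition for Four-Eyes Authorization is reported as not met.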