
I shared with the Community last week how to configure Veeam HA in the new VDP v13 BETA Preview. If you'd like to see those posts, here are Part 1 and Part 2.

I want to switch gears a bit and now take a look at Veeam's new ability to create Custom Roles in the Remote Console. Before diving into this topic, as with my other posts…let me share a few disclaimers:

> As is stated in my blog title, the build I'm using is a VDP v13 BETA build. Buttons, topics, functionality, feature location, role types, etc. may change when this version reaches GA.

> Because of the above, how I show you how to configure custom roles now may be a little different in the GA version.

With those out of the way, let’s now configure a couple custom roles.


Introduction

Before showing you how to configure custom roles, let me go over a few talking points about roles in the new VDP v13. This version adds a new Security Officer role. It is not a role you configure in the Web UI or Remote Console (RC). It's a role in the Host Management UI (for Linux & Linux software appliance installs) used to approve the enabling of certain management functions, such as Veeam HA. Additionally, this account is different from the Security Administrator default role in the RC. The Security Admin is used for tasks such as credentials checks and Four-Eyes Authorizations in the RC.

Create Users

First, let's create a couple Users to assign our custom roles to. You may be surprised by this, but when using Linux-based Veeam installs, Users are actually created in the Host Management (HM) UI, not in the RC. I'll show you how to do so below. Log into the HM UI at https://IPorHostnameOfVBR:10443, then go to Users and Roles > + Add:

HM UI Users & Roles
Create HM User
Assign HM User a HM Role

Take note: when you assign Roles to these new Users in the RC, they won't appear in a drop-down menu for you to select from. As such, you'll need to remember how you spelled their username or you'll receive the following error when assigning a User to a Role:

Add User to Role Error

After the local Linux users are created in the HM UI, you can then configure various HM User settings. Select the User and click the Settings drop-down to configure User settings such as Enable MFA, Change Password, Unlock User, etc.

Create Backup Custom Role

With the Users created, we need to now create custom roles to assign to these new Users. If a given default Veeam Role is sufficient, you can assign one of those as well. For the purposes of this post in discussing custom roles, we'll create a couple new custom roles.

Log into the RC and click the "hamburger menu" in the upper left > select Users and Roles, then choose the Roles tab:

Remote Console Users & Roles

Click the Add link to begin creating a custom role for the backup1 User we created above. I recommend giving the custom role a name that reflects the function you're giving the role. I also recommend providing an intuitive Description for the new Role so there's no confusion about what the custom role is used for, as I've done below:

Add Role in RC

The next screen, Data Source Scope, is where we configure what we want this custom role to be able to explicitly do → back up only Site1 workloads. To do this, first select the Only Selected Data Sources option, then click the Add link > Virtualization > VMware vSphere (or other supported hypervisor option listed). From the displayed window, you can configure the workloads this new Role can back up. For this post, I want to choose workloads based on Site1, so for me, I'll click the "Datastores and VMs" icon and select DC1:

Role Data Source Scope

On the Repository Scope window, you can also scope where this custom role can place its backups. In my opinion, it would make sense to also scope those backups to only be placed at Site1, so selecting the Only Selected Backup Repositories option and choosing the desired Repositories would be advisable. For me and this test user, I will just leave the All Repositories option selected, click Next, then Finish to complete creating the new custom role.

RC Role Repository Scope

Now all we need to do is add the custom role to our backup1 User. Go back to the Security tab and click the Add link. Make sure Linux User is the Type selected, then type the username of your new backup User you created in the HM UI, and select your custom role from the drop-down menu, then click OK. Remember, if you mistype your HM User username, you'll get the error above.

Add HM User to RC Role

Create Restore Custom Role

I won't go through the detailed process of creating the restore custom role as I did above because it's mostly the same. But I will share a couple screenshots and discuss the Restore Operator options as I think it's worth covering due to the granularity you can get with creating restore custom roles. First, create the restore1 User in the HM UI as we did the backup1 User. Then, create a custom role for restores, selecting the desired restore scope settings.

I didn't mention this when creating the custom backup role above, but notice when creating the role and selecting a global permission, Backup Operator or Restore Operator, you do have the ability to select both options for the role. This is beneficial of course if you want to give a user both Backup and Restore permissions and just want to assign the user 1 role instead of 2 custom roles. NOTE: you cannot assign a user both a built-in role and a custom role.

Let's take a look at the Restore Permissions screen. You can configure a slew of restore boundaries here!

RC Restore Operator Permissions

If we want the restore user to be able to restore only those backups created in Site1, then under the Objects Scope we click the Choose link, select the Only Backup Sources option, then click the Add link and choose the backups the new backup user created, or any backups created in Site1.

RC Custom Restore Role Object Scope

If you didn't think the Object Scope was granular, then you should certainly agree how granular you can get with what restore types you can assign to a role (and thus to a User) with the Restore Options setting. Click the Choose link here and then Only Selected Restore Options. From here you can choose which restores a role can do, for example Restore Entire VM to <hypervisor>, Instant VM Recovery to <hypervisor>, Restore Guest Files, or more "administrative" restore options such as Move Backup or Scan Backup (i.e. perform A/V or Yara Scans). There are so many options to choose from (if you don't want to give all permissions to a user), I couldn't get a screenshot of all the listed options you can select! 😊

RC Custom Restore Role Restore Options

For those organizations with a decent-sized Infrastructure Backup team, the Backup Admin can distribute the BC/DR load by creating granular roles and assigning them to users without giving those users the "keys to the car" as it were.

The last permission you can choose is where the restore user can restore workloads to → any target in the Infrastructure or only to certain targets. If you select the Restore To a Defined Infrastructure option, you're then presented with a Data Target Scope screen to choose what targets the role (User) can restore to:

RC Custom Restore Role Target Scope

Select where you want the role to be able to restore to, then click Next, then Finish to complete creating the custom role. The last task to do is to assign the restore1 User the new restore custom role as we did for the backup user above. And that's all there is to it.
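As an added example (not part of the original walkthrough and not Veeam code), a planned set of custom roles and assignments can be checked before clicking through the wizards: the sketch below flags scopes left at their "All" setting, usernames that do not match an HM UI user, and users given both a built-in and a custom role. The record layout, the role names Site1-Backup and Site1-Restore, and the misspelled user bakup1 are constructed for illustration.

```python
# Added example: the record layout is hypothetical, not a Veeam export format.
from dataclasses import dataclass

ALL = "ALL"  # an unscoped setting, e.g. "All Repositories" left selected
@dataclass
class CustomRole:
    name: str
    permissions: set               # "Backup Operator" and/or "Restore Operator"
    data_sources: object = ALL     # Data Source Scope
    repositories: object = ALL     # Repository Scope
    restore_objects: object = ALL  # Objects Scope
    restore_options: object = ALL  # Restore Options
    restore_targets: object = ALL  # Data Target Scope

SCOPES = {
    "Backup Operator": [("data_sources", "Data Source Scope"),
                        ("repositories", "Repository Scope")],
    "Restore Operator": [("restore_objects", "Objects Scope"),
                         ("restore_options", "Restore Options"),
                         ("restore_targets", "Data Target Scope")],
}

def review_role(role):
    """List the scopes a role leaves unrestricted for the permissions it holds."""
    return [f"{role.name}: {label} is unscoped" for perm in sorted(role.permissions)
            for attr, label in SCOPES.get(perm, []) if getattr(role, attr) == ALL]

def review_assignments(assignments, hm_users, custom_roles):
    """Flag unknown usernames and users given a built-in plus a custom role.
    Assumption: any assigned role name not in custom_roles is a built-in role."""
    findings, by_user = [], {}
    for user, role in assignments:
        if user not in hm_users:
            findings.append(f"{user}: not an HM UI user, check the spelling")
        by_user.setdefault(user, set()).add(role)
    for user, roles in sorted(by_user.items()):
        if roles - custom_roles and roles & custom_roles:
            findings.append(f"{user}: built-in and custom role combined")
    return findings

# Constructed sample data modelled on the walkthrough (role names are made up).
BACKUP_ROLE = CustomRole("Site1-Backup", {"Backup Operator"}, data_sources=["DC1"])
RESTORE_ROLE = CustomRole("Site1-Restore", {"Restore Operator"},
    restore_objects=["Site1 backups"], restore_options=["Restore Guest Files"],
    restore_targets=["DC1"])
ASSIGNMENTS = [("backup1", "Site1-Backup"), ("restore1", "Site1-Restore"),
               ("restore1", "Security Administrator"), ("bakup1", "Site1-Backup")]
HM_USERS, CUSTOM = {"backup1", "restore1"}, {"Site1-Backup", "Site1-Restore"}
if __name__ == "__main__":
    print(review_role(BACKUP_ROLE), review_assignments(ASSIGNMENTS, HM_USERS, CUSTOM))
```

The backup role is flagged only for its Repository Scope, which matches the test setup above where All Repositories was left selected.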

As you can see, Veeam will be providing the ability to get quite granular with RBAC in its upcoming release. You'll have the ability to create custom roles and assign them to users, or just go with assigning default Roles to users. The choice is up to you. What do you think of this new ability? Share your comments below.

Really liking the custom roles you can do and the customizations.  Great article Shane.


Thanks Chris.

Same! I have a small Backup Admin team (only me and my Director), but still a great feature 👍🏻

