Veeam v13: RBAC and Multi-Tenant Configuration
In This Article
- What Changed in v13: RBAC Overview
- Built-in Roles Reference
- Custom Roles: How They Work
- Walking Through the Custom Role Wizard
- SAML SSO: Connecting an Identity Provider
- Configuring Entra ID (Azure AD) as Identity Provider
- MFA and the Security Officer Role
- Multi-Tenant Configuration Patterns
- Enterprise Manager RBAC vs VBR RBAC
- RBAC Implementation Checklist
- Key Takeaways
Veeam Backup and Replication has had role-based access control since its early versions, but the system was constrained: a small set of predefined roles with no scope control, no way to limit a user to specific workloads or repositories, and no integration with external identity providers. In practice this meant that anyone who needed to run restore operations got full Restore Operator access to everything -- not just the VMs they were responsible for.
v13 changes this significantly. Custom roles with workload-level, repository-level, and restore-type-level granularity are now available. SAML 2.0 integration with identity providers including Microsoft Entra ID (Azure AD) and Okta is built into the core product across all license tiers. The VBR console adapts dynamically to what a user can see -- a user scoped to three VMs and one repository sees only those objects in the console tree, nothing else. The Security Officer role, which approves critical infrastructure operations, is part of the Linux Software Appliance (VSA) and is managed through its Host Management console rather than the backup console.
This article covers the complete RBAC setup: built-in roles, how custom roles work, the wizard walkthrough, SAML SSO configuration with Entra ID, MFA enforcement, and multi-tenant patterns for MSPs and enterprise teams.
1. What Changed in v13: RBAC Overview
| Capability | v12 and Earlier | v13 |
|---|---|---|
| Role definitions | 5 predefined roles, no customization | 5 predefined roles + unlimited custom roles with granular permission selection |
| Scope control | None -- all roles had access to the full environment | Scoped to specific workloads, repositories, and restore targets per role |
| Console view | All users see the full console tree | Console adapts dynamically -- users see only what their role allows |
| Authentication | Windows/AD accounts only | Windows/AD accounts (Windows install), VSA local accounts created through Host Management, and SAML 2.0 SSO with any compliant identity provider |
| MFA | TOTP-based per-user MFA available but separate from corporate IdP | TOTP MFA still available; SSO enables IdP-managed MFA/conditional access policies |
| Role assignment | Multiple built-in roles per user (e.g. Backup Operator + Restore Operator) | Same, plus custom roles; a user holds either built-in roles or custom roles, never a mix of both |
2. Built-in Roles Reference
The five built-in roles are unchanged from prior versions. They remain global in scope -- no workload or repository restrictions apply. These are appropriate for small teams where all operators need full environment access, or for the backup administrator accounts that manage the infrastructure.
Veeam Backup Administrator
- All operations across the entire environment
- User and role management
- Infrastructure configuration
- Assigned to Administrators group by default
- The Veeam Backup Service account must have this role
Veeam Backup Operator
- Create, edit, and run backup jobs
- Start and stop jobs
- View backup history
- Cannot perform restore operations
- Cannot manage users or roles
Veeam Restore Operator
- All restore types: VM, file-level, application-item, instant recovery
- Cannot create or modify backup jobs
- Cannot manage infrastructure
- Cannot manage users or roles
Veeam Tape Operator
- Manage tape devices and libraries
- Create and run tape backup jobs
- Restore from tape
- Cannot manage disk backup jobs
- Cannot manage users or roles
Veeam Backup Viewer
- View console, jobs, backups, and job history
- Cannot run any operations
- Useful for compliance auditors and management oversight
Combining Roles
- Multiple built-in roles can be assigned to one user
- A user can have both Backup Operator and Restore Operator roles
- You cannot assign a user both a built-in role and a custom role -- use only one model per user
3. Custom Roles: How They Work
Custom roles are built from a permission template (Backup Operator, Restore Operator, or both) combined with three scope dimensions that restrict what the role can act on:
| Scope Dimension | Options | Notes |
|---|---|---|
| Object (Backup) Scope | Entire inventory, or specific workloads: VM folders, datastores, VM tags, individual VMs, Hyper-V clusters/hosts/VMs, agent computers or groups | Defines what the user can back up and what they see in the backup tree. Users outside this scope see nothing for those objects. |
| Repository Scope | All repositories, or specific repositories by name | Defines which repositories the user can target for new backup jobs and which backups they can browse. |
| Restore Scope | All backups, or only backups created by this user. All restore points, or only the most recent. All restore types, or selected restore types. Any restore target, or restricted to specific targets. | The most granular dimension. Individual restore types can be enabled/disabled: Entire VM Restore, Instant VM Recovery, Disk Restore, Guest File Restore, Application-Item Restore, Move Backup, Scan Backup, etc. |
The result is a user who sees only what their role permits. If scoped to a specific folder in vCenter, the backup tree shows only VMs in that folder. If scoped to one repository, only that repository appears when creating jobs. If the restore type is limited to Guest File Restore only, the right-click menu on backups shows only file-level restore options -- all other restore types are absent.
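To make the intersection semantics concrete, here is an added PowerShell model of how the three scope dimensions combine. It is example code written for this article, not Veeam code and not how the product is implemented internally: the folder, repository, VM and account names are constructed, and the restore-type names are shorthand for the wizard's entries. It shows the one case that surprises people in practice: a VM inside the object scope whose backups sit on a repository outside the repository scope is simply invisible.

```powershell
# Added example, not Veeam code: a model of how a v13 custom role's three scope
# dimensions combine. All names (folders, repositories, VMs, accounts) are constructed.

function New-ScopedRole {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [ValidateSet('Backup', 'Restore', 'Both')] [string] $Template = 'Restore',
        [string[]] $ObjectScope     = @('*'),   # vCenter folders/tags; '*' = entire inventory
        [string[]] $RepositoryScope = @('*'),   # repository names;     '*' = all repositories
        [string[]] $RestoreTypes    = @('*'),   # restore types;        '*' = all types
        [switch]   $OwnBackupsOnly,             # "Only Backups Created by this User"
        [switch]   $LatestPointOnly             # "Only the Most Recent" restore point
    )
    [pscustomobject]@{
        Name = $Name; Template = $Template
        ObjectScope = $ObjectScope; RepositoryScope = $RepositoryScope; RestoreTypes = $RestoreTypes
        OwnBackupsOnly = [bool]$OwnBackupsOnly; LatestPointOnly = [bool]$LatestPointOnly
    }
}

function Test-InScope([string[]] $Scope, [string] $Value) {
    return ($Scope -contains '*') -or ($Scope -contains $Value)
}

# What the console tree shows: a backup must satisfy BOTH the object and the repository scope.
function Get-VisibleBackups($Role, $Backups) {
    $Backups | Where-Object {
        (Test-InScope $Role.ObjectScope $_.Folder) -and (Test-InScope $Role.RepositoryScope $_.Repository)
    }
}

# Decide a restore request and return the reason, so a denied request can be explained.
function Test-RestoreRequest($Role, $Backups, [string] $User, [string] $Vm, [string] $RestoreType, [bool] $LatestPoint = $true) {
    if ($Role.Template -eq 'Backup') { return 'Deny: role has no Restore Operator template' }
    $backup = Get-VisibleBackups $Role $Backups | Where-Object Vm -eq $Vm
    if (-not $backup) { return "Deny: $Vm is outside the object or repository scope (not visible)" }
    if (-not (Test-InScope $Role.RestoreTypes $RestoreType)) { return "Deny: restore type $RestoreType is not enabled for this role" }
    if ($Role.OwnBackupsOnly -and $backup.CreatedBy -ne $User) { return "Deny: backup of $Vm was created by $($backup.CreatedBy), not $User" }
    if ($Role.LatestPointOnly -and -not $LatestPoint) { return 'Deny: role is limited to the most recent restore point' }
    return "Allow: $RestoreType of $Vm"
}

# Constructed inventory: two MSP customers, each with a dedicated folder and repository.
$backups = @(
    [pscustomobject]@{ Vm = 'custA-web01'; Folder = 'Customer-A'; Repository = 'Repo-A'; CreatedBy = 'msp\backupsvc' }
    [pscustomobject]@{ Vm = 'custA-sql01'; Folder = 'Customer-A'; Repository = 'Repo-B'; CreatedBy = 'msp\backupsvc' }  # landed on the wrong repository
    [pscustomobject]@{ Vm = 'custB-app01'; Folder = 'Customer-B'; Repository = 'Repo-B'; CreatedBy = 'msp\backupsvc' }
)

# One custom role per customer, as recommended for MSPs: folder + repository + two restore types.
$roleA = New-ScopedRole -Name 'Customer-A Restore' -Template Restore `
    -ObjectScope 'Customer-A' -RepositoryScope 'Repo-A' -RestoreTypes 'GuestFile', 'EntireVM'

(Get-VisibleBackups $roleA $backups).Vm                                            # custA-sql01 is hidden by the repository scope
Test-RestoreRequest $roleA $backups 'custA\ops' 'custA-web01' 'GuestFile'          # in scope, type enabled
Test-RestoreRequest $roleA $backups 'custA\ops' 'custA-web01' 'InstantVMRecovery'  # type not enabled for the role
Test-RestoreRequest $roleA $backups 'custA\ops' 'custB-app01' 'EntireVM'           # another customer's VM: not visible
```

The second backup in the inventory is the case worth testing for real after you build a customer role: if a job for that customer ever targets the wrong repository, the customer's operator loses the ability to restore that VM, and nothing in the console tells them why.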
4. Walking Through the Custom Role Wizard
In the Veeam Backup and Replication console (thick client -- the Web UI does not support custom role creation in v13.0.1): Menu > Users and Roles > Roles tab > Add.
Step 1: Role Name and Permission Template
Enter a role name and optional description. Select the global permission template: Backup Operator, Restore Operator, or both. If you select both, the role grants backup creation and restore capability -- useful for reducing the number of roles assigned to operators who do both.
Step 2: Object (Backup) Scope
Choose: Entire Inventory (no restriction) or Only Selected Objects. If selected: expand the infrastructure tree and tick specific folders, datastores, VM tags, individual VMs, Hyper-V clusters, or agent groups. For MSP environments: create one custom role per customer, scoped to that customer's dedicated folder or tag.
Step 3: Repository Scope
Choose: All Repositories or Only Selected Repositories. Select specific repositories from the list. For MSP: scope each customer role to that customer's dedicated repository. This prevents a customer operator from accidentally targeting (or accessing backups on) another customer's storage.
Step 4: Restore Scope
This step only appears if the role includes Restore Operator permissions. Choose which backups can be restored: All Backups in Scope, or Only Backups Created by this User. Choose which restore points: All Restore Points, or Only the Most Recent. Then choose restore types -- click Choose to get the full list and enable only what this role requires. Finally choose restore targets: Any Infrastructure Target, or Restrict to Defined Targets.
Step 5: Summary
Review the role summary. Click Finish. The role is now available for assignment in Users and Roles > Users tab.
Assigning the Role to a User
Users tab > Add. Enter the user account (local, domain, or SAML-federated). Select the custom role. Save. The user's console session will reflect the scoped view on next login.
Available Restore Types for Scoping
| Restore Type | Notes |
|---|---|
| Restore Entire VM (to hypervisor) | Full VM restore to production infrastructure |
| Instant VM Recovery (to hypervisor) | Start VM directly from backup. Highly privileged -- typically admin-only. |
| Restore VM Disks | Disk-level restore without restoring the full VM configuration |
| Guest OS File Restore | File-level restore into the guest OS. Appropriate for end users or helpdesk roles. |
| Application Item Restore (Exchange, SQL, AD, etc.) | Veeam Explorer-based item-level restores. Scope this to application DBA or Exchange admin roles. |
| Move Backup | Move backup files between repositories. Infrastructure-admin task. |
| Scan Backup (A/V and YARA scans) | Run malware scans against backup content. Security team function. |
| Instant Recovery to Cloud | Recovery to Azure or other cloud targets. May be separately controlled for cost containment. |
5. SAML SSO: Connecting an Identity Provider
SSO via SAML 2.0 allows users to authenticate against your corporate identity provider -- Entra ID, Okta, AD FS, or any SAML 2.0-compliant IdP -- instead of local or domain accounts. This enables your existing MFA policies, conditional access rules, and automated account provisioning to apply to Veeam access.
SSO is configured in the thick Windows client only in v13.0.1 -- it is not yet configurable via the Web UI. Once configured, SSO applies to both the thick client and the Web UI for authentication.
High-Level SSO Flow
| Step | Where | What Happens |
|---|---|---|
| 1 | VBR Console | Enable SAML, configure Service Provider certificate, download SP metadata XML |
| 2 | Identity Provider (Entra ID, Okta, etc.) | Create enterprise application, upload SP metadata, configure attribute mapping, assign users |
| 3 | VBR Console | Upload IdP metadata XML to complete federation |
| 4 | VBR Console | Add federated users/groups to Users and Roles and assign built-in or custom roles |
6. Configuring Entra ID (Azure AD) as Identity Provider
Step 1: Enable SAML in VBR and Export SP Metadata
Open the thick client. Menu > Users and Roles > Identity Provider tab. Check Enable SAML. Click Install Certificate. Select the VBR server certificate from the store (the one named "Veeam Backup Server Certificate" is the correct choice). Under Service Provider Information, click Download SP Metadata to download the XML file that describes your VBR server to Entra ID.
Step 2: Create the Enterprise Application in Entra ID
In the Azure portal: Entra ID > Enterprise Applications > New Application > Create Your Own Application. Name it (e.g. "Veeam Backup"). Select "Integrate any other application you don't find in the gallery." In the app's Single Sign-On section, select SAML. Upload the SP metadata XML downloaded from VBR. Entra ID populates the Entity ID, Reply URL, and certificate fields automatically from the metadata.
Step 3: Configure Attributes and Claims
In the SAML app's Attributes and Claims section, ensure the user identifier claim is configured. The default UPN claim is typically sufficient for Veeam's username matching. If you intend to assign Veeam roles via group claims, configure the Groups claim and note the group object IDs you will use.
Step 4: Assign Users and Groups to the Application
In Entra ID: Enterprise Application > Users and Groups > Add User/Group. Assign the users or groups who will have Veeam access. This is mandatory -- users not assigned to the app in Entra ID will receive an authentication error even if they exist in Veeam's Users and Roles.
Step 5: Import the IdP Metadata into VBR
In Entra ID: SAML app > SAML Signing Certificate > Federation Metadata XML > Download. Back in VBR: Users and Roles > Identity Provider tab > Upload IdP Metadata. Import the XML file. Save. SAML is now configured.
Step 6: Add Federated Users in VBR
In VBR console: Users and Roles > Users tab > Add. Enter the user's UPN (e.g. user@domain.com) as it appears in the SAML assertion. Assign the appropriate built-in or custom role. The user can now log in using SSO.
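Before importing the federation metadata into VBR (step 3 of the SSO flow above), it is worth reading what is actually in the file: the entityID must belong to your tenant, the SSO endpoints must be present, and the signing certificate is what VBR will trust for every assertion, so its expiry date is the date SSO logins stop working unless you re-import. The following PowerShell check is an added example written for this article, not Veeam tooling. The metadata string is constructed in the shape Entra ID produces, the tenant ID is a placeholder, and the signing certificate is generated in memory for the demo (this needs .NET Framework 4.7.2+ or PowerShell 7 for CertificateRequest). The function name Get-IdpMetadataSummary is an assumption of this example.

```powershell
# Added example, not Veeam code: inspect IdP federation metadata before importing it into VBR.

function Get-IdpMetadataSummary {
    param([Parameter(Mandatory)] [xml] $Metadata, [string] $ExpectedEntityId)

    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entity = $Metadata.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $entity) { throw 'Not a SAML 2.0 EntityDescriptor' }
    $entityId = $entity.GetAttribute('entityID')

    $idp = $entity.SelectSingleNode('md:IDPSSODescriptor', $ns)
    if (-not $idp) { throw 'No IDPSSODescriptor: this looks like SP metadata, not IdP metadata' }

    # SSO endpoints per binding; VBR sends the browser to one of these.
    $sso = $idp.SelectNodes('md:SingleSignOnService', $ns) | ForEach-Object {
        [pscustomobject]@{ Binding = ($_.GetAttribute('Binding') -replace '^.*:bindings:', ''); Location = $_.GetAttribute('Location') }
    }

    # Signing certificate(s): assertion signatures are validated against these.
    $certs = $idp.SelectNodes('md:KeyDescriptor[@use="signing" or not(@use)]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns) | ForEach-Object {
        $der = [Convert]::FromBase64String(($_.InnerText -replace '\s', ''))
        $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        [pscustomobject]@{ Subject = $c.Subject; Thumbprint = $c.Thumbprint; NotAfter = $c.NotAfter; DaysLeft = [int]($c.NotAfter - (Get-Date)).TotalDays }
    }

    $warnings = @()
    if ($ExpectedEntityId -and $entityId -ne $ExpectedEntityId) { $warnings += "entityID '$entityId' does not match expected '$ExpectedEntityId'" }
    if (-not $certs) { $warnings += 'No signing certificate in metadata' }
    foreach ($c in $certs) {
        if ($c.DaysLeft -lt 30) { $warnings += "Signing certificate $($c.Thumbprint) expires in $($c.DaysLeft) days; re-import metadata before then" }
    }
    if (-not ($sso | Where-Object { $_.Binding -in @('HTTP-Redirect', 'HTTP-POST') })) { $warnings += 'No HTTP-Redirect or HTTP-POST SSO endpoint' }

    [pscustomobject]@{ EntityId = $entityId; SsoEndpoints = $sso; SigningCerts = $certs; Warnings = $warnings }
}

# Constructed test input: a self-signed certificate stands in for the Entra ID signing key.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=Microsoft Azure Federated SSO Certificate', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$cert = $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1), [DateTimeOffset]::UtcNow.AddYears(3))
$certB64 = [Convert]::ToBase64String($cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

$tenant = '00000000-0000-0000-0000-000000000000'   # placeholder tenant ID, not a real tenant
$sampleMetadata = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/$tenant/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>$certB64</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/$tenant/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/$tenant/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"@

$summary = Get-IdpMetadataSummary -Metadata ([xml]$sampleMetadata) -ExpectedEntityId "https://sts.windows.net/$tenant/"
$summary.SsoEndpoints | Format-Table Binding, Location
$summary.SigningCerts | Format-Table Subject, Thumbprint, NotAfter, DaysLeft
$summary.Warnings
# Real file: Get-IdpMetadataSummary -Metadata ([xml](Get-Content .\FederationMetadata.xml -Raw)) -ExpectedEntityId "https://sts.windows.net/<your-tenant-id>/"
```

Record the thumbprint it prints alongside the role documentation; when Entra ID rotates the SAML signing certificate, the thumbprint in a fresh download will differ, and that is your cue to repeat step 5 before the old certificate expires.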
7. MFA and the Security Officer Role
Multi-Factor Authentication
Veeam's built-in MFA uses TOTP (Time-Based One-Time Password), compatible with Microsoft Authenticator, Google Authenticator, and similar apps. Enable it from the console's Users and Roles dialog (Main Menu > Users and Roles > Enable multi-factor authentication). Once enabled, every user, including built-in Administrator accounts, must enroll on next login. One constraint to plan for: Veeam's MFA applies to individual user accounts only, not to groups, so if any role is assigned to an AD group, MFA cannot be enabled until those assignments are converted to per-user entries.
If you are using SAML SSO with an IdP that enforces MFA (which is the recommended approach), you do not need Veeam's built-in TOTP MFA for SSO users. The IdP's MFA policy applies during authentication before the SAML assertion reaches Veeam. For local accounts that are not using SSO (such as the Security Officer account on the VSA), Veeam's built-in TOTP MFA should be enabled.
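For readers who want to see what "TOTP" actually commits a server to, here is the RFC 6238 algorithm in PowerShell (HMAC-SHA1, 30-second step, 6 digits, which is what authenticator apps default to), together with the two things a verifier has to get right: a tolerance window for clock skew, and a replay check so that a code intercepted over someone's shoulder cannot be reused in the same step. This is an added example written for this article; it is not Veeam's MFA implementation, and it says nothing about how Veeam stores secrets or sizes its window. The secret is the RFC 6238 test key, base32-encoded, and the script checks itself against the RFC's published vectors before running the verification demo.

```powershell
# Added example, not Veeam code: RFC 6238 TOTP generation and a verifier with skew window and replay check.

function ConvertFrom-Base32([string] $Text) {
    # Authenticator apps exchange TOTP secrets as base32 (RFC 4648 alphabet).
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = 0; $value = 0
    $out = New-Object System.Collections.Generic.List[byte]
    foreach ($ch in $Text.ToUpperInvariant().TrimEnd('=').ToCharArray()) {
        $idx = $alphabet.IndexOf($ch)
        if ($idx -lt 0) { throw "Invalid base32 character '$ch'" }
        $value = (($value -shl 5) -bor $idx) -band 0xFFFF   # keep only bits not yet emitted
        $bits += 5
        if ($bits -ge 8) { $bits -= 8; $out.Add([byte](($value -shr $bits) -band 0xFF)) }
    }
    return $out.ToArray()
}

function Get-TotpCode([byte[]] $Key, [long] $UnixTime, [int] $Step = 30, [int] $Digits = 6) {
    $counter = [int64][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($msg) }   # RFC 4226: counter is big-endian
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Key)
    $hash = $hmac.ComputeHash($msg)
    $offset = $hash[19] -band 0x0F                                   # dynamic truncation
    $binary = (($hash[$offset] -band 0x7F) -shl 24) -bor
              (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
              (($hash[$offset + 2] -band 0xFF) -shl 8) -bor
              ($hash[$offset + 3] -band 0xFF)
    return ($binary % [int][math]::Pow(10, $Digits)).ToString().PadLeft($Digits, '0')
}

# Verify a submitted code: accept one step of skew either way, and never accept the same
# counter twice for this user (the $UsedCounters table is per-user server-side state).
function Test-TotpCode([byte[]] $Key, [string] $Code, [long] $UnixTime, [hashtable] $UsedCounters, [int] $Window = 1) {
    $now = [int64][math]::Floor($UnixTime / 30)
    foreach ($delta in (-$Window)..$Window) {
        $counter = $now + $delta
        if ((Get-TotpCode -Key $Key -UnixTime ($counter * 30)) -eq $Code) {
            if ($UsedCounters.ContainsKey($counter)) { return $false }   # replay of an already accepted code
            $UsedCounters[$counter] = $true
            return $true
        }
    }
    return $false
}

# RFC 6238 test key "12345678901234567890" in base32, and its Appendix B SHA-1 vectors cut to 6 digits.
$secret = ConvertFrom-Base32 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
foreach ($v in @(@{ T = 59; Code = '287082' }, @{ T = 1111111109; Code = '081804' }, @{ T = 1234567890; Code = '005924' })) {
    $got = Get-TotpCode -Key $secret -UnixTime $v.T
    if ($got -ne $v.Code) { throw "TOTP self-check failed at T=$($v.T): got $got, expected $($v.Code)" }
}

$used = @{}
Test-TotpCode -Key $secret -Code '287082' -UnixTime 75  -UsedCounters $used   # code from the previous step, inside the skew window
Test-TotpCode -Key $secret -Code '287082' -UnixTime 75  -UsedCounters $used   # same code again: replay
Test-TotpCode -Key $secret -Code '287082' -UnixTime 200 -UsedCounters $used   # four steps later: outside the window
```

The window is the trade-off to understand when users complain that codes "don't work": widening it papers over clock drift on phones and servers, but every extra step doubles the number of codes an attacker with a captured code can try to reuse, which is why the replay table matters as much as the window.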
The Security Officer Role
The Security Officer is a special administrative role on the Veeam Software Appliance (Linux). It is distinct from VBR's backup administrator accounts and is configured in the Host Management Console, not the backup console. The Security Officer's function is to approve critical infrastructure operations that could undermine backup integrity or security:
| Operation Requiring Security Officer Approval |
|---|
| Adding new components to the backup infrastructure (proxies, repositories) |
| Approving Data Collection connection requests from Veeam ONE |
| Approving immutability configuration changes on hardened repositories |
| Enabling Lockdown Mode (prevents any infrastructure changes without SO approval) |
| Approving new certificates and trusted connections |
The Security Officer account exists specifically to enforce separation of duties: the backup administrator who runs day-to-day operations cannot single-handedly remove immutability settings or add unauthorized storage targets without the Security Officer also approving the change. This maps directly to immutability and anti-tampering compliance requirements in frameworks like NIST CSF, ISO 27001 annex controls, and cyber insurance questionnaires.
8. Multi-Tenant Configuration Patterns
v13's custom roles with workload and repository scoping enable real multi-tenancy within a single VBR server for MSPs and enterprise environments with distinct organizational units. The following patterns cover the majority of use cases.
MSP: Per-Customer Self-Service Restore
Create a dedicated vCenter folder or vSphere tag for each customer. Create a custom Restore Operator role scoped to that folder/tag, restricted to the customer's repository, with restore types limited to Guest File Restore and Entire VM Restore. Create a user account per customer (or federate via SSO if the customer has an IdP). Assign the scoped role. The customer logs in and sees only their VMs. They can self-service file restores without involving your team. They cannot see or touch any other customer's environment.
Enable "Allow VBR console to display analytics data" in Veeam ONE and scope the customer's Veeam ONE report access to their Business View group. Schedule a monthly Protected VMs report to the customer's contact -- this is your backup service report delivered automatically.
Enterprise: DBA Team
Create a Backup Operator + Restore Operator custom role scoped to the database servers folder and the database backup repository. Assign to the DBA team group (federated via Entra ID). DBAs can create and manage backup jobs for database servers, run Veeam Explorer for SQL restores, and browse their repository -- but have no visibility into other infrastructure.
Enterprise: Application Team Restores
Create a Restore Operator role scoped to the application team's VMs with Guest File Restore and Entire VM Restore enabled, restricted to production restore targets only (no cloud targets). The application team can perform restores without involving the backup team for routine recovery requests.
Audit and Compliance Viewer
Use the built-in Veeam Backup Viewer role for auditor accounts. Viewers see the full console tree and job history but cannot run any operations. Federate via SSO so auditor accounts are controlled by IT's IdP -- access is revoked automatically when employment ends. Supplement with a scheduled weekly Backup SLA report and monthly License Usage report delivered by Veeam ONE to the audit team's inbox.
Veeam Cloud Connect vs. Direct RBAC for MSPs
For MSPs operating a Veeam Cloud Connect provider, tenant isolation is managed by Cloud Connect's tenant model -- each tenant has their own isolated backup repository and Cloud Connect enforces the boundary. The custom role RBAC described in this article applies to direct console access to VBR, which is appropriate for MSPs who are also managing their customers' on-premises Veeam infrastructure directly rather than through a Cloud Connect portal. The two models are not mutually exclusive.
9. Enterprise Manager RBAC vs VBR RBAC
Enterprise Manager has had its own RBAC system for years, independent of VBR's role system. Understanding the distinction matters for knowing which system to use for which purpose.
| Dimension | VBR RBAC (v13) | Enterprise Manager RBAC |
|---|---|---|
| Scope | Controls access to the VBR backup console and operations against the backup infrastructure | Controls access to the Enterprise Manager web portal for multi-server visibility and self-service restores |
| Roles available | 5 built-in + unlimited custom with granular scoping | 3 roles: Portal Administrator, Portal User, Restore Operator |
| Restore scope | Per-role object and type scoping in custom roles | Per-user restore scope configured in EM portal (specific servers, datastores, VM folders) |
| Multi-server visibility | Single VBR server only | Aggregated view across all VBR servers registered to EM |
| Password loss protection | Not available at VBR level | Enterprise Manager holds encryption key escrow for password-loss recovery |
| SSO | SAML 2.0 via identity providers -- new in v13 | Enterprise Manager has had SAML configuration for several versions |
| v13 recommendation | Primary RBAC layer for all environments. Use custom roles for granular control. | Use for multi-server aggregation, password loss protection, and Portal User self-service restores. Not required if single VBR server with Web UI is sufficient. |
10. RBAC Implementation Checklist
Use this checklist when implementing or auditing RBAC in a v13 environment.
| Item | Action |
|---|---|
| Administrator accounts use MFA or SSO with MFA | Enable Veeam TOTP MFA for local accounts; enforce IdP MFA policy for SSO accounts. No admin-level account should authenticate without a second factor. |
| Veeam Backup Service account is explicit, not group-based | Assign Veeam Backup Administrator role directly to the service account user, not just its group membership. This prevents accidental role changes when group membership changes. |
| No operator accounts have Backup Administrator role | Review Users and Roles and identify any human accounts assigned to Backup Administrator. Downgrade to appropriate scoped roles. Administrator should be reserved for the service account and a minimal number of named individuals. |
| Custom roles created for each distinct team or tenant | Backup team, restore operators, helpdesk (file restores only), DBA team, audit/viewer -- each with appropriate scope. |
| SAML SSO configured and tested | At minimum, configure SSO for administrator accounts. Test login as an SSO user before removing fallback local accounts. |
| Security Officer account is separate from Backup Administrator | On VSA deployments: ensure the Security Officer is a different person from the backup admin. Document who holds the Security Officer credentials and store them in a privileged access management (PAM) vault. |
| Console view verified for scoped users | Log in as each scoped user and confirm the console tree shows only permitted objects. Test that backup and restore operations outside the scope are unavailable. |
| Restore type restrictions tested | For roles with limited restore types, confirm that disallowed operations do not appear in the right-click menu or console ribbon. |
| Role assignments documented | Export the Users and Roles list to a reference document. Include role names, scope definitions, assigned users/groups, and review date. Review quarterly. |
Auditing Current Role Assignments via PowerShell
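The script below is an added example for this article, not a Veeam-supplied script. It exports the current assignments to CSV for the quarterly review and flags the checklist items that can be checked mechanically: Backup Administrator held by human accounts or by groups, a service account that lacks an explicit assignment, and accounts holding several roles. Connect-VBRServer and Get-VBRUserRoleAssignment are real Veeam cmdlets; the property names Name, Type and Role are assumed from the cmdlet's tabular output and should be confirmed with Get-VBRUserRoleAssignment | Get-Member before relying on the report. The $ServiceAccounts list and the account name CORP\svc-veeam are assumptions for the example.

```powershell
# Added example, not Veeam's own script. Run in an elevated session on the backup server.
# Assumed: Get-VBRUserRoleAssignment objects expose Name, Type (User/Group) and Role.
Import-Module Veeam.Backup.PowerShell
Connect-VBRServer -Server localhost

function Get-VeeamRoleAssignmentReport {
    param(
        [string[]] $ServiceAccounts = @(),   # accounts allowed to hold Veeam Backup Administrator, e.g. 'CORP\svc-veeam'
        [string]   $CsvPath = ".\veeam-role-assignments-$(Get-Date -Format yyyyMMdd).csv"
    )
    $rows = Get-VBRUserRoleAssignment | ForEach-Object {
        $role = $_.Role
        if ($role -isnot [string] -and $role.PSObject.Properties['Name']) { $role = $role.Name }   # Role may be an object
        [pscustomobject]@{
            Account    = $_.Name
            Type       = [string]$_.Type
            Role       = [string]$role
            ReviewDate = (Get-Date -Format 'yyyy-MM-dd')
        }
    }
    $rows | Export-Csv -Path $CsvPath -NoTypeInformation

    $findings = @()
    $admins = $rows | Where-Object Role -eq 'Veeam Backup Administrator'

    # Checklist: Backup Administrator reserved for the service account and a few named people.
    foreach ($a in $admins) {
        if ($a.Type -eq 'Group') {
            $findings += "Backup Administrator granted to group '$($a.Account)': membership changes silently change who is admin"
        } elseif ($a.Account -notin $ServiceAccounts) {
            $findings += "Human account '$($a.Account)' holds Backup Administrator; downgrade to a scoped role"
        }
    }
    # Checklist: the service account holds the role explicitly, not only through a group.
    foreach ($svc in $ServiceAccounts) {
        if (-not ($admins | Where-Object { $_.Type -eq 'User' -and $_.Account -eq $svc })) {
            $findings += "Service account '$svc' has no explicit Backup Administrator assignment"
        }
    }
    # Accounts with several roles: built-in roles may be combined, but each combination should be intentional.
    $rows | Group-Object Account | Where-Object Count -gt 1 | ForEach-Object {
        $findings += "'$($_.Name)' holds $($_.Count) roles: $($_.Group.Role -join ', ')"
    }

    [pscustomobject]@{ Csv = $CsvPath; Assignments = @($rows).Count; Findings = $findings }
}

$report = Get-VeeamRoleAssignmentReport -ServiceAccounts 'CORP\svc-veeam'
$report
$report.Findings
Disconnect-VBRServer
```

Keep the CSV with the role documentation from the checklist; diffing this quarter's export against the last one is the fastest way to spot an assignment that was added outside the change process.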
Key Takeaways
- v13 adds custom roles with three scope dimensions: object scope (specific VMs, folders, tags), repository scope, and restore scope (specific restore types and target restrictions). The five built-in roles remain for full-environment access.
- Custom roles and built-in roles cannot be mixed on the same user. A user assigned a custom role gets only what that custom role defines -- no residual built-in role permissions carry over.
- The VBR console adapts to scoped roles: a user scoped to three VMs sees only those VMs in the console tree. Disallowed operations disappear from menus and ribbons.
- SAML 2.0 SSO is available across all edition tiers -- it is not gated to Advanced or Premium. Configure it early. The practical security benefit is centralized lifecycle management: disabling a user in Entra ID or Okta revokes all Veeam access immediately.
- SSO is configured in the thick Windows client (not yet in Web UI). The "Veeam Backup Server Certificate" is the correct SP certificate to select. Forgetting to assign the user to the Enterprise Application in Entra ID is the most common configuration failure.
- The Security Officer role on the Veeam Software Appliance (VSA) enforces separation of duties for critical infrastructure operations: no single administrator can remove immutability settings or add unauthorized storage without SO approval.
- For MSPs: create one custom role per customer scoped to their folder/tag and repository. Customers see only their own environment. Supplement with Veeam ONE Business View scoping for per-customer report delivery.
- Enterprise Manager RBAC remains relevant for multi-server aggregation and encryption key escrow. For single-server environments with the new Web UI, EM is no longer required for basic RBAC and self-service access.
- Audit role assignments quarterly. Use PowerShell (Get-VBRUserRoleAssignment) to export current assignments to CSV for review.