Hi everyone!!  Some months ago Veeam released Veeam Backup & Replication 12.1, and one of the new features is four-eyes authorization.  Four-eyes authorization is a security mechanism that requires certain operations in Veeam Backup & Replication to be approved by a second user with enough privileges in the Veeam Backup & Replication console.

Four-eyes authorization protects you from malicious or accidental actions inside Veeam, reducing the risk of actions affecting sensitive data by requiring two users to approve certain operations.  Four-eyes authorization is supported for the following operations:

  • Delete backup files or snapshots from the disk or configuration database.
  • Delete information about unavailable backups from the configuration database.
  • Remove backup repositories, storage, and service providers from the backup infrastructure.
  • Perform operations in the Files view:
    • Edit, rename and delete files
    • Overwrite files
    • Rename and delete folders
  • Add, update and delete users or user groups.
  • Enable and disable multi-factor authentication (MFA) for all users and user groups.
  • Reset MFA for a specific user.
  • Enable, update and disable automatic logoff for all users and user groups.

IMPORTANT:  Four-eyes authorization cannot protect the backup infrastructure if the Veeam Backup server itself is compromised, or if the backup data is deleted or tampered with directly in the file system.  To be protected against this kind of threat, consider using immutability for your backup repositories.

Requirements

To enable four-eyes authorization, please consider the following requirements and limitations:

  • Veeam Universal License or the Enterprise Plus edition is required.
  • If four-eyes authorization is enabled, you cannot perform delete operations using PowerShell cmdlets, the REST API, or Veeam Backup Enterprise Manager.  This feature is designed specifically for the Veeam Backup & Replication console.
  • Immutable backup files cannot be deleted even with the four-eyes authorization enabled.
  • Make sure that you have at least two users with the Veeam Backup Administrator role assigned.
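The last requirement is easy to get wrong when only one account or only a group holds the role, so here is an added pre-check script (my own example, not Veeam's code) that lists who currently holds the Veeam Backup Administrator role before you enable the feature.  It assumes the Veeam.Backup.PowerShell module is installed on the backup server and that Get-VBRUserRoleAssignment returns objects with Name, Role and Type properties; verify those names with Get-Member in your environment.

```powershell
# Added example: confirm that at least two distinct principals hold the
# Veeam Backup Administrator role before enabling four-eyes authorization.
# Assumptions: Veeam.Backup.PowerShell is installed, and role assignments
# expose Name, Role and Type (User or Group) properties.
Import-Module Veeam.Backup.PowerShell -ErrorAction Stop
Connect-VBRServer -Server localhost -ErrorAction Stop

try {
    # Match the role by name, so it works whether Role is an enum or a string.
    $admins = Get-VBRUserRoleAssignment |
        Where-Object { [string]$_.Role -match 'Backup\s*Administrator' }

    # Deduplicate case-insensitively: an account assigned directly and via a
    # group would otherwise be counted twice.
    $users  = @($admins | Where-Object { [string]$_.Type -eq 'User' } |
                ForEach-Object { $_.Name } | Sort-Object -Unique)
    $groups = @($admins | Where-Object { [string]$_.Type -eq 'Group' } |
                ForEach-Object { $_.Name } | Sort-Object -Unique)

    Write-Host "Backup Administrator users : $($users.Count) -> $($users -join ', ')"
    Write-Host "Backup Administrator groups: $($groups.Count) -> $($groups -join ', ')"

    if ($users.Count -ge 2) {
        Write-Host 'OK: two or more individual backup administrators can request and approve.'
    }
    elseif ($groups.Count -gt 0) {
        # A group assignment only helps if it actually contains a second person;
        # the approver must be a different user than the requester.
        Write-Warning 'Fewer than two individual admins; approval depends on group membership. Confirm each group listed above contains at least two people.'
    }
    else {
        Write-Warning 'Only one backup administrator is assigned. Add a second one before enabling four-eyes authorization, or every request will sit pending until the approval period expires.'
    }
}
finally {
    Disconnect-VBRServer
}
```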

Enabling Four-Eyes Authorization

  • From the main menu, click Users and Roles.
  • Go to the Authorization tab.
  • Select the Require additional approval for sensitive operations check box.
  • Optionally, specify the maximum time a request can wait for approval or rejection (7 days by default).  After that time, any pending request is rejected automatically.
  • Click OK to confirm the changes.

NOTE:  If you want to disable four-eyes authorization, you will also need approval from another backup administrator.  In that case, you will get a message like this:

Testing Four-Eyes Authorization

Now that the feature is enabled, we can test it with the most common use case: manually deleting backup data.

  • Go to Home > Backups > Disk.
  • Right-click the restore point you want to delete and click Delete from Disk.

  • You will get a message saying that this action must be approved by another backup administrator, and until then the operation will be pending.  This is four-eyes authorization in action.

  • You can also see that there is a new operation in the Pending Approval section, started by the user HOMELAB\Administrator.

  • The next step is to ask another backup administrator for approval.  For this example, I’ll connect to the Veeam console as the user HOMELAB\veeam.

  • Now, connected as a different backup administrator, go to the Pending Approval section again.  At this point you can reject or approve the request.

  • For this example I’ll approve the request.  A pop-up window asks you to confirm that you really want to approve it, and shows the operations that will start upon approval, in this case the deletion of some NAS backups.

  • And that’s it!  Now you can see the progress of the approved operation.

To view events related to four-eyes authorization, open the History view and select the Authorization Events node.  From here you can see all the requests and operations related to four-eyes authorization.