What is the four-eyes principle? The “four-eyes principle” (also know as the two-person rule) means that a certain crucial and critical activity (prone to human errors) must be approved by at least two people. This controlling mechanism is used to facilitate delegation of authority and increase transparency but also minimize errors or security attacks.
In Veeam Backup & Replication, starting with v12, is possible enable the Four-Eyes Authorization feature to protect some crucial operations.
Note: Before you enable the feature, make sure that you have at least two users (added to a user group or separate ones) with the Veeam Backup Administrator or Veeam Security Administrator role assigned.
To enable four-eyes authorization, perform the following steps:
- Make sure that you have at least two users (added to a user group or separate ones) with the Veeam Backup Administrator or Veeam Security Administrator role assigned.
- From the main menu, select Users and Roles > Authorization.
- Select the Require additional approval for sensitive operations check box.
- Specify the time period during which the requested operation must be approved/rejected manually otherwise will be rejected automatically (minimum 1 day, maximum — 30).
Note: to disable four-eyes authorization, you will also need an additional approval from another backup or security administrator!
Now if you try to perform a sensitive operations, like delete a backup you will notice this message:
To approve the request, the user must have the Veeam Backup Administrator or Veeam Security Administrator role.
Other Veeam administrators can see (and approve or reject) the request in the Veeam console:
When enabled, four-eyes authorization is required to perform the following operations:
- Delete backup files or snapshots from the disk or configuration database.
- Delete information about unavailable backups from the configuration database.
- Remove backup repositories and storage from the backup infrastructure.
- Add, update and delete users or user groups.
- Enable and disable multi-factor authentication (MFA) for all users and user groups.
- Reset MFA for a specific user.
- Enable, update and disable automatic logoff for all users and user groups.
- Perform operations in the Veeam Cloud Connect infrastructure:
- [For service providers] Remove cloud repositories and delete imported tenant backup files. Tenant backup files stored in Veeam Cloud Connect repositories cannot be deleted by service providers.
- [For tenants] Remove service providers and delete backup files.
Note that delete a job (but not the backup data) is an operation that does not require the four-eyes authorization, because the backup data are still there (as orphaned, but still available).
Is it enough secure? Actually in my opinion there is a big issues: in the Veeam Backup Server all local Administrators are ALSO Veeam Administrator and you cannot reject them. This mean that one guy with local Windows Admin privileges on the Veeam Backup is able to build new Windows users (also local) and put them in the Administrators group. And use them to approve the operation.
Of course, you can separate the Veeam Console and never use a Windows Admins as a Veeam Admins.
But I hope that will be much more better in v13, when Veeam Backup Server will run also on Linux!