Minimum permissions for users for file restore

A

alietz

New Member
Proxmox Subscriber
Nov 29, 2024
3
1
3
Hi,
we are currently using Veeam, and I am testing Proxmox Backup Server after having migrated from VMware to PVE. Once in a while, I get a request from a user to restore a file on a Windows fileserver that was lost or overwritten by accident. I really like PBS's file restore feature, and ideally I would like to enable my users to restore the files themselves.

What are the minimum roles that I would need to assign to a PVE user so they can only restore files from a certain VM? And is it possible to limit the file restore to only certain partitions of a VM (they don't need to restore files from the C: drive, normally...)?

Cheers,
Andreas Lietz
 
the user needs Datastore.AllocateSpace on the storage where the backup is, and VM.Backup on the VMID.
 
alietz said:
I would like to enable my users to restore the files themselves.
Click to expand...
Be careful: that would allow a user to download any file from the VM, including sensitive information that normally is protected by the OS and it's permissions, not to mention the ability to see the retention policy of backups which can be used in an ATP attack to increase the potential damage.
 
  • Like
Reactions: Johannes S
VictorSTS, thanks for pointing this out. I've come to the conclusion that though it's great that it's possible for the admin to restore files via PBS, it makes more sense for my use case (restoring accidentally deleted files) to use shadow copies etc. on Windows. Then a user can only retrieve what the OS allows for that user.
 
  • Like
Reactions: Johannes S
alietz said:
Thanks fabian, I tested that and it seems to me that that user also needs Datastore.Audit to even see the backup datastore. Then it works great!

Cheers,
Andreas
Click to expand...
ah yeah, though that is likely just on the UI level.

but yes, you should definitely only hand out file-restore access to users that have full access to the corresponding guest already!
 
  • Like
Reactions: Johannes S
You must log in or register to reply here.
Top Bottom