topic Create custom Role for Veeam backup integration in ONTAP Discussions

Create custom Role for Veeam backup integration

TroyPayne — Wed, 04 Jun 2025 09:51:23 GMT

I want to backup my SMB/CIFS share on my FAS2750.

Need to add the filer as a storage object in Veeam 11.

Authentication fails when adding the filer into Veeam using a local user assigned the built in NetApp role called "backup".

I can successfully add the filer into Veeam if I specify the filer admin account. I don't want to use the admin account.

I opened a support case with Veeam and they said I need to specify additional permissions per this guide.

https://helpcenter.veeam.com/archive/backup/110/vsphere/required_permissions.html#netapp-data-ontap-lenovo-thinksystem-dm-permissions

The section titled CDOT (NAS Backup Integration) The specified permissions are not found in OnTap 9.12.1

For example need to grant DEFAULT the "readonly" permission.

DEFAULT is not available. Merely a long list of /api/blahblahblah

Yet there it is. Plain as day on the admin role.

What am I missing?

Re: Create custom Role for Veeam backup integration

Ontapforrum — Mon, 27 Mar 2023 22:58:00 GMT

I guess by default, pre-defined (built-role) role such as "backup" is set to NONE for DEFAULT command/directory and cannot be modified. However, you can create a custom role and assign it to the user as necessary.

For example- According to the "section titled CDOT (NAS Backup Integration) for Veeam you shared", it requires following capabilities.

Create a custom role:
::> security login role create -role backup_veeam -cmddirname DEFAULT -access readonly -query ""
::>security login role create -role backup_veeam -cmddirname security -access readonly -query ""
::>security login role create -role backup_veeam -cmddirname "security login" -access readonly -query ""
::> security login role create -role backup_veeam -cmddirname "volume snapshot" -access all -query ""
::> security login role create -role backup_veeam -cmddirname vserver -access all -query ""
::> security login role create -role backup_veeam -cmddirname "vserver nfs" -access all -query ""

You can verify added capabilities:
::> security login role show -role backup_veeam

Create a user or assign the existing user the above role:
::> security login create -user-or-group-name netapp_veeam -application ontapi -role backup_veeam -authmethod <password/doman>

I don't know if this will help resolve it, but give it a try.

Definitions:

Command directory = Refers to a directory in the CLI.
Role = Refers to a collection of capabilities or privileges.
Access control = The capability is specified as an ‘access control’ on a ‘command directory’ or a ‘command’.

Re: Create custom Role for Veeam backup integration

TroyPayne — Tue, 28 Mar 2023 16:04:14 GMT

Amazing!

Thank you very much Ontapforrum.

Your explanation makes perfect sense.

The commands provided worked like a charm.

So refreshing to get a straight, accurate answer.