Configuring role-based access settings
Backup Exec lets you configure role-based access control (RBAC), which adds security by controlling the level of access to the Backup Exec console. Use RBAC to assign roles to Windows users.
By default, role-based access is disabled. You can enable it by providing the Owner of System Logon Account credentials. By default, the Owner of System Logon Account has the administrator role, which cannot be modified or removed. You must have an administrator role or be the Owner of System Logon Account to manage users within RBAC.
In the CASO environment as well, this feature is disabled by default. You can only enable role-based access control on CAS. After you enable the feature on CAS, it is automatically enabled on MBES. You cannot enable or disable the RBAC feature from MBES servers. You also cannot edit or delete the CAS synchronized users from the MBES servers.
After role-based access control is enabled, only users that are added in the list can log on to Backup Exec or perform operations in BEMCLI.
To configure role-based access settings
-
Click the Backup Exec button, select Configuration and Settings, and then select Role-Based Access Settings.
The role-based access control feature is disabled by default.
-
Click Enable and enter the Owner of System Logon Account credentials to enable the feature.
In a CASO environment, ensure that the MBES servers are upgraded to the current version. If any MBES servers are of an earlier version, the list is displayed. It is recommended that you first upgrade all the MBES servers and then enable RBAC in the CASO environment.
After the credentials are verified, the Owner of System Logon Account has the administrator role. The role cannot be modified or removed.
To disable role-based access control, click Disable, enter the Owner of System Logon Account credentials, and then click OK.
-
Do any of the following:
-
Click Add to add a new user in the role-based access control list.
-
The user is displayed in the Role-Based Access dialog box along with the roles assigned to each user.
-
Select a user and click Edit to update the roles.
-
Select a user and click Remove to delete the user from the role-based access control list.
-
Select a user and click Details to view additional information about the user, and then click OK.
-
Click Synchronize to synchronize a CAS domain user with all the MBES servers. You can select the user and then click OK.
-
Select a user to view the roles that are assigned.
Use the Roles section to update the roles.
For more information about the roles and their details, refer to the following section:
See RBAC role details.
Add a new user in the role-based access control list
You can add new users in the role-based access control list.
To add a new user in the role-based access control list
-
On the Role-Based Access dialog box, click Add.
-
On the Add New User dialog box, enter the name of a new user account to be added to the role-based access control list.
-
Click Verify to authenticate the user.
Note: The user that you add must be part of the domain or local Windows administrator group.
-
Select the Connect to the target domain or machine check box if the new user account for role-based access cannot be verified or if the user is part of a different domain or computer.
-
Enter the administrator credentials to connect to the target domain or computer and retrieve the user account details.
-
Click Verify to authenticate the user.
After the verification is completed, Windows Group displays the group that the user is part of.
-
Select the roles that you want to assign to the user.
You can also assign multiple roles to the same user.
The following roles can be assigned to a user:
-
Administrator
-
Storage Administrator
-
Backup Administrator
-
Restore Administrator
-
View Only
For more information about the roles and their details, refer to the following section:
See RBAC role details.
-
Click Add.
The user is added and displayed in the Role-Based Access dialog box.
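A pre-check for the note in the Verify step above, added here as an example and not part of the Backup Exec documentation: it reports whether each candidate account is a direct member of the local Administrators group on the Backup Exec server before you add it to the role-based access control list. The account names are constructed placeholders, and the script assumes the check is run locally on the Backup Exec server; membership that comes through a nested domain group is only listed for manual review, not resolved.

```powershell
# Added example: run on the Backup Exec server before using Add New User.
# Candidate account names are constructed placeholders; replace with your own.
$Candidates = @('EXAMPLE\backup.operator', 'EXAMPLE\restore.operator')

# S-1-5-32-544 is the well-known SID of the built-in Administrators group.
# Looking the group up by SID avoids problems with localized group names.
$AdminMembers = Get-LocalGroupMember -SID 'S-1-5-32-544'

# Groups that are themselves members of Administrators. A candidate may be
# an administrator through one of these, which this script does not resolve.
$NestedGroups = $AdminMembers |
    Where-Object { $_.ObjectClass -eq 'Group' } |
    Select-Object -ExpandProperty Name

foreach ($Account in $Candidates) {
    # -eq on strings is case-insensitive in PowerShell, which matches
    # how Windows treats account names.
    $Direct = $AdminMembers | Where-Object { $_.Name -eq $Account }

    [pscustomobject]@{
        Account          = $Account
        DirectLocalAdmin = [bool]$Direct
        GroupsToReview   = ($NestedGroups -join '; ')
    }
}
```

An account that shows `DirectLocalAdmin` as `False` may still qualify through one of the groups in `GroupsToReview` or through the domain administrator group, so confirm that membership separately.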
Edit a role in the role-based access control list
You can edit the roles of a user in the role-based access control list.
To edit a role in the role-based access control list
-
On the Role-Based Access dialog box, select a user and click Edit.
-
In the Roles section, select or remove any roles.
-
Click Save.
The roles for a user are updated.
Synchronize a CAS user to the MBES servers
In a CASO environment, you can synchronize a CAS domain user to the MBES servers. The synchronization and any changes can only be done from the CAS server and the changes are applied to the MBES servers. You cannot edit or delete the CAS synchronized users from the MBES servers.
To synchronize a CAS user to the MBES servers
-
On the Role-Based Access dialog box, click Synchronize to synchronize a CAS user to the MBES servers.
Note: You can only synchronize a domain user to the MBES servers.
-
In the User Account Synchronization Manager dialog box, select the users that you want to synchronize across the MBES servers.
-
Click OK.
On the Role-Based Access dialog box, the Synchronization column displays the Enabled status.
To remove the synchronization for a user, click Synchronize, clear the selected check box of the user, and then click OK. The synchronization is removed from both CAS and MBES.
Note: Any domain user that is synced on the CAS server cannot be edited or removed from the MBES servers.