Host-based backup of VMware vSphere VMs.
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

vCenter Server Granular Permissions (v7)

Post by Vitaliy S. » 3 people like this post

vStorage API - SAN mode (Backup)

Global:
Log event
Disable Methods
Enable Methods

Datastore:
Low-level file operations

Virtual Machine - State:
Create snapshot
Remove snapshot

Virtual machine - Interaction:
Acquire guest control ticket

Virtual Machine – Configuration:
Disk change tracking
Disk lease

Virtual Machine – Provisioning:

Allow read-only disk access
Allow virtual machine download

vStorage API - Virtual Appliance mode (Backup)

Global:
Log event
Disable Methods
Enable Methods

Datastore:
Low-level file operations

Virtual Machine - State:
Create snapshot
Remove snapshot

Virtual machine - Interaction:
Acquire guest control ticket

Virtual Machine – Configuration:
Disk change tracking
Change resource
Add existing disk
Remove disk

Virtual Machine – Provisioning:
Allow read-only disk access
Allow virtual machine download

vStorage API - Network mode (Backup)

Global:
Log event
Disable Methods
Enable Methods
Licenses *

Datastore:
Low-level file operations

Virtual Machine - State:
Create snapshot
Remove snapshot

Virtual machine - Interaction:
Acquire guest control ticket

Virtual Machine – Configuration:
Disk change tracking

Virtual Machine – Provisioning:
Allow read-only disk access
Allow virtual machine download

* - required for template backups
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by Vitaliy S. »

vStorage API - SAN mode (Replication)

Global:
Log event
Disable Methods
Enable Methods

Datastore:
Low-level file operations
Browse datastore
Remove file
Allocate space

Virtual Machine - State:
Create snapshot
Remove snapshot
Revert to snapshot

Virtual machine - Interaction:
Acquire guest control ticket
Device Connection

Virtual Machine – Configuration:
Disk change tracking
Disk lease
Advanced
Add new disk

Virtual Machine – Provisioning:
Allow disk access
Allow read-only disk access
Allow virtual machine download

Virtual Machine - Inventory:
Register
Remove

Resource:
Assign virtual machine to resource pool

vStorage API - Virtual Appliance mode (Replication)

Global:
Log event
Disable Methods
Enable Methods

Datastore:
Low-level file operations
Browse datastore
Remove file
Allocate space

Virtual Machine - State:
Create snapshot
Remove snapshot
Revert to snapshot

Virtual machine - Interaction:
Acquire guest control ticket
Device Connection

Virtual Machine – Configuration:
Disk change tracking
Change resource
Advanced
Add new disk
Add existing disk
Remove disk

Virtual Machine – Provisioning:
Allow disk access
Allow read-only disk access
Allow virtual machine download

Virtual Machine - Inventory:
Register
Remove

Resource:
Assign virtual machine to resource pool

vStorage API - Network mode (Replication)

Global:
Log event
Disable Methods
Enable Methods

Datastore:
Low-level file operations
Browse datastore
Remove file
Allocate space

Virtual Machine - State:
Create snapshot
Remove snapshot
Revert to snapshot

Virtual machine - Interaction:
Acquire guest control ticket
Device Connection

Virtual Machine – Configuration:
Disk change tracking
Add new disk
Advanced

Virtual Machine – Provisioning:
Allow disk access
Allow read-only disk access
Allow virtual machine download

Virtual Machine - Inventory:
Register
Remove

Resource:
Assign virtual machine to resource pool
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by Vitaliy S. »

Instant VM Recovery

Global:
Log event

Host - Configuration:
Storage partition configuration

Virtual machine - Interaction:
Power On
Power Off

Virtual Machine - Inventory:
Register
Unregister

Resource:
Assign virtual machine to resource pool

vApp
Add virtual machine
Assign resource pool
Unregister
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by Vitaliy S. »

SureBackup

Global:
Log event
Check Licenses

Datastore:
Low-level file operations
Remove file
Browse datastore

Host - Configuration:
Network configuration
Storage partition configuration

Network:
Assign network

Virtual machine - Interaction:
Power On
Power Off

Virtual Machine - Provisioning:
Check Allow disk access

Virtual machine - Configuration:
Add or remove device
Advanced

Virtual Machine - Inventory:
Remove
Register
Unregister

Resource:
Assign virtual machine to resource pool
Create resource pool
Remove resource pool

Folder:
Create folder
Delete folder

dvPort Group:
Create
Delete
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by Vitaliy S. »

Full VM Restore

Global:
Log event

Datastore:
Browse datastore
Remove file
Allocate space
Low-level file operations

Virtual Machine - State:
Create snapshot
Revert to snapshot
Remove snapshot

Virtual Machine – Interaction:
Power On

Virtual Machine – Provisioning:
Allow disk access
Allow read-only disk access
Allow virtual machine download
Allow virtual machine files upload

Resource:
Assign virtual machine to resource pool

Virtual Machine – Configuration:
Advanced
Add new disk
Remove disk

Virtual Machine - Inventory:
Register

Folder:
Create folder

vApp
Add virtual machine
Assign resource pool
Unregister

dvPort Group:
Create
Delete
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by Vitaliy S. »

Replica Failover

Global:
Log event

Datastore:
Low-level file operations
Browse datastore
Remove file

Virtual Machine - State:
Create snapshot
Revert to snapshot
Remove snapshot

Virtual Machine – Interaction:
Power On
Power Off

Virtual Machine – Configuration:
Advanced
Rename
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by Vitaliy S. »

Replica Failback

Global:
Log event

Datastore:
Low-level file operations
Browse datastore
Remove file
Allocate space

Virtual Machine - State:
Create snapshot
Revert to snapshot
Remove snapshot

Virtual Machine – Interaction:
Power On
Power Off

Virtual Machine – Provisioning:
Allow read-only disk access
Allow virtual machine download

Virtual Machine – Configuration:
Advanced
Rename
Disk change tracking
Disk lease
Add new disk
Add existing disk
Remove disk

Virtual Machine - Inventory:
Register

Resource:
Assign virtual machine to resource pool
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by Vitaliy S. »

File-Level Restore (Other Guest)

Global:
Log event

Datastore:
Low-level file operations
Browse datastore

Network:
Assign network
Configure

Virtual Machine - Configuration:
Modify device settings

Virtual Machine – Interaction:
Power On
Power Off

Virtual Machine - Inventory:
Register
Unregister

Resource:
Assign virtual machine to resource pool

Host - Configuration:
Storage partition configuration
lorengordon
Influencer
Posts: 23
Liked: 3 times
Joined: Jul 01, 2011 12:50 pm
Full Name: Loren Gordon
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by lorengordon »

Wow! This is awesome! I've also found that if a VM is in a vApp, a few additional permissions are necessary.

--vApp--
  1. - Add virtual machine
    - Assign resource pool
    - Unregister
There may be others for features we haven't really used...our use case is mostly just backup and restore.

Thanks!
-Loren
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by Vitaliy S. »

Hi Loren, thanks for heads up. I will update our permissions list.
dlehrner
Novice
Posts: 3
Liked: never
Joined: Jun 05, 2012 2:32 pm
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by dlehrner »

And a combined set of permissions.

Global:
Log event
Licenses
Disable Methods
Enable Methods

Datastore:
Low-level file operations
Browse datastore
Remove file
Allocate space

Virtual Machine - State:
Create snapshot
Remove snapshot
Revert to snapshot

Virtual machine - Interaction:
Acquire guest control ticket
Device Connection
Power On
Power Off

Virtual Machine – Configuration:
Disk change tracking
Disk lease
Advanced
Change Resource
Add existing disk
Remove disk
Add new disk
Add or remove device
Rename
Modify device settings

Virtual Machine – Provisioning:
Allow disk access
Allow read-only disk access
Allow virtual machine download
Allow virtual machine files upload

Virtual Machine - Inventory:
Register
Unregister
Remove

Resource:
Assign virtual machine to resource pool
Create resource pool
Remove resource pool

Host - Configuration:
Storage partition configuration
Network configuration

dvPort Group:
Create
Delete

Network:
Assign network
Configure

Folder:
Create folder
Delete folder

vApp
Add virtual machine
Assign resource pool
Unregister
brupnick
Expert
Posts: 196
Liked: 13 times
Joined: Feb 05, 2011 5:09 pm
Full Name: Brian Rupnick
Location: New York, USA
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by brupnick »

Good morning-

Is there an updated list of permissions for VBR 6.5 and vSphere 5.1?

Thank you!
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by Vitaliy S. »

Hi Brian,

As far as I know there are no additional requirements added for B&R v6.5 and vSphere 5.1 release. Do you have any issues with the list we have now?

Thanks!
brupnick
Expert
Posts: 196
Liked: 13 times
Joined: Feb 05, 2011 5:09 pm
Full Name: Brian Rupnick
Location: New York, USA
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by brupnick »

Hello Vitaliy-

Using dlehrner's combined set of permissions, I got as far as the third section (Virtual Machine - State) before noticing that this category does not seem to exist in 5.1. This made me wonder what, if anything, else might be different.

Thank you!
Brian
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by Vitaliy S. »

Virtual Machine State is replaced by Virtual Machine Snapshot Management, just checked ;)
brupnick
Expert
Posts: 196
Liked: 13 times
Joined: Feb 05, 2011 5:09 pm
Full Name: Brian Rupnick
Location: New York, USA
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by brupnick »

The other discrepancy I found is the post mentions Virtual machine - Interaction - Acquire guest control ticket, but in my vCenter permissions, I have Virtual machine - Interaction - Guest operating system management by VIX API selected. Is this just a new name for the same permission?
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by Vitaliy S. »

Yes, it looks like they've just changed the name of this permission.
dmitry86
Lurker
Posts: 2
Liked: never
Joined: Jan 12, 2013 11:52 pm
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by dmitry86 »

Hi, I have got the document from your support with the obsolete privilege names. Why not to change them in pdf doc as well? Thanks
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by Vitaliy S. »

I will ask to update this doc. Thanks for the heads up!
jcwuerfl
Enthusiast
Posts: 44
Liked: 4 times
Joined: Jun 29, 2011 8:26 pm
Full Name: James
Contact:

[MERGED] : Veeam 6.5 and VMware 5.1 vCenter permissions

Post by jcwuerfl »

Could someone please post the latest list of Permissions needed for vCenter for VMware 5.1 and Veeam 6.5 ?
Thanks!
jcwuerfl
Enthusiast
Posts: 44
Liked: 4 times
Joined: Jun 29, 2011 8:26 pm
Full Name: James
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by jcwuerfl »

Is there a pdf showing the latest vCenter permissions ? then? or could someone post them again? anyone? anyone?
foggy
Veeam Software
Posts: 21069
Liked: 2115 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by foggy »

James, the latest permissions list is available in this topic above and also in the PDF format through our technical support.
jcwuerfl
Enthusiast
Posts: 44
Liked: 4 times
Joined: Jun 29, 2011 8:26 pm
Full Name: James
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by jcwuerfl »

Including all the changed permissions in v5.1 ? like Virtual Machine - State -> Virtual Machine Snapshot Management ? I guess I'm not seeing that and want to make sure I have a complete list of everything so if that's available in the pdf document? I have to contact support for that? seems strange that isn't posted out on the backup support and product pages somewhere as how does someone ever get that for new customers?
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by Vitaliy S. »

James, yes, I have supplied our support team with the latest document that includes latest name changes.

Anyway, I have just found a direct link to the pdf doc you're looking for:
http://www.veeam.com/granular_permissions_v6_5_ds.pdf
brupnick
Expert
Posts: 196
Liked: 13 times
Joined: Feb 05, 2011 5:09 pm
Full Name: Brian Rupnick
Location: New York, USA
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by brupnick »

This is a great document, but is there any way to have a section that lists all of the permissions necessary to perform any VBR task? For example, I use all of the features listed in this document, but if I go through each section, there can be significant overlap when it comes to required permissions. A section indicating something like:

Global
  • Log event
    Disable Methods
    Enable Methods
    Check Licenses
Datastore
  • Low-level file operations
    Browse datastore
    Remove file
    Allocate space
...

would be very helpful for someone like me.
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by Vitaliy S. »

Hi Brian, I believe it should be easy to add, thanks for the feedback.
brupnick
Expert
Posts: 196
Liked: 13 times
Joined: Feb 05, 2011 5:09 pm
Full Name: Brian Rupnick
Location: New York, USA
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by brupnick » 1 person likes this post

One of my co-workers pointed out that the attribute that's supposed to hold the backup details hasn't been updating since December 2012 (shame on me for not noticing earlier). This is about the same time that we did our vSphere upgrade. As it turns out, there are two more permissions that your VBR account must have in vSphere in order for the "Set successful backup details to this VM attribute:" option to work: Global --> Manage custom attributes as well as Global --> Set custom attribute. The first lets VBR create the custom attribute, but it can't populate it without the second.

If you don't have either, you'll see this in the logs:

Code: Select all

[04.06.2013 19:32:47] <01> Error    AddAttribute failed, name 'Backup'   at Veeam.Backup.ViSoap.CSoapConnection.AddAttribute(String name)
[04.06.2013 19:32:47] <01> Error       at Veeam.Backup.Core.CSourceVmNotesUpdater.Do()
[04.06.2013 19:32:47] <01> Error       at Veeam.Backup.Core.CSourceVmNotesUpdater.Do(CViVmTask task, CBackupTaskSession taskSess, String backupLocation)
[04.06.2013 19:32:47] <01> Error       at Veeam.Backup.Core.CSourceVmNotesUpdater.DoNoThrow(CViVmTask task, CBackupTaskSession taskSess, String backupLocation)
[04.06.2013 19:32:47] <01> Error    Failed to execute SOAP command "CAddCustomFieldOperation". Details: "<NoPermissionFault xmlns="urn:vim25" xsi:type="NoPermission" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><object type="Folder">group-d1</object><privilegeId>Global.ManageCustomFields</privilegeId></NoPermissionFault>"   at Veeam.Backup.ViSoap.CSoapService.Execute(IServiceOperation op)
[04.06.2013 19:32:47] <01> Error       at Veeam.Backup.ViSoap.CSoapConnection.AddAttribute(String name)
[04.06.2013 19:32:47] <01> Error    Permission to perform this operation was denied.   at Veeam.Backup.ViSoap.CServiceSession.Execute(CServiceConnState connState, IServiceOperation op)
[04.06.2013 19:32:47] <01> Error       at Veeam.Backup.ViSoap.CSoapService.Execute(IServiceOperation op)
If you have the Manage, but not the Set, you'll get this:

Code: Select all

[03.06.2013 19:12:53] <01> Error    UpdateAnnotation failed, vmRef 'vm-155'   at Veeam.Backup.ViSoap.CSoapConnection.UpdateAttribute(String vmRef, String annotation, Int32 fieldKey)
[03.06.2013 19:12:53] <01> Error       at Veeam.Backup.Core.CSourceVmNotesUpdater.Do()
[03.06.2013 19:12:53] <01> Error       at Veeam.Backup.Core.CSourceVmNotesUpdater.Do(CViVmTask task, CBackupTaskSession taskSess, String backupLocation)
[03.06.2013 19:12:53] <01> Error       at Veeam.Backup.Core.CSourceVmNotesUpdater.DoNoThrow(CViVmTask task, CBackupTaskSession taskSess, String backupLocation)
[03.06.2013 19:12:53] <01> Error    Failed to execute SOAP command "CSetFieldOperation". Details: "<NoPermissionFault xmlns="urn:vim25" xsi:type="NoPermission" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><object type="VirtualMachine">vm-155</object><privilegeId>Global.SetCustomField</privilegeId></NoPermissionFault>"   at Veeam.Backup.ViSoap.CSoapService.Execute(IServiceOperation op)
[03.06.2013 19:12:53] <01> Error       at Veeam.Backup.ViSoap.CSoapConnection.UpdateAttribute(String vmRef, String annotation, Int32 fieldKey)
[03.06.2013 19:12:53] <01> Error    Permission to perform this operation was denied.   at Veeam.Backup.ViSoap.CServiceSession.Execute(CServiceConnState connState, IServiceOperation op)
[03.06.2013 19:12:53] <01> Error       at Veeam.Backup.ViSoap.CSoapService.Execute(IServiceOperation op)
It's a very silly problem to have, but since I couldn't find these rights in the list of permissions, I thought I'd mention them here. Support ticket #00245101 also references this issue.
foggy
Veeam Software
Posts: 21069
Liked: 2115 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by foggy »

Brian, thanks for the heads up! Much appreciated. We'll look into this and update the permissions list appropriately.
lorengordon
Influencer
Posts: 23
Liked: 3 times
Joined: Jul 01, 2011 12:50 pm
Full Name: Loren Gordon
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by lorengordon »

I've found a few more permissions that are required if using the Quick Migration feature:

Datastore:
- Allocate Space

Resource:
- Relocate
- Migrate

Virtual Machine - Interaction:
- Suspend
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Server Granular Permissions (v6)

Post by Vitaliy S. »

Loren, thanks for sharing your findings.
Locked

Who is online

Users browsing this forum: No registered users and 76 guests