Real-time performance monitoring and troubleshooting
Post Reply
amiedzow
Novice
Posts: 6
Liked: never
Joined: Jul 25, 2017 12:44 pm
Full Name: Andres Miedzowicz
Contact:

Feature Request - Restrict access to Veeam ONE from AD group

Post by amiedzow » Jul 26, 2017 10:53 am

Hello,

I'd like a submit a request for a feature that would accomplish the following two scenarios"

1. Restrict access to Veeam ONE applications (Reporter, Monitor, Business View)
2. For those users with access to Veeam ONE, they can only to see their own virtual objects

Item 2 can be achieved by using the Multi-Tenant functionality and the permissions are obtained from vCenter so that option is already available. Item 1, however is the one I don't think is possible at the moment.
Access can be restricted using the local Security Groups in the Veeam ONE server but if I use this, then the user that logs in will be able to see any object and not just their own which is why a new feature that will make the two items possible simultaneously would be beneficial.

The whole idea behind this is that, as a service provider, I can offer access to Veeam ONE and all its powerful reporting and notification capabilities to selected customers that already have access to vCenter and permissions to access their own virtual infrastructure.

Vitaliy S.
Product Manager
Posts: 22971
Liked: 1555 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Feature Request - Restrict access to Veeam ONE from AD g

Post by Vitaliy S. » Aug 01, 2017 10:52 am

Hi Andres,

Can you please clarify why do you want to restrict access to reporting and categorization interfaces? Both of them can be limited to a particular scope from Item 2.

Thanks!

amiedzow
Novice
Posts: 6
Liked: never
Joined: Jul 25, 2017 12:44 pm
Full Name: Andres Miedzowicz
Contact:

Re: Feature Request - Restrict access to Veeam ONE from AD g

Post by amiedzow » Aug 01, 2017 9:36 pm

Hi Vitaliy,

That's correct, they can be limited to a particular scope but this is done by using the vCenter permissions. This means that if the user has permissions to view their infrastructure in vCenter, then they automatically have access to see their infrastructure in Veeam ONE using the same credentials. The idea is to limit access to Veeam ONE entirely while still having access to vCenter so that it can be sold to the tenants as an add-on service.

Vitaliy S.
Product Manager
Posts: 22971
Liked: 1555 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Feature Request - Restrict access to Veeam ONE from AD g

Post by Vitaliy S. » Aug 02, 2017 4:47 pm

Andres,

Hmm, just to make sure I have understood it. Your tenant A rents X number of VMs and he has access to these VMs via vCenter Server, correct? When logged in to the Reporter/Business View interfaces he will only see reports scoped to his VMs and he will not be able to generate reports about the entire infrastructure. This sounds like a good bonus to me if I were a tenant :)

Thanks!

amiedzow
Novice
Posts: 6
Liked: never
Joined: Jul 25, 2017 12:44 pm
Full Name: Andres Miedzowicz
Contact:

Re: Feature Request - Restrict access to Veeam ONE from AD g

Post by amiedzow » Aug 02, 2017 9:11 pm

Hi Vitaliy,

that's sort of the idea. Actually, I can already achieve multi-tenancy with the current version of Veeam ONE because when one of my customers logs into Business View, Monitor or Reporter, they can only have access to their infrastructure according to the permissions in vCenter. Although there are a few things that could be improved, that option is available now.

The idea of this particular feature is that I'd like to provide access to Veeam ONE to customers as an add-on service. At the moment, if they have access to vCenter, there's nothing I can do to stop them from accessing Veeam ONE because it authenticates with vCenter so the same credentials will work. However, if we can restrict access to Veeam ONE by using a security group in AD (or any other suitable method), then I can choose if they will have access to all the reporting and monitoring tools in addition to their vCenter access.

Regards

Vitaliy S.
Product Manager
Posts: 22971
Liked: 1555 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Feature Request - Restrict access to Veeam ONE from AD g

Post by Vitaliy S. » Aug 04, 2017 10:48 am

Ah, got it. Do you host Veeam ONE at some shared computer where everyone can access it, right? The reason why I'm asking this is that customers need to know that they have an ability to use Veeam ONE (actually install it or click on the icon).

amiedzow
Novice
Posts: 6
Liked: never
Joined: Jul 25, 2017 12:44 pm
Full Name: Andres Miedzowicz
Contact:

Re: Feature Request - Restrict access to Veeam ONE from AD g

Post by amiedzow » Aug 07, 2017 12:45 am

Hi Vitaliy,

that's right. The VM where Veeam ONE is hosted is publicly accessible so anyone with a login for our vCenter can access Veeam ONE as well which is what we're trying to prevent. I guess that the IP/hostname can be kept a secret but we can't rely on hiding information and hope they don't figure it out.

Vitaliy S.
Product Manager
Posts: 22971
Liked: 1555 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Feature Request - Restrict access to Veeam ONE from AD g

Post by Vitaliy S. » Aug 08, 2017 2:57 pm

Andres, yeah, the only workaround I can think of is to install Veeam ONE on a separate VM and grant access to this VM for "eligible" clients only. Thanks for your feedback anyway.

Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests