Feature Request - Restrict access to Veeam ONE from AD group

Real-time performance monitoring and troubleshooting

Feature Request - Restrict access to Veeam ONE from AD group

Veeam Logoby amiedzow » Wed Jul 26, 2017 10:53 am

Hello,

I'd like a submit a request for a feature that would accomplish the following two scenarios"

1. Restrict access to Veeam ONE applications (Reporter, Monitor, Business View)
2. For those users with access to Veeam ONE, they can only to see their own virtual objects

Item 2 can be achieved by using the Multi-Tenant functionality and the permissions are obtained from vCenter so that option is already available. Item 1, however is the one I don't think is possible at the moment.
Access can be restricted using the local Security Groups in the Veeam ONE server but if I use this, then the user that logs in will be able to see any object and not just their own which is why a new feature that will make the two items possible simultaneously would be beneficial.

The whole idea behind this is that, as a service provider, I can offer access to Veeam ONE and all its powerful reporting and notification capabilities to selected customers that already have access to vCenter and permissions to access their own virtual infrastructure.
amiedzow
Novice
 
Posts: 6
Liked: never
Joined: Tue Jul 25, 2017 12:44 pm
Full Name: Andres Miedzowicz

Re: Feature Request - Restrict access to Veeam ONE from AD g

Veeam Logoby Vitaliy S. » Tue Aug 01, 2017 10:52 am

Hi Andres,

Can you please clarify why do you want to restrict access to reporting and categorization interfaces? Both of them can be limited to a particular scope from Item 2.

Thanks!
Vitaliy S.
Veeam Software
 
Posts: 19571
Liked: 1104 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Feature Request - Restrict access to Veeam ONE from AD g

Veeam Logoby amiedzow » Tue Aug 01, 2017 9:36 pm

Hi Vitaliy,

That's correct, they can be limited to a particular scope but this is done by using the vCenter permissions. This means that if the user has permissions to view their infrastructure in vCenter, then they automatically have access to see their infrastructure in Veeam ONE using the same credentials. The idea is to limit access to Veeam ONE entirely while still having access to vCenter so that it can be sold to the tenants as an add-on service.
amiedzow
Novice
 
Posts: 6
Liked: never
Joined: Tue Jul 25, 2017 12:44 pm
Full Name: Andres Miedzowicz

Re: Feature Request - Restrict access to Veeam ONE from AD g

Veeam Logoby Vitaliy S. » Wed Aug 02, 2017 4:47 pm

Andres,

Hmm, just to make sure I have understood it. Your tenant A rents X number of VMs and he has access to these VMs via vCenter Server, correct? When logged in to the Reporter/Business View interfaces he will only see reports scoped to his VMs and he will not be able to generate reports about the entire infrastructure. This sounds like a good bonus to me if I were a tenant :)

Thanks!
Vitaliy S.
Veeam Software
 
Posts: 19571
Liked: 1104 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Feature Request - Restrict access to Veeam ONE from AD g

Veeam Logoby amiedzow » Wed Aug 02, 2017 9:11 pm

Hi Vitaliy,

that's sort of the idea. Actually, I can already achieve multi-tenancy with the current version of Veeam ONE because when one of my customers logs into Business View, Monitor or Reporter, they can only have access to their infrastructure according to the permissions in vCenter. Although there are a few things that could be improved, that option is available now.

The idea of this particular feature is that I'd like to provide access to Veeam ONE to customers as an add-on service. At the moment, if they have access to vCenter, there's nothing I can do to stop them from accessing Veeam ONE because it authenticates with vCenter so the same credentials will work. However, if we can restrict access to Veeam ONE by using a security group in AD (or any other suitable method), then I can choose if they will have access to all the reporting and monitoring tools in addition to their vCenter access.

Regards
amiedzow
Novice
 
Posts: 6
Liked: never
Joined: Tue Jul 25, 2017 12:44 pm
Full Name: Andres Miedzowicz

Re: Feature Request - Restrict access to Veeam ONE from AD g

Veeam Logoby Vitaliy S. » Fri Aug 04, 2017 10:48 am

Ah, got it. Do you host Veeam ONE at some shared computer where everyone can access it, right? The reason why I'm asking this is that customers need to know that they have an ability to use Veeam ONE (actually install it or click on the icon).
Vitaliy S.
Veeam Software
 
Posts: 19571
Liked: 1104 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Feature Request - Restrict access to Veeam ONE from AD g

Veeam Logoby amiedzow » Mon Aug 07, 2017 12:45 am

Hi Vitaliy,

that's right. The VM where Veeam ONE is hosted is publicly accessible so anyone with a login for our vCenter can access Veeam ONE as well which is what we're trying to prevent. I guess that the IP/hostname can be kept a secret but we can't rely on hiding information and hope they don't figure it out.
amiedzow
Novice
 
Posts: 6
Liked: never
Joined: Tue Jul 25, 2017 12:44 pm
Full Name: Andres Miedzowicz

Re: Feature Request - Restrict access to Veeam ONE from AD g

Veeam Logoby Vitaliy S. » Tue Aug 08, 2017 2:57 pm

Andres, yeah, the only workaround I can think of is to install Veeam ONE on a separate VM and grant access to this VM for "eligible" clients only. Thanks for your feedback anyway.
Vitaliy S.
Veeam Software
 
Posts: 19571
Liked: 1104 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov


Return to Monitoring



Who is online

Users browsing this forum: No registered users and 2 guests