Host-based backup of VMware vSphere VMs.
kacsp
Enthusiast
Posts: 50
Liked: 8 times
Joined: Jun 02, 2014 1:09 pm

vCenter Server Granular Permissions (v8)

Post by kacsp »

Hi,

Is there a pdf guide for vCenter Server Granular Permissions (v8) available?

Thanks
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Post by Vitaliy S. »

Not yet, but we are planning to update the existing guide soon.

Post by kacsp »

OK. Would you be able to state the minimum vCenter permission set needed by a Service Account, if vCenter were just to be used as a source (not a target)? Or, looked at another way, what vCenter permissions are needed by a Service Account when adding that vCenter into Veeam v8, if this vCenter is going to be used just as a source, and nothing else?

Thanks again

Post by Vitaliy S. »

It depends on what backup mode you're going to use etc. Please check this example of granular permissions for v7 > http://forums.veeam.com/post129060.html ... ar#p129060

Post by kacsp »

I'll take a look at your link. Are there significant differences in granular permissions between v7 & v8?
veremin
Product Manager
Posts: 20270
Liked: 2252 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Post by veremin »

The document is in a checking state, but I believe a good portion of the previously described permissions is still valid. Thanks.

Post by kacsp »

OK thanks for that...

Post by kacsp »

I'm slightly confused by the guidance given in the vCenter Granular Permissions pdf. If I want to restrict a Service Account down to just 'Backup' & 'Replication' operations on vCenter, will applying these sections' (in the pdf) permissions in vCenter to an AD Service Account give me enough rights to add a vCenter Server into Veeam as a Source in the first place? I ask this because in the 'Installation & Operation' section, under 'Target/Source Host Configuration', it states that administrator credentials are required. Obviously not much point in configuring a Service Account for just 'Backup' & 'Replication' if it has to be a full administrator to add vCenter into Veeam in the first place. Or have I misunderstood things?

Also, is the 'Cumulative Permissions' section at the end of the document relevant to this situation? Would my Service Account need these permissions adding too, or does this refer to something else?

Thanks again

Post by Vitaliy S. »

kacsp wrote: I'm slightly confused by the guidance given in the vCenter Granular Permissions pdf. If I want to restrict a Service Account down to just 'Backup' & 'Replication' operations on vCenter, will applying these sections' (in the pdf) permissions in vCenter to an AD Service Account give me enough rights to add a vCenter Server into Veeam as a Source in the first place?

Yes, it would be enough. Check the operations you're going to do, for example, restore etc., and then create a user role in vCenter Server with a granular set of permissions and then add your AD account to this role.

kacsp wrote: I ask this because in the 'Installation & Operation' section, under 'Target/Source Host Configuration', it states that administrator credentials are required. Obviously not much point in configuring a Service Account for just 'Backup' & 'Replication' if it has to be a full administrator to add vCenter into Veeam in the first place. Or have I misunderstood things?

Service account and account used to add vCenter Server/ESXi hosts are different things. Just want to make sure we are talking about the same accounts here. Full admin rights on the vCenter Server are not required.

kacsp wrote: Also, is the 'Cumulative Permissions' section at the end of the document relevant to this situation? Would my Service Account need these permissions adding too, or does this refer to something else?

Your account would need all these granular permissions if you plan to backup/replicate/restore/run SureBackup jobs etc. in this vCenter Server environment.

Post by kacsp »

So just to be clear, for my situation, if I wanted to add vCenter into Veeam using an AD account with restricted permissions in vCenter for only Backup & Replication operations, and which used this vCenter as the source, then I would create a user role in vCenter Server with a granular set of permissions for 'Backup' & 'Replication' operations and add my AD account to this role. I would then be able to add vCenter to Veeam using this AD account, and this account would also give me sufficient vCenter permissions to run Backup & Replication Jobs?

Thanks

Post by Vitaliy S. »

Yes, that's correct, and I would highly recommend using the cumulative permissions list for that, but keep in mind that it has not been adapted to v8 yet.
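
One way to script the role-and-assignment step discussed in this thread, as an added example that is not part of the original posts or the vendor's documentation. It assumes VMware PowerCLI with an active Connect-VIServer session; the role, account and datacenter names are hypothetical, and the privilege IDs are illustrative rather than the product's required set.

```powershell
# Added example (not from the thread). Requires VMware PowerCLI and an
# existing session from Connect-VIServer. All names below are hypothetical.
$RoleName   = 'Backup-Source-Only'
$Principal  = 'CORP\svc-backup'
$Datacenter = 'DC01'

# Illustrative vSphere privilege IDs only, NOT the vendor's required set.
# Replace with the list from the permissions guide for your version.
$wanted = @(
    'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RemoveSnapshot',
    'VirtualMachine.Provisioning.DiskRandomRead',
    'Datastore.Browse'
)

# Fail early on IDs this vCenter does not know (typos, version differences).
$known   = (Get-VIPrivilege -PrivilegeItem).Id
$unknown = $wanted | Where-Object { $_ -notin $known }
if ($unknown) { throw "Unknown privilege IDs: $($unknown -join ', ')" }

# Create the role once; on later runs reuse the existing one.
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege (Get-VIPrivilege -Id $wanted)
}

# Drift check: privileges on the role that are not in the intended list.
# vCenter adds the System.* privileges to every role, so ignore those.
$extra = $role.PrivilegeList |
    Where-Object { $_ -notlike 'System.*' -and $_ -notin $wanted }
if ($extra) { Write-Warning "Role has extra privileges: $($extra -join ', ')" }

# Assign the role to the service account on a top-level object and let it
# propagate to the child objects.
$entity = Get-Datacenter -Name $Datacenter
New-VIPermission -Entity $entity -Principal $Principal -Role $role -Propagate $true

# Review what the account ends up with across the inventory.
Get-VIPermission -Principal $Principal | Select-Object Entity, Role, Propagate
```

The drift warning is the part worth keeping in a scheduled audit: a role that was widened by hand to work around a failed job shows up there.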

Post by kacsp »

Thanks Vitaliy, that's been most helpful...
Ben Milligan
Expert
Posts: 173
Liked: 40 times
Joined: Jan 01, 2006 1:01 am

Post by Ben Milligan » 2 people like this post

In case anyone Googles this and gets this thread down the road, here you go: http://www.veeam.com/veeam_backup_8_permissions_pg.pdf
haslund
VeeaMVP
Posts: 839
Liked: 149 times
Joined: Feb 16, 2012 7:35 am
Full Name: Rasmus Haslund
Location: Denmark

Post by haslund » 2 people like this post

Rasmus Haslund | Twitter: @haslund | Blog: https://rasmushaslund.com
aschalk
Enthusiast
Posts: 31
Liked: 1 time
Joined: Sep 07, 2016 5:47 am

Post by aschalk »

What is meant by global? The Permissions on vCenter Level?
I am just curious because we just did a test with a user whose role on vCenter level is "No access".
I already checked this role and there are no rights set, so he is completely without rights on vCenter Level.
On Datacenter Level he has the Role "Read Only".
On ESXi Level he has the Role "Administrator".

Backup just went fine with this set of permissions.

Post by Vitaliy S. »

Global means a top level object, either vCenter Server/Datacenter/Cluster, so your configuration looks good.