-
- VP, Product Management
- Posts: 27405
- Liked: 2806 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
vCenter Server Granular Permissions (v9)
Hi all,
Please find the description of required granular permissions in this document > Veeam B&R v8 granular permissions for vSphere 5.5
If you face any issues with this list, please post these details for troubleshooting:
1. Job type
2. Transport mode
3. Root object type you've applied these permissions to
Thanks!
-
- Expert
- Posts: 196
- Liked: 13 times
- Joined: Feb 05, 2011 5:09 pm
- Full Name: Brian Rupnick
- Location: New York, USA
- Contact:
Re: vCenter Server Granular Permissions (v8)
Thanks for the updated document!
The only thing I noticed is that if you want to restore a template, I believe you need the following:
Code:
Virtual Machine --> Provisioning --> Mark as template
Virtual Machine --> Provisioning --> Mark as virtual machine
-
- VP, Product Management
- Posts: 27405
- Liked: 2806 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: vCenter Server Granular Permissions (v8)
Thanks for the heads up, I will ask our technical writers team to update this document.
-
- Expert
- Posts: 118
- Liked: 13 times
- Joined: Sep 07, 2012 2:19 pm
- Full Name: Vladimir Klyavin
- Contact:
Re: vCenter Server Granular Permissions (v8)
When creating a Virtual Lab, VBR fails at "Copying proxy appliance files"
Adding Datastore.Configuration permissions solves the problem. If I were a customer, I would ask, what are we configuring there?
-
- Veteran
- Posts: 635
- Liked: 174 times
- Joined: Jun 18, 2012 8:58 pm
- Full Name: Alan Bolte
- Contact:
Re: vCenter Server Granular Permissions (v8)
I believe I can answer why the permission is required with this page in the vSphere API reference:
DatastoreNamespaceManager
CreateDirectory
Required Privileges
Datastore.Config
-
- VP, Product Management
- Posts: 27405
- Liked: 2806 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: vCenter Server Granular Permissions (v8)
Vladimir, did you do this using vSphere 5.5?
-
- Expert
- Posts: 118
- Liked: 13 times
- Joined: Sep 07, 2012 2:19 pm
- Full Name: Vladimir Klyavin
- Contact:
Re: vCenter Server Granular Permissions (v8)
Yes, this is vSphere 5.5.
-
- VP, Product Management
- Posts: 27405
- Liked: 2806 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: vCenter Server Granular Permissions (v8)
We don't need this permission, as it works in our labs even without it. Please use internal email to send me the details of what you did.
-
- Enthusiast
- Posts: 43
- Liked: 8 times
- Joined: Aug 24, 2012 11:59 am
- Contact:
Re: vCenter Server Granular Permissions (v8)
Can we get an updated list for v8 + vcsa6 ?
-
- VP, Product Management
- Posts: 27405
- Liked: 2806 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: vCenter Server Granular Permissions (v8)
I will be updating this list for Veeam B&R v9 and vSphere 6 after v9 goes out. Do you see any issues/errors with the current list of granular permissions?
-
- Novice
- Posts: 4
- Liked: never
- Joined: May 09, 2014 6:09 pm
- Full Name: Mordock
- Contact:
Re: vCenter Server Granular Permissions (v8)
I found this document to be totally inadequate. While it listed the privileges that are needed, it did not list the permissions and roles that are required.
For instance:
The various Virtual Machines privileges would be in a role that is applied to the folder(s) in VMs and Templates on the replication destination where the Virtual machines are to be placed.
I am not sure, but I would imagine that some of the Global privileges that are listed must be applied at the vCenter level at the top of the tree to function properly.
Under no circumstances should the VM privileges be applied to the vCenter as it would give the user access to the entire vCenter inventory of VMs for multiple customers.
Similarly, the datastore privileges would only be applied to the datastore(s) where the replicated VMs reside and again absolutely not to any other datastores. To do otherwise would be a catastrophic security breach.
Those are only the obvious problems and solutions. I really don't know what needs to be applied to the cluster and hosts in order to see the datastores properly in the replication wizard. We tried a number of options and were unable to get the datastores to show up until we gave up, hit it with a hammer, and granted far too many privileges to the user at too high a level. We are still trying to figure out how to narrow it back down.
-
- VP, Product Management
- Posts: 27405
- Liked: 2806 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: vCenter Server Granular Permissions (v8)
dsellens wrote:
I am not sure, but I would imagine that some of the Global privileges that are listed must be applied at the vCenter level at the top of the tree to function properly.
Under no circumstances should the VM privileges be applied to the vCenter as it would give the user access to the entire vCenter inventory of VMs for multiple customers.
I completely agree with your point, but VMware does not allow performing some actions if privileges are not assigned to either the entire Datacenter or on vCenter Server level.
-
- Novice
- Posts: 4
- Liked: never
- Joined: May 09, 2014 6:09 pm
- Full Name: Mordock
- Contact:
Re: vCenter Server Granular Permissions (v8)
If you agree, then you need to provide guidance as to WHICH of the privileges need to be assigned at the entire DataCenter or vCenter level, as it is absolutely unacceptable to set all of the provided privileges, particularly for DataStores, VMs, and Networks, at that level.
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: vCenter Server Granular Permissions (v8)
dsellens wrote:
Under no circumstances should the VM privileges be applied to the vCenter as it would give the user access to the entire vCenter inventory of VMs for multiple customers.
I apologize if I misunderstood your request but, based on this statement, it sounds like you are referring to a multi-tenant scenario where you want to assign permissions granular enough to allow a user to run their own Veeam B&R server against only a subset of VMs within a shared infrastructure. That's not the purpose of this document. This document defines the granular permissions needed by the Veeam server to perform backup and replication operations within the entire vSphere infrastructure for those organizations that don't want to (or can't due to policy) provide a vSphere administrative level account for the B&R server. It assumes that this B&R server would be able to backup/restore any VM in the environment so that's why all permissions are at the top level.
-
- VP, Product Management
- Posts: 27405
- Liked: 2806 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: vCenter Server Granular Permissions (v8)
dsellens wrote:
If you agree, then you need to provide guidance as to WHICH of the privileges need to be assigned on the entire DataCenter or vCenter level.
Yes, Tom is correct, 90% of the privileges from that doc have to be on the Datacenter/vCenter Server level. In this case administrative access to the vCenter Server is not required, but limiting "visibility" of the objects cannot be achieved via this document. Sounds like vCloud Director would be the best fit here.
-
- Enthusiast
- Posts: 66
- Liked: 2 times
- Joined: Dec 02, 2010 4:58 pm
- Full Name: Dave Gold
- Contact:
Re: vCenter Server Granular Permissions (v8)
Is there a guide for v9 yet?
Also, the v8 guide appears to be for vcenter 5.1 or newer. Is there a guide that is relevant for vcenter 5.0?
--Dave
-
- Veeam Software
- Posts: 21140
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: vCenter Server Granular Permissions (v8)
There should not be any changes in v9 comparing to v8. The guide should be relevant for earlier vSphere versions up to some permission replacements.
-
- VP, Product Management
- Posts: 27405
- Liked: 2806 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: vCenter Server Granular Permissions (v8)
Foggy is correct, however we will run a quick test using v9 some time later and will update the doc with new permissions (if required).
-
- Veteran
- Posts: 944
- Liked: 53 times
- Joined: Nov 05, 2009 12:24 pm
- Location: Sydney, NSW
- Contact:
[MERGED] What's the least amount of privileges needed for ba
Hi All,
I'm using Veeam Backup 9.0 Update 1 and vCenter 5.5 Update 3d.
So I wonder what is the minimum amount of service account privilege that I require to allow the VM backup?
Reading this page: https://helpcenter.veeam.com/backup/vsp ... sions.html it is too generic, and having a domain administrator and disabling UAC is against PCI compliance in my company.
Also making the service account a member of local admin in all VMs is also not really convenient.
Is this http://veeampdf.s3.amazonaws.com/guide/ ... ssions.pdf document still applicable, or is there an updated version?
Case # 01799483
--
/* Veeam software enthusiast user & supporter ! */
-
- Veeam Software
- Posts: 21140
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: vCenter Server Granular Permissions (v8)
Speaking about vCenter Server permissions, the document is still applicable to your environment; please see above.
As for the service account, any account that belongs to the local Administrators group can be used if you're using application-aware image processing and/or guest file system indexing. The requirement for the built-in administrator account and disabled UAC relates to application-aware backup in networkless mode (over VIX) only.
-
- VP, Product Management
- Posts: 27405
- Liked: 2806 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: vCenter Server Granular Permissions (v8)
Quick note for everyone > our QC has verified that existing permissions work fine for vSphere 6.0 and Veeam B&R v9, no changes are required.
-
- Enthusiast
- Posts: 29
- Liked: 5 times
- Joined: Feb 24, 2010 11:58 am
- Full Name: Patrick De Smedt
- Contact:
Re: vCenter Server Granular Permissions (v9)
Why does the document only mention granular permissions for vCenter, and say you require root access for an ESXi host?
The same permissions can be given to a role on a standalone host.
We have just done this with a provider of some software we use, which they deliver as an appliance on an ESXi 6 host.
They are reluctant to give us full root access, but since we insisted on having backups, they agreed on setting the granular permissions required for backup/restore.
Everything works as expected, without a vCenter.
-
- VP, Product Management
- Posts: 27405
- Liked: 2806 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: vCenter Server Granular Permissions (v9)
Thanks, Patrick! vCenter Server is the only option in the document, as this was the top selection of our customers, however the same list should also work for ESXi (as you've verified).
-
- Novice
- Posts: 3
- Liked: never
- Joined: Dec 16, 2015 4:55 pm
- Full Name: Daniele Marcocci
- Location: Italy, Rome
- Contact:
[MERGED] [Replicaiton] - permission lack
Hello,
This post is to inform staff about an issue I've found in a VBS + VMware environment.
Today I've found an issue in a replica context.
The customer has an extended disk on a machine that resides in his datacenter, and the replication job fails with a lack of permission because the relevant permission is missing in our VMware farm.
I've identified the missing permission: Extend virtual disk.
Regards
-
- Veeam Software
- Posts: 21140
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: vCenter Server Granular Permissions (v9)
Hi Daniele, thanks for reporting. We will check that and update the reference.
-
- VP, Product Management
- Posts: 27405
- Liked: 2806 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: vCenter Server Granular Permissions (v9)
vCenter Server Granular Permissions document has been updated. Thanks!
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Oct 13, 2016 8:59 am
- Contact:
[MERGED] Replication job - permission problem
Hello everyone.
I have a problem with Veeam replication jobs. Currently using v9.0.0.1715.
I've made a role in vCenter for the Veeam replication user as specified in Veeam B&R v9 Required Permissions.
For example, when I try to do network remapping I get an error: "The given key was not present in the dictionary". The same error appears in the logs when the replication job fails.
After I set user permissions to propagate, the job completes normally and I can do network remapping, but then the replication user sees everything in vCenter and not just the resources that were specified for him.
Since this is one of our customers' Veeam servers, I cannot leave this configuration for him to see everyone else's VMs, pools, etc.
Case number - 01924780
-
- VP, Product Management
- Posts: 27405
- Liked: 2806 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: vCenter Server Granular Permissions (v9)
Hello darkec,
Yes, that's expected behavior and, unfortunately, has nothing to do with Veeam required permissions. The document that you've used refers to global granular permissions; these permissions should be assigned at a Datacenter or vCenter Server level. I have also tried to assign it to particular objects (as you did), and it didn't work, as the vSphere API requires access to the entire infrastructure tree (based on the feedback from the VMware team).
In order to solve your case, I believe vCloud Director should be used, as it has a multi-tenant feature built in. Other than that, I cannot find any other feasible solution right now.
Hope it helps!
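The thread above (Brian's template privileges, Alan's Datastore.Config explanation, Daniele's disk-extend finding, and Vitaliy's point that the role must sit at the Datacenter or vCenter level with propagation) describes a procedure that is easier to get right in PowerCLI than by clicking through the role editor. The following is an added example written for this page, not code from the original posts or from Veeam. It assumes placeholder names (vCenter 'vcsa.example.local', principal 'EXAMPLE\svc-veeam', datacenter 'DC01', role 'Veeam Backup'), and its privilege list contains only the IDs named in this thread; the full set must be merged in from the Veeam granular-permissions document before the role is used in production.

```powershell
# Added example, not from the original thread or Veeam documentation.
# Builds a least-privilege vCenter role for the Veeam B&R service account,
# assigns it at the Datacenter with propagation, then audits the result.
# Placeholders (assumptions): server, principal, datacenter and role names below.

Connect-VIServer -Server 'vcsa.example.local' | Out-Null

$roleName  = 'Veeam Backup'
$principal = 'EXAMPLE\svc-veeam'
$dcName    = 'DC01'

# Privilege IDs mentioned in this thread. This is a SUBSET; the complete list
# is in the Veeam granular-permissions document referenced above.
$requiredPrivIds = @(
    'VirtualMachine.Provisioning.MarkAsTemplate'   # restoring a template
    'VirtualMachine.Provisioning.MarkAsVM'
    'Datastore.Config'                             # DatastoreNamespaceManager.CreateDirectory
    'VirtualMachine.Config.DiskExtend'             # replica of a VM whose disk was extended
)

# Resolve IDs to privilege objects. An unknown ID (e.g. renamed in a newer
# vSphere release) stops the script instead of producing an incomplete role.
$privs = foreach ($id in $requiredPrivIds) {
    Get-VIPrivilege -Id $id -ErrorAction Stop
}

# Create the role, or top up an existing one with whatever it is missing.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $privs
} else {
    $missing = $privs | Where-Object { $role.PrivilegeList -notcontains $_.Id }
    if ($missing) { $role = Set-VIRole -Role $role -AddPrivilege $missing }
}

# Assign at the Datacenter with Propagate. Per the thread, placing the same role
# on an individual VM folder or datastore without propagation is what produced
# the "given key was not present in the dictionary" style failures.
$dc = Get-Datacenter -Name $dcName
if (-not (Get-VIPermission -Entity $dc -Principal $principal -ErrorAction SilentlyContinue)) {
    New-VIPermission -Entity $dc -Principal $principal -Role $role -Propagate:$true | Out-Null
}

# Audit 1: the role really carries every required privilege ID.
$roleNow      = Get-VIRole -Name $roleName
$stillMissing = $requiredPrivIds | Where-Object { $roleNow.PrivilegeList -notcontains $_ }
if ($stillMissing) {
    Write-Warning "Role '$roleName' lacks: $($stillMissing -join ', ')"
}

# Audit 2: every permission held by the service account, with the role and
# propagation flag. Anything that is not our role (an Administrator grant left
# over from a 'hit it with a hammer' troubleshooting session, for instance)
# is flagged so it can be removed.
$perms = Get-VIPermission -Principal $principal
$perms |
    Select-Object @{ n = 'Entity'; e = { $_.Entity.Name } }, Role, Propagate |
    Sort-Object Entity |
    Format-Table -AutoSize

$perms |
    Where-Object { $_.Role -ne $roleName } |
    ForEach-Object {
        Write-Warning "Unexpected role '$($_.Role)' for $principal on '$($_.Entity.Name)'"
    }
```

Run it from a PowerCLI session; Connect-VIServer prompts for credentials. To place the permission at the vCenter root instead of one Datacenter, substitute the root folder returned by Get-Folder -NoRecursion for $dc. The same cmdlets work when connected directly to a standalone ESXi host, which matches Patrick's report that the list also works without vCenter; the role is then created in the host's local role store. Note that Audit 2 only reports what the account has been granted; as Vitaliy says, it cannot make a Datacenter-level grant stop exposing other tenants' objects.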
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Oct 13, 2016 8:59 am
- Contact:
Re: vCenter Server Granular Permissions (v9)
Hello Vitaliy.
I've found the resolution to my problem. I needed to tweak permissions in vSphere networking and propagate permissions. After making those changes, replication jobs start and the customer can't see other customers' VMs.
-
- VP, Product Management
- Posts: 27405
- Liked: 2806 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: vCenter Server Granular Permissions (v9)
Perfect, do you mind sharing these tweaks for future readers of this topic? This will be highly appreciated.