Vitaliy S.
VP, Product Management
Full Name: Vitaliy Safarov

vCenter Server Granular Permissions (v9)

Post by Vitaliy S. » 6 people like this post

Hi all,

Please find the description of required granular permissions in this document > Veeam B&R v8 granular permissions for vSphere 5.5

If you face any issues with this list, please post these details for troubleshooting:

1. Job type
2. Transport mode
3. Root object type you've applied these permissions to

Thanks!
brupnick
Expert
Full Name: Brian Rupnick
Location: New York, USA

Re: vCenter Server Granular Permissions (v8)

Post by brupnick » 2 people like this post

Thanks for the updated document!

The only thing I noticed is that if you want to restore a template, I believe you need the following:


Virtual Machine --> Provisioning --> Mark as template
Virtual Machine --> Provisioning --> Mark as virtual machine
Vitaliy S.
VP, Product Management
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Post by Vitaliy S. »

Thanks for the heads up, I will ask our technical writers team to update this document.
vladimir.klyavin
Expert
Full Name: Vladimir Klyavin

Re: vCenter Server Granular Permissions (v8)

Post by vladimir.klyavin »

When creating a Virtual Lab, VBR fails at "Copying proxy appliance files"

Adding Datastore.Configuration permissions solves the problem. If I were a customer, I would ask, what are we configuring there?
alanbolte
Veteran
Full Name: Alan Bolte

Re: vCenter Server Granular Permissions (v8)

Post by alanbolte » 1 person likes this post

I believe I can answer why the permission is required with this page in the vSphere API reference:
DatastoreNamespaceManager
CreateDirectory

Required Privileges
Datastore.Config
Vitaliy S.
VP, Product Management
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Post by Vitaliy S. »

Vladimir, did you do this using vSphere 5.5?
vladimir.klyavin
Expert
Full Name: Vladimir Klyavin

Re: vCenter Server Granular Permissions (v8)

Post by vladimir.klyavin »

Yes, this is vSphere 5.5.
Vitaliy S.
VP, Product Management
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Post by Vitaliy S. »

We don't need this permission, as it works in our labs even without it. Please use internal email to send me the details of what you did.
Ejdesgaard
Enthusiast

Re: vCenter Server Granular Permissions (v8)

Post by Ejdesgaard »

Can we get an updated list for v8 + vcsa6 ?
Vitaliy S.
VP, Product Management
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Post by Vitaliy S. »

I will be updating this list for Veeam B&R v9 and vSphere 6 after v9 goes out. Do you see any issues/errors with the current list of granular permissions?
dsellens
Novice
Full Name: Mordock

Re: vCenter Server Granular Permissions (v8)

Post by dsellens »

I found this document to be totally inadequate. While it listed the privileges that are needed, it did not list the permissions and roles that are required.

For instance:
The various Virtual Machines privileges would be in a role that is applied to the folder(s) in VMs and Templates on the replication destination where the Virtual machines are to be placed.

I am not sure, but I would imagine that some of the Global privileges that are listed must be applied at the vCenter level at the top of the tree to function properly.

Under no circumstances should the VM privileges be applied to the vCenter as it would give the user access to the entire vCenter inventory of VMs for multiple customers.

Similarly, the datastore privileges would only be applied to the datastore(s) where the replicated VMs reside and again absolutely not to any other datastores. To do otherwise would be a catastrophic security breach.

Those are only the obvious problems and solutions. I really don't know what needs to be applied to the cluster and hosts in order to see the datastores properly in the replication wizard. We tried a number of options and were unable to get the datastores to show up until we gave up, hit it with a hammer, and granted far too many privileges to the user at too high a level. We are still trying to figure out how to narrow it back down.
Vitaliy S.
VP, Product Management
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Post by Vitaliy S. »

dsellens wrote:I am not sure, but I would imagine that some of the Global privileges that are listed must be applied at the vCenter level at the top of the tree to function properly.

Under no circumstances should the VM privileges be applied to the vCenter as it would give the user access to the entire vCenter inventory of VMs for multiple customers.

I completely agree with your point, but VMware does not allow performing some actions if privileges are not assigned to either the entire Datacenter or on vCenter Server level.
dsellens
Novice
Full Name: Mordock

Re: vCenter Server Granular Permissions (v8)

Post by dsellens »

If you agree, then you need to provide guidance as to WHICH of the privileges need to be assigned on the entire DataCenter or vCenter level. As it is absolutely unacceptable to set all of the provided privileges, particularly for Datastores, VMs, and Networks, at that level.
tsightler
VP, Product Management
Full Name: Tom Sightler

Re: vCenter Server Granular Permissions (v8)

Post by tsightler »

dsellens wrote:Under no circumstances should the VM privileges be applied to the vCenter as it would give the user access to the entire vCenter inventory of VMs for multiple customers.

I apologize if I misunderstood your request but, based on this statement, it sounds like you are referring to a multi-tenant scenario where you want to assign permissions granular enough to allow a user to run their own Veeam B&R server against only a subset of VMs within a shared infrastructure. That's not the purpose of this document. This document defines the granular permissions needed by the Veeam server to perform backup and replication operations within the entire vSphere infrastructure for those organizations that don't want to (or can't due to policy) provide a vSphere administrative level account for the B&R server. It assumes that this B&R server would be able to backup/restore any VM in the environment so that's why all permissions are at the top level.
Vitaliy S.
VP, Product Management
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Post by Vitaliy S. »

dsellens wrote:If you agree, then you need to provide guidance as to WHICH of the privileges need to be assigned on the entire DataCenter or vCenter level.

Yes, Tom is correct, 90% of the privileges from that doc have to be on the Datacenter/vCenter Server level. In this case administrative access to the vCenter Server is not required, but limiting "visibility" of the objects cannot be achieved via this document. Sounds like vCloud Director would be the best fit here.
davegold
Enthusiast
Full Name: Dave Gold

Re: vCenter Server Granular Permissions (v8)

Post by davegold »

Is there a guide for v9 yet?

Also, the v8 guide appears to be for vCenter 5.1 or newer. Is there a guide that is relevant for vCenter 5.0?

--Dave
foggy
Veeam Software
Full Name: Alexander Fogelson

Re: vCenter Server Granular Permissions (v8)

Post by foggy »

There should not be any changes in v9 compared to v8. The guide should be relevant for earlier vSphere versions up to some permission replacements.
Vitaliy S.
VP, Product Management
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Post by Vitaliy S. »

Foggy is correct, however we will run a quick test using v9 some time later and will update the doc with new permissions (if required).
albertwt
Veeam Legend
Location: Sydney, NSW

[MERGED] What's the least amount of privileges needed for ba

Post by albertwt »

Hi All,

I'm using Veeam Backup 9.0 Update 1 and VCenter 5.5 Update 3d.

So I wonder what is the minimum amount of service account privilege that I require to allow the VM backup?

Reading this page: https://helpcenter.veeam.com/backup/vsp ... sions.html, it is too generic, and having a domain administrator and disabling UAC is against PCI compliance in my company.
Also making the service account as member of local admin in all VMs is also not really convenient.

Is this http://veeampdf.s3.amazonaws.com/guide/ ... ssions.pdf document still applicable, or is there an updated version?

Case # 01799483
--
/* Veeam software enthusiast user & supporter ! */
foggy
Veeam Software
Full Name: Alexander Fogelson

Re: vCenter Server Granular Permissions (v8)

Post by foggy »

Speaking about vCenter Server permissions, the document is still applicable to your environment, please see above.

As for the service account, any account that belongs to local Administrators group can be used if you're using application-aware image processing and/or guest file system indexing. The requirement for built-in administrator account and disabled UAC relates to application-aware backup in networkless mode (over VIX) only.
Vitaliy S.
VP, Product Management
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Post by Vitaliy S. » 2 people like this post

Quick note for everyone > our QC has verified that existing permissions work fine for vSphere 6.0 and Veeam B&R v9, no changes are required.
patrickds
Enthusiast
Full Name: Patrick De Smedt

Re: vCenter Server Granular Permissions (v9)

Post by patrickds » 1 person likes this post

Why does the document only mention granular permissions for vCenter, and say you require root access for an ESXi host?
The same permissions can be given to a role on a standalone host.

We have just done this with a provider of some software we use, which they deliver as an appliance on an ESXi 6 host.
They are reluctant to give us full root access, but since we insisted on having backups, they agreed on setting the granular permissions required for backup/restore.

Everything works as expected, without a vCenter.
Vitaliy S.
VP, Product Management
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v9)

Post by Vitaliy S. »

Thanks, Patrick! vCenter Server is the only option in the document, as this was the top selection of our customers, however the same list should also work for ESXi (as you've verified).
dmarcocci
Novice
Full Name: Daniele Marcocci
Location: Italy, Rome

[MERGED] [Replication] - permission lack

Post by dmarcocci »

Hello,
This post is to inform staff about an issue I've found in a VBR + VMware environment.

Today I've found an issue in a replica context.
The customer has an extended disk on a machine that resides in his datacenter, and the replication job fails with a lack of permission because the relevant permission is missing in our VMware farm.
I've identified the missing permission: Extend Virtual disk.


regards
foggy
Veeam Software
Full Name: Alexander Fogelson

Re: vCenter Server Granular Permissions (v9)

Post by foggy »

Hi Daniele, thanks for reporting. We will check that and update the reference.
Vitaliy S.
VP, Product Management
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v9)

Post by Vitaliy S. » 1 person likes this post

vCenter Server Granular Permissions document has been updated. Thanks!
darkec
Lurker

[MERGED] Replication job - permission problem

Post by darkec »

Hello everyone.

I have a problem with Veeam replication jobs. Currently using v9.0.0.1715

I've made a role in vCenter for Veeam replication user specified in VeeamB&R v9 Required Permissions.
For example, when I try to do network remapping I get an error: "The given key was not present in the dictionary". The same error appears in logs when the replication job fails.
After I set user permissions to propagate, the job completes normally and I can do network remapping, but then the replication user sees everything in vCenter and not just the resources that were specified for him.
Since this is one of our customers' Veeam servers, I cannot leave this configuration for him to see everyone else's VMs, pools, etc.

Case number - 01924780
Vitaliy S.
VP, Product Management
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v9)

Post by Vitaliy S. »

Hello darkec,

Yes, that's expected behavior and, unfortunately, has nothing to do with Veeam required permissions. The document that you've used refers to global granular permissions; these permissions should be assigned at a Datacenter or a vCenter Server level. I have also tried to assign it to particular objects (as you did), and it didn't work, as the vSphere API requires access to the entire infrastructure tree (based on the feedback from the VMware team).

In order to solve your case, I believe vCloud Director should be used, as it has multi-tenant feature built-in. Other than that, I cannot find any other feasible solution right now.

Hope it helps!
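One way to check the point made above, as an added PowerCLI example that is not Veeam's or any poster's own code: it builds a role from only the privileges this thread adds on top of the documented list (the template and extend-disk privileges and Datastore.Config), assigns it at the vCenter root with propagation, and then lists where every permission for the account sits so that object-level assignments (the pattern behind the "key was not present" failure) stand out. The account name is a placeholder, and an open Connect-VIServer session is assumed.

```powershell
# Added example (PowerCLI), not code from the forum or from Veeam.
# Assumes Connect-VIServer has already been run against the vCenter Server.
$principal = 'DOMAIN\svc-veeam'          # placeholder, replace with the real service account
$roleName  = 'Veeam-Backup-Supplement'   # role holding only the privileges this thread adds

# Privileges named in the thread: template restore (brupnick), directory creation on a
# datastore via DatastoreNamespaceManager.CreateDirectory (alanbolte), disk extension (dmarcocci).
$privs = @(
    Get-VIPrivilege -Name 'Mark as template'
    Get-VIPrivilege -Name 'Mark as virtual machine'
    Get-VIPrivilege -Id   'Datastore.Config'
    Get-VIPrivilege -Name 'Extend virtual disk'
)

# Create the role if it does not exist yet, otherwise just add the privileges to it.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $privs
} else {
    Set-VIRole -Role $role -AddPrivilege $privs | Out-Null
}

# As the replies above explain, vSphere only honours these privileges when they are
# assigned at the vCenter Server (root folder) or Datacenter level with propagation.
$root = Get-Folder -NoRecursion
New-VIPermission -Entity $root -Principal $principal -Role $role -Propagate $true | Out-Null

# Audit: every permission the account holds, the inventory object it is bound to and
# whether it propagates. Entries bound below the root or Datacenter are the ones that
# darkec's report shows do not work for the Veeam-required privileges.
Get-VIPermission -Principal $principal |
    Select-Object @{ n = 'Entity'; e = { $_.Entity.Name } }, Role, Propagate |
    Format-Table -AutoSize
```

The audit output is also the evidence to keep for a PCI-style review: it shows exactly which objects the backup account can reach and that no per-customer VM folder carries the role.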
darkec
Lurker

Re: vCenter Server Granular Permissions (v9)

Post by darkec »

Hello Vitaliy.

I've found the resolution to my problem. I needed to tweak permissions in vSphere networking and propagate permissions. After making those changes, replication jobs start and the customer can't see other customers' VMs.
Vitaliy S.
VP, Product Management
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v9)

Post by Vitaliy S. »

Perfect, do you mind sharing these tweaks for future readers of this topic? This will be highly appreciated.