Powershell with viewer-role fails

[cdesch]

Hi,

the PowerShell Snap-in (v9) can only be started/installed, if the user has Admin-Role within Veeam ? Why ?
I need only "Get-VBR-Commands" , and i want to use a Veeam-Viewer-Role User ?

Has anybody an idea ? We do not want to give the monitoring userr who's running the powershell scripts Admin-Role-Permissions within B&R Gui.

Thx, Chris

[Vitaliy S.]

Hi Chris,

The majority of available PS cmdlets require admin account, cause they perform management actions on the backup server. That's why role verification is performed right in the beginning, when you load the snap-in. Currently, granular permissions for each cmdlet are not available, but thanks for the feedback!

As a workaround you may consider using Veeam ONE that would allow read-only access to Veeam B&R server.

Hope this helps!

[LarsWulf]

I just ran into the same issue.
Would be really nice if there would be an option to run Get commands without granting Admin permissions within Veeam.

And Veeam One is no option for me as it requires aid version to monitor Veeam Backup & Replication.

[ericcheng]

Hi Chris,

The majority of available PS cmdlets require admin account, cause they perform management actions on the backup server. That's why role verification is performed right in the beginning, when you load the snap-in. Currently, granular permissions for each cmdlet are not available, but thanks for the feedback!

As a workaround you may consider using Veeam ONE that would allow read-only access to Veeam B&R server.

Hope this helps!

Morning, we are interesting to sync up Veeam job information to our CMDB system. May possible to have ETA time for complete this issue?

[Mildur]

It‘s not a issue, it‘s a feature which is not implemented

Count me in for this Feature request:
+1 for granular role permissions for cmdlet commands.
We have some scripts to create some html files. This scripts do not need administrative permissions. Only get a list of the restore points from all of our backup systems (veeam and others) and put it on one page.

[Vitaliy S.]

Hi Eric,

No ETA yet, but I have forwarded this topic to the corresponding PM for review.

Thanks!

[oleg.feoktistov]

@Mildur,

Not yet planned for vNext, but consider your +1 counted.

Thanks!

[bcram]

Hi,

Please add another +1 for this feature. We need to collect information on Veeam backups using Powershell, and don't want to use a full Veeam administrator account to do this.

Cheers,
Marc

[oleg.feoktistov]

Thanks, Marc. Noted!

[tigattack]

Another +1. I have a number of scripts that collect VBR session information, I'd much rather not have to run them in an elevated PS session!

[vitami]

Also +1 for this feature, we use powershell to properly monitor backup copy jobs and would like to do so without granting admin permissions.

[Spex]

Same for us add +100 for this feature. Much needed for operating and monitoring a safe backup environment.

[david.domask]

(Note: This post is not a commentary on if/when such functionality will be implemented, but just wanted to share a solution you can do "now" while the feature is being discussed. I have no say on feature implementation, but don't want to leave you all hanging )

As a workaround folks, consider using GPOs to lock down the current session for your users.

New-PSSessionConfigurationFile: https://docs.microsoft.com/en-us/powers ... rshell-7.2

Session Configurations: https://docs.microsoft.com/en-us/powers ... rshell-7.2

Since Veeam has a module since v11, it should work to import the module and limit the session. You can edit the Powershell profile for your HelpDesk users to force loading such configurations and lock down the file from editing with Windows permissions.

For example, a quick one I threw together:

Code: Select all

PS C:\Users\Administrator> New-PSSessionConfigurationFile -ModulesToImport Veeam.Backup.Powershell -VisibleCmdlets ('Get
-VBRJob','Get-VBRBackupSession','Get-VBRComputerBackupJob','Get-VBRComputerBackupSession','Get-VBRTaskSession') -Languag
eMode FullLanguage -SessionType RestrictedRemoteServer -Path "C:\temp\VeeamTemp.pssc"
PS C:\Users\Administrator> Register-PSSessionConfiguration -Name VeeamRestricted -ShowSecurityDescriptorUI -Path C:\Temp
\VeeamTemp.pssc
WARNING: Register-PSSessionConfiguration may need to restart the WinRM service if a configuration using this name has
recently been unregistered, certain system data structures may still be cached. In that case, a restart of WinRM may be
 required.
All WinRM sessions connected to Windows PowerShell session configurations, such as Microsoft.PowerShell and session
configurations that are created with the Register-PSSessionConfiguration cmdlet, are disconnected.


   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Plugin

Type            Keys                                Name
----            ----                                ----
Container       {Name=VeeamRestricted}              VeeamRestricted
WARNING: The names of some imported commands from the module 'Veeam.Backup.Powershell' include unapproved verbs that
might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with
 the Verbose parameter. For a list of approved verbs, type Get-Verb.


PS C:\Users\Administrator> Enter-PSSession -ComputerName localhost -ConfigurationName VeeamRestricted
WARNING: The names of some imported commands from the module 'Veeam.Backup.Powershell' include unapproved verbs that
might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with
 the Verbose parameter. For a list of approved verbs, type Get-Verb.
[localhost]: PS>Get-Command

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Exit-PSSession
Function        Get-Command
Function        Get-FormatData
Function        Get-Help
Function        Measure-Object
Function        Out-Default
Function        Select-Object
Cmdlet          Get-VBRBackupSession                               1.0        Veeam.Backup.Powershell
Cmdlet          Get-VBRComputerBackupJob                           1.0        Veeam.Backup.Powershell
Cmdlet          Get-VBRJob                                         1.0        Veeam.Backup.Powershell
Cmdlet          Get-VBRTaskSession                                 1.0        Veeam.Backup.Powershell

Trying to run an unapproved cmdlet results in the following:

Code: Select all

[localhost]: PS>Get-VBRServer
The term 'Get-VBRServer' is not recognized as the name of a cmdlet, function, script file, or operable program. Check
the spelling of the name, or if a path was included, verify that the path is correct and try again.
    + CategoryInfo          : ObjectNotFound: (Get-VBRServer:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

[localhost]: PS>

Custom Functions work as expected:

Code: Select all

[localhost]: P> function Show-VBRJobNames {
>> $jobs = Get-VBRJob
>> Foreach($j in $jobs){
>> $j.name
>> }
>> }
[localhost]: PS>Show-VBRJobNames
WARNING: This cmdlet is no longer supported for computer backup jobs. Use "Get-VBRComputerBackupJob" instead.
vmwware-gfs
offloadbackup
pstesting
vmware-fi-nixsobr
encrypted-backup
vmware-pervm-ffi
per-backup-chain
offloadbackup_clone1
bfss-job
deleted-vm-immutability-test
vmware-ffi-day-retention

I know it's not ideal, but until some decision or progress is made on the request, you can do this with native Powershell and Windows GPOs today.

I believe you can edit your PSProfile to force loading a specific session configuration for help desks and other such basic reporting operators so it will auto-load the session. I entered a PSSession for convenience sake, but with profile editing on users, I think this would solve it pretty handily. There are methods to escape the limited shell, but for most Help Desk scenarios, this ought be fine. You might consider aliasing Exit to terminate the session as a safety catch for such users so that the most common escape isn't possible and it just loads a new session with the same limited config.

[thwgh]

+1

We would also appreciate this being implemented. We just need to read some Get-... cmdlets to check current status for monitoring.

[skinnyoldcoot]

+1. I can't believe this is even a thing. The majority of read only accounts are for monitoring, and most monitoring uses automation, so... pretty much useless having a read only role without PS access.