I went through a backup security hardening to make it harder for ransomware to spread from our domain into our backups as well. I set up a whole separate domain for Veeam, and then followed the following document to set least permissive, granular permissions on the vCenter account that we use for backup, restores, and replication. https://www.veeam.com/veeam_backup_9_0_ ... ons_pg.pdf.
This all works great except for replication. I am no longer using a vCenter administrator account in Veeam to connect to vCenter. I created a new account and set permissions based on that document. I continue to get access denied errors though on the replication jobs from one datacenter to another. I had a case open (02382789) but was told to use an administrator account. I said that defeats the whole purpose, and why have this document released if it's not possible. Here is the error in the log:
[17.11.2017 17:02:43] <01> Error Failed UpdateNetworkAdapter2Vm. VmRef: [vm-285935], Nic: [4000], PortGroup: [Backup-VM Local], ConnectAtPowerOn: [True]. (System.Exception)
[17.11.2017 17:02:43] <01> Error Fault "NoPermissionFault", detail "<NoPermissionFault xmlns="urn:vim25" xsi:type="NoPermission" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><object type="VirtualMachine">vm-285935</object><privilegeId>VirtualMachine.Config.EditDevice</privilegeId></NoPermissionFault>" (Veeam.Backup.ViSoap.ViServiceFaultException)
[17.11.2017 17:02:43] <01> Error VimApi.NoPermission
I then tried to remove the options of re-ip and separate virtual networks, but still continue to get the error. Any idea what I need to do? Thanks.
-
- Novice
- Posts: 3
- Liked: never
- Joined: Dec 13, 2017 8:27 pm
- Full Name: Eric Halvonik
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
Re: Granular Permissions for Replication
Hi Eric,
First: Welcome to the forums!
Second: I don't have a vCenter at hand for the moment, but from the looks of this, I think you are missing some permissions on the configuration of the VM. Could you check if there are configuration permissions for the network adapter that are not checked?
It might be that the document has a missing item (or two). Also, it is written for version 9 (are you running 9 or 9.5?) and I can't see which vCenter (different vCenters might have different rights also).
Let us know
Brgds,
Mike
-
- Novice
- Posts: 3
- Liked: never
- Joined: Dec 13, 2017 8:27 pm
- Full Name: Eric Halvonik
Re: Granular Permissions for Replication
Thanks for the reply. I'm using Veeam 9.5 and vCenter 6.5. When you mentioned permissions on the network adapter, I started to look into that. I didn't see anything under Network settings, but I gave the vCenter account that I'm using for Veeam the Edit Settings permission on the VM and then it worked. I'm not totally comfortable with that because then if that account gets compromised, then that account can edit any/all VMs. The way it was set up, all that account could really do is backup and restore VMs. If this is what is required, we'll have to make a decision on security vs. functionality. I guess I'm looking for some type of definitive answer as to what permission I'm missing. Do you think this is it? Thanks.
-
- Product Manager
- Posts: 8191
- Liked: 1322 times
- Joined: Feb 08, 2013 3:08 pm
- Full Name: Mike Resseler
- Location: Belgium
Re: Granular Permissions for Replication
As you saw in the guide, there are some edit settings on the VM level necessary. Again, I cannot check but when you go to the VM settings, can you see the network adapter under that and the possibility to give those rights?
-
- Novice
- Posts: 3
- Liked: never
- Joined: Dec 13, 2017 8:27 pm
- Full Name: Eric Halvonik
Re: Granular Permissions for Replication
No, I'm not seeing anything related to just the network adapter. I may have to just leave Edit Settings. Thanks for the help.