-
- Veeam ProPartner
- Posts: 20
- Liked: 7 times
- Joined: Jul 06, 2016 11:25 am
- Full Name: Christian Desch
- Contact:
Powershell with viewer-role fails
Hi,
The PowerShell Snap-in (v9) can only be started/installed if the user has the Admin role within Veeam? Why?
I need only "Get-VBR-Commands", and I want to use a Veeam-Viewer-Role user?
Has anybody an idea? We do not want to give the monitoring user who's running the PowerShell scripts Admin-Role permissions within the B&R GUI.
Thx, Chris
-
- VP, Product Management
- Posts: 27114
- Liked: 2720 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: Powershell with viewer-role fails
Hi Chris,
The majority of available PS cmdlets require admin account, cause they perform management actions on the backup server. That's why role verification is performed right in the beginning, when you load the snap-in. Currently, granular permissions for each cmdlet are not available, but thanks for the feedback!
As a workaround you may consider using Veeam ONE that would allow read-only access to Veeam B&R server.
Hope this helps!
-
- Enthusiast
- Posts: 38
- Liked: 7 times
- Joined: Nov 28, 2011 9:05 pm
- Full Name: Lars Wulf
- Contact:
Re: Powershell with viewer-role fails
I just ran into the same issue.
Would be really nice if there would be an option to run Get commands without granting Admin permissions within Veeam.
And Veeam One is no option for me as it requires a paid version to monitor Veeam Backup & Replication.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Sep 30, 2020 12:06 am
- Full Name: Eric Cheng
- Contact:
Re: Powershell with viewer-role fails
Vitaliy S. wrote: ↑Jul 12, 2016 4:34 pm
Hi Chris,
The majority of available PS cmdlets require admin account, cause they perform management actions on the backup server. That's why role verification is performed right in the beginning, when you load the snap-in. Currently, granular permissions for each cmdlet are not available, but thanks for the feedback!
As a workaround you may consider using Veeam ONE that would allow read-only access to Veeam B&R server.
Hope this helps!

Morning, we are interested in syncing Veeam job information to our CMDB system. Is it possible to have an ETA for completing this issue?
-
- Product Manager
- Posts: 8678
- Liked: 2276 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Powershell with viewer-role fails
It's not an issue, it's a feature which is not implemented.
Count me in for this feature request:
+1 for granular role permissions for cmdlet commands.
We have some scripts to create some HTML files. These scripts do not need administrative permissions. Only get a list of the restore points from all of our backup systems (Veeam and others) and put it on one page.
Product Management Analyst @ Veeam Software
-
- VP, Product Management
- Posts: 27114
- Liked: 2720 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: Powershell with viewer-role fails
Hi Eric,
No ETA yet, but I have forwarded this topic to the corresponding PM for review.
Thanks!
-
- Veeam Software
- Posts: 1918
- Liked: 636 times
- Joined: Sep 25, 2019 10:32 am
- Full Name: Oleg Feoktistov
- Contact:
Re: Powershell with viewer-role fails
@Mildur,
Not yet planned for vNext, but consider your +1 counted.
Thanks!
-
- Service Provider
- Posts: 4
- Liked: never
- Joined: Aug 18, 2021 9:33 am
- Full Name: Marc
- Contact:
Re: Powershell with viewer-role fails
Hi,
Please add another +1 for this feature. We need to collect information on Veeam backups using Powershell, and don't want to use a full Veeam administrator account to do this.
Cheers,
Marc
-
- Veeam Software
- Posts: 1918
- Liked: 636 times
- Joined: Sep 25, 2019 10:32 am
- Full Name: Oleg Feoktistov
- Contact:
Re: Powershell with viewer-role fails
Thanks, Marc. Noted!
-
- Influencer
- Posts: 11
- Liked: never
- Joined: Feb 20, 2018 10:06 am
- Contact:
Re: Powershell with viewer-role fails
Another +1. I have a number of scripts that collect VBR session information, I'd much rather not have to run them in an elevated PS session!
-
- Lurker
- Posts: 2
- Liked: never
- Joined: Oct 28, 2021 2:30 pm
- Contact:
Re: Powershell with viewer-role fails
Also +1 for this feature, we use powershell to properly monitor backup copy jobs and would like to do so without granting admin permissions.
-
- Enthusiast
- Posts: 55
- Liked: 2 times
- Joined: May 09, 2012 12:52 pm
- Full Name: Stefan Holzwarth
- Contact:
Re: Powershell with viewer-role fails
Same for us, add +100 for this feature. Much needed for operating and monitoring a safe backup environment.
-
- Veeam Software
- Posts: 1161
- Liked: 308 times
- Joined: Jun 28, 2016 12:12 pm
- Contact:
Re: Powershell with viewer-role fails
(Note: This post is not a commentary on if/when such functionality will be implemented, but just wanted to share a solution you can do "now" while the feature is being discussed. I have no say on feature implementation, but don't want to leave you all hanging)
As a workaround folks, consider using GPOs to lock down the current session for your users.
New-PSSessionConfigurationFile: https://docs.microsoft.com/en-us/powers ... rshell-7.2
Session Configurations: https://docs.microsoft.com/en-us/powers ... rshell-7.2
Since Veeam has a module since v11, it should work to import the module and limit the session. You can edit the Powershell profile for your HelpDesk users to force loading such configurations and lock down the file from editing with Windows permissions.
For example, a quick one I threw together:
```powershell
PS C:\Users\Administrator> New-PSSessionConfigurationFile -ModulesToImport Veeam.Backup.Powershell -VisibleCmdlets ('Get-VBRJob','Get-VBRBackupSession','Get-VBRComputerBackupJob','Get-VBRComputerBackupSession','Get-VBRTaskSession') -LanguageMode FullLanguage -SessionType RestrictedRemoteServer -Path "C:\temp\VeeamTemp.pssc"
PS C:\Users\Administrator> Register-PSSessionConfiguration -Name VeeamRestricted -ShowSecurityDescriptorUI -Path C:\Temp\VeeamTemp.pssc
WARNING: Register-PSSessionConfiguration may need to restart the WinRM service if a configuration using this name has
recently been unregistered, certain system data structures may still be cached. In that case, a restart of WinRM may be
required.
All WinRM sessions connected to Windows PowerShell session configurations, such as Microsoft.PowerShell and session
configurations that are created with the Register-PSSessionConfiguration cmdlet, are disconnected.

   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Plugin

Type            Keys                                Name
----            ----                                ----
Container       {Name=VeeamRestricted}              VeeamRestricted
WARNING: The names of some imported commands from the module 'Veeam.Backup.Powershell' include unapproved verbs that
might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with
the Verbose parameter. For a list of approved verbs, type Get-Verb.

PS C:\Users\Administrator> Enter-PSSession -ComputerName localhost -ConfigurationName VeeamRestricted
WARNING: The names of some imported commands from the module 'Veeam.Backup.Powershell' include unapproved verbs that
might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with
the Verbose parameter. For a list of approved verbs, type Get-Verb.
[localhost]: PS>Get-Command

CommandType     Name                          Version    Source
-----------     ----                          -------    ------
Function        Exit-PSSession
Function        Get-Command
Function        Get-FormatData
Function        Get-Help
Function        Measure-Object
Function        Out-Default
Function        Select-Object
Cmdlet          Get-VBRBackupSession          1.0        Veeam.Backup.Powershell
Cmdlet          Get-VBRComputerBackupJob      1.0        Veeam.Backup.Powershell
Cmdlet          Get-VBRJob                    1.0        Veeam.Backup.Powershell
Cmdlet          Get-VBRTaskSession            1.0        Veeam.Backup.Powershell
```
Trying to run an unapproved cmdlet results in the following:
```powershell
[localhost]: PS>Get-VBRServer
The term 'Get-VBRServer' is not recognized as the name of a cmdlet, function, script file, or operable program. Check
the spelling of the name, or if a path was included, verify that the path is correct and try again.
    + CategoryInfo          : ObjectNotFound: (Get-VBRServer:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

[localhost]: PS>
```
Custom Functions work as expected:
```powershell
[localhost]: PS> function Show-VBRJobNames {
>>     $jobs = Get-VBRJob
>>     Foreach($j in $jobs){
>>         $j.name
>>     }
>> }
[localhost]: PS>Show-VBRJobNames
WARNING: This cmdlet is no longer supported for computer backup jobs. Use "Get-VBRComputerBackupJob" instead.
vmwware-gfs
offloadbackup
pstesting
vmware-fi-nixsobr
encrypted-backup
vmware-pervm-ffi
per-backup-chain
offloadbackup_clone1
bfss-job
deleted-vm-immutability-test
vmware-ffi-day-retention
```
I know it's not ideal, but until some decision or progress is made on the request, you can do this with native Powershell and Windows GPOs today.
I believe you can edit your PSProfile to force loading a specific session configuration for help desks and other such basic reporting operators so it will auto-load the session. I entered a PSSession for convenience sake, but with profile editing on users, I think this would solve it pretty handily. There are methods to escape the limited shell, but for most Help Desk scenarios, this ought be fine. You might consider aliasing Exit to terminate the session as a safety catch for such users so that the most common escape isn't possible and it just loads a new session with the same limited config.
David Domask | Product Management: Principal Analyst
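A tighter variant of the restricted endpoint from the post above, as an added example that is not part of the original post or Veeam's own code: it uses `NoLanguage` instead of `FullLanguage`, ships the helper function inside the configuration, writes transcripts, and sets the endpoint ACL from a script instead of the UI. The group name, paths, endpoint name and the run-as account are assumptions, and running the session under a separate account that holds the Veeam role has not been verified against the Veeam module's role check.

```powershell
#Requires -RunAsAdministrator
# Added example: hardened variant of the restricted endpoint shown in the post above.
# Assumed names (not from the thread): endpoint name, paths, AD group, run-as account.
$endpoint = 'VeeamReadOnly'
$root     = 'C:\ProgramData\VeeamReadOnly'
$group    = 'CONTOSO\Veeam-Monitoring'          # hypothetical group of monitoring users

New-Item -ItemType Directory -Path $root, "$root\Transcripts" -Force | Out-Null

$config = @{
    Path                = "$root\$endpoint.pssc"
    SessionType         = 'RestrictedRemoteServer'
    LanguageMode        = 'NoLanguage'           # callers cannot define functions or use script syntax
    ModulesToImport     = 'Veeam.Backup.Powershell'
    VisibleCmdlets      = 'Get-VBRJob', 'Get-VBRBackupSession', 'Get-VBRComputerBackupJob',
                          'Get-VBRComputerBackupSession', 'Get-VBRTaskSession'
    # Helper from the post, defined by the administrator instead of typed by the caller.
    FunctionDefinitions = @{ Name = 'Show-VBRJobNames'; ScriptBlock = { (Get-VBRJob).Name } }
    VisibleFunctions    = 'Show-VBRJobNames'
    TranscriptDirectory = "$root\Transcripts"    # each session is transcribed here
}
New-PSSessionConfigurationFile @config
if (-not (Test-PSSessionConfigurationFile -Path $config.Path)) {
    throw "Session configuration file failed validation: $($config.Path)"
}

# Endpoint ACL: local Administrators plus the monitoring group, nobody else may connect.
$sid  = ([Security.Principal.NTAccount]$group).Translate([Security.Principal.SecurityIdentifier]).Value
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$sid)"

$register = @{
    Name                   = $endpoint
    Path                   = $config.Path
    SecurityDescriptorSddl = $sddl
    # Assumption: a dedicated account holding the Veeam role runs the session, so the
    # connecting monitoring users would not need a Veeam role themselves (untested here).
    RunAsCredential        = Get-Credential -Message 'Account that holds the Veeam role'
    Force                  = $true
}
Register-PSSessionConfiguration @register

# From the monitoring host, as a member of $group:
#   Invoke-Command -ComputerName <vbr-server> -ConfigurationName VeeamReadOnly -ScriptBlock { Show-VBRJobNames }
```

Keep the `.pssc` file and the transcript directory writable by administrators only, since anyone who can edit the file can widen the command list the next time the endpoint is registered.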
Re: Powershell with viewer-role fails
+1
We would also appreciate this being implemented. We just need to read some Get-... cmdlets to check current status for monitoring.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Oct 07, 2020 4:03 pm
- Full Name: Adrian James
- Contact:
Re: Powershell with viewer-role fails
+1. I can't believe this is even a thing. The majority of read only accounts are for monitoring, and most monitoring uses automation, so... pretty much useless having a read only role without PS access.