-
- Novice
- Posts: 7
- Liked: 1 time
- Joined: Sep 30, 2022 12:10 pm
- Full Name: Justin Izzard
- Contact:
Feature Request: Reduce privileges required in VBR and vCenter
I would like to request that Veeam ONE supports a read-only level of permission in both VBR and vCenter. Our use case is that Veeam ONE is a dashboard, reporting, and alerting tool only. We do not intend on using it to run any remediation in either VBR or vCenter. Therefore the user Veeam ONE uses to connect to VBR and vCenter can follow the principle of least privilege and be granted only read-only access.
The two forum posts below are asking similar questions.
veeam-one-f28/read-only-service-account ... 65753.html
veeam-one-f28/security-q-connecting-vee ... 84573.html
The two forum posts below are asking similar questions.
veeam-one-f28/read-only-service-account ... 65753.html
veeam-one-f28/security-q-connecting-vee ... 84573.html
-
- Veeam Software
- Posts: 731
- Liked: 186 times
- Joined: Nov 01, 2016 11:26 am
- Contact:
Re: Feature Request: Reduce privileges required in VBR and vCenter
Hello Justin,
From this page for vSphere:
From this page for VBR:
The account must have WMI access to collect the data and there is no other requirement.
Could you please provide a bit more information about the permissions you do not want to grant?
Thanks
From this page for vSphere:
So read-only is enough. If you do not provide the additional privileges, you will not collect the information specified in each section.The account used to connect vCenter Server and ESXi hosts must have the Read Only role and the following additional privileges...
From this page for VBR:
Veeam ONE agent is required for intelligent diagnostic features and remediate actions in the first case and no other way to collect the data in the second case.You must use the account with local Administrator permissions in the following cases:
If you plan to install Veeam ONE agent on Veeam Backup & Replication server.
If machines that run Veeam ONE server and Veeam Backup & Replication server belong to different domains or workgroups.
The account must have WMI access to collect the data and there is no other requirement.
Could you please provide a bit more information about the permissions you do not want to grant?
Thanks
-
- Novice
- Posts: 7
- Liked: 1 time
- Joined: Sep 30, 2022 12:10 pm
- Full Name: Justin Izzard
- Contact:
Re: Feature Request: Reduce privileges required in VBR and vCenter
Thanks @RomanK. I think that addresses the question on the vSphere side of things.
The permission we do not want to grant is any permission that would allow Veeam ONE to modify or manage VBR. Like I mentioned, we want the tool to be a dashboard, monitoring, and alerting tool only. As such we do not want the account it uses to connect to VBR to have any privileges other than read-only. We are trying not to grant this permission from the page you linked for VBR:
The permission we do not want to grant is any permission that would allow Veeam ONE to modify or manage VBR. Like I mentioned, we want the tool to be a dashboard, monitoring, and alerting tool only. As such we do not want the account it uses to connect to VBR to have any privileges other than read-only. We are trying not to grant this permission from the page you linked for VBR:
The account used to connect Veeam Backup & Replication or Veeam Backup Enterprise Manager servers must:
Have the Veeam Backup Administrator role assigned.
This role must be assigned to the account on the machine that run Veeam Backup & Replication. If you connect Veeam Backup Enterprise Manager, the account must have this role assigned on all underlying Veeam Backup & Replication servers.
-
- Veeam Software
- Posts: 731
- Liked: 186 times
- Joined: Nov 01, 2016 11:26 am
- Contact:
Re: Feature Request: Reduce privileges required in VBR and vCenter
Hello Justin,
Thanks for the clarification. I already asked our QA team to do some tests with fewer privileges to understand what is collected under the backup administrator.
Some data is already collected in the labs under the user with WMI access and without access to the VBR console. Will update this thread as soon as I get all results.
Thanks
Thanks for the clarification. I already asked our QA team to do some tests with fewer privileges to understand what is collected under the backup administrator.
Some data is already collected in the labs under the user with WMI access and without access to the VBR console. Will update this thread as soon as I get all results.
Thanks
-
- Novice
- Posts: 7
- Liked: 1 time
- Joined: Sep 30, 2022 12:10 pm
- Full Name: Justin Izzard
- Contact:
Re: Feature Request: Reduce privileges required in VBR and vCenter
Any news from the QA team regarding their testing with fewer privileges?
-
- Veeam Software
- Posts: 731
- Liked: 186 times
- Joined: Nov 01, 2016 11:26 am
- Contact:
Re: Feature Request: Reduce privileges required in VBR and vCenter
Hello Justin,
The current state is still the same the user with WMI access and without access to the VBR console can collect the data. However, tests like that and changing the official documentation are planned closer to the GA release as they must cover new features and changes.
As I mentioned previously administrator permissions are required for features like VID and to run remediate actions. So the official documentation will not be changed in terms of the requirements. However, we will try to provide more details and maybe find additional considerations about feature losses. As for now, there is no such information, unfortunately.
Thanks
The current state is still the same the user with WMI access and without access to the VBR console can collect the data. However, tests like that and changing the official documentation are planned closer to the GA release as they must cover new features and changes.
As I mentioned previously administrator permissions are required for features like VID and to run remediate actions. So the official documentation will not be changed in terms of the requirements. However, we will try to provide more details and maybe find additional considerations about feature losses. As for now, there is no such information, unfortunately.
Thanks
-
- Novice
- Posts: 7
- Liked: 1 time
- Joined: Sep 30, 2022 12:10 pm
- Full Name: Justin Izzard
- Contact:
Re: Feature Request: Reduce privileges required in VBR and vCenter
@RomanK, Our Veeam deployment is to the point where I have had a chance to start setting up Veeam ONE. I have created an unprivileged user account for WMI access following https://helpcenter.veeam.com/docs/one/d ... ml?ver=120. The only way I am able to execute WMI/WQL queries is if I grant this user Veeam Backup Administrator permissions in the VBR console. I have tested with the user having no access to the VBR console and granting Veeam Backup Viewer, neither of which worked.
Do you or the QA team have any details on additional steps to grant access to the root\VeeamBS WMI namespace to an unprivileged user account?
We're running VBR version 12.1.1.56 and Veeam ONE 12.1.0.3208.
Do you or the QA team have any details on additional steps to grant access to the root\VeeamBS WMI namespace to an unprivileged user account?
We're running VBR version 12.1.1.56 and Veeam ONE 12.1.0.3208.
-
- Veeam Software
- Posts: 731
- Liked: 186 times
- Joined: Nov 01, 2016 11:26 am
- Contact:
Re: Feature Request: Reduce privileges required in VBR and vCenter
Hello Justin,
Finally, we've finished testing. Currently, two rules are applied:
Running select is required to get instance data, but we cannot do that for the VBR Viewer.
Thanks
Finally, we've finished testing. Currently, two rules are applied:
- Local administrator group members on the VBR machine are always VBR administrators.
- If the user is not a machine administrator, we cannot use this account to add VBR because there is no WMI access.
Running select is required to get instance data, but we cannot do that for the VBR Viewer.
Thanks
-
- Novice
- Posts: 7
- Liked: 1 time
- Joined: Sep 30, 2022 12:10 pm
- Full Name: Justin Izzard
- Contact:
Re: Feature Request: Reduce privileges required in VBR and vCenter
Thank you for the follow up. Can you log this as a feature request to reduce the permissions required to be an unprivileged local user + VBR Backup Viewer?So the current documentation is correct and we need "local user + WMI+ perf + event + VBR administrator" or local administrator member.
-
- Veeam Software
- Posts: 731
- Liked: 186 times
- Joined: Nov 01, 2016 11:26 am
- Contact:
Re: Feature Request: Reduce privileges required in VBR and vCenter
Hello Justin,
Of course, the feature request was logged in our system but no promises or ETA as usual.
Thanks
Of course, the feature request was logged in our system but no promises or ETA as usual.
Thanks
Who is online
Users browsing this forum: No registered users and 1 guest