Management reporting and documentation
Post Reply
jtupeck
Enthusiast
Posts: 49
Liked: 9 times
Joined: Aug 27, 2013 3:44 pm
Full Name: Jason Tupeck
Contact:

Veeam ONE Dashboard Widget Permissions Issues

Post by jtupeck » Sep 27, 2017 9:40 pm

Good afternoon, All.

I have really been delving into Veeam ONE Reporter recently in an attempt to get some dashboards up and running. My basic goal is this:
  1. Provide User A with Dashboard A containing a variety of Widgets
  1. Provide User B with Dashboard B containing a variety of Widgets
  1. Provide User C with Dashboards A and B and all subsequent Widgets for each Dashboard
As such, I have set up the appropriate user groups in my Active Directory domain and provided these groups with Read Only access to vCenter (tested and verified via vCenter login). Then, using an account granted "Veeam One Administrator", or "Veeam One Read Only" access, I have set up the appropriate dashboards with a variety of widgets. My problem is that when the end user logs into the Veeam Reporter web console, they are unable to see all the widgets in the dashboard.

As a test, I granted the end user account full administrative privileges to vCenter, just to see if that fixed anything. The dashboards remained incomplete, so I removed admin privs from vCenter and then as an additional test, I granted "Veeam ONE Read Only" access to the end user and the problem went away. I got the same result when I granted "Veeam ONE Administraor" privileges. Great...but in addition to now being able to see all the widgets, the end user can now add/modify/delete ALL custom dashboards, as well as potentially make VeeamONE configuration changes. This is obviously undesirable. I only want them to be able to VIEW the dashboards that I have set up for them and all the Widgets on each Dashboard they have access to. Because this is fixed by elevating the user's Veeam ONE server/service level privileges, this tells me is has something to do with permissions at the Veeam ONE server or service level and not at the vCenter level. Else, vCenter admin privileges would have helped.

I opened a support case (#02323892) and have been going back and forth on what is wrong here. Support is telling me now that this has something to do with a combination of vCenter and Veeam ONE permissions, putting most of the blame on the side of vCenter's complexity of permissions that are available as the cause for why the widgets won't appear for the end user accounts. I have requested a list of widgets that won't work unless Veeam ONE "Administrator" or "Read Only" privileges are granted to the user, rather than just being given access to the Active Directory group assigned to the Dashboard, and was told:
"As for a document that gives a breakdown of permission levels and widget/dashboard access - again there are numerous possibilities for that depending on vcenter permissions and permissions group combinations; so such a document is not possible to produce."
I just want to know, what widgets are available to a general user with "Veeam ONE Dashboard Viewer" permissions. The whole point of these dashboards is to provide information to end users that they would not normally have access to. So, why are some widgets not available to view in my environment? Is this happening to anyone else?

Widgets that are confirmed to ONLY be view-able by a "Veeam ONE Administrator" or "Veeam One Read-Only Users" enabled account, so far:
  • Veeam B&R infrastructure > All (leads me to believe the user needs B&R privileges somewhere...but this is undocumented and I have only begun testing on my own)
  • VMware Capacity Planning > All
There may be more that belong in this list, but obviously I am not testing ALL the widgets as there are so many.

My main concern is that I really want to get the B&R and some Capacity Planning widgets in front of certain management WITHOUT giving them access to modify/add dashboards in any way. If anyone has any similar experiences, or know of any reason these two categories of Widgets (or any others you've seen) are not able to be viewed without elevated Veeam ONE privileges, please reply here.

Shestakov
Product Manager
Posts: 7285
Liked: 762 times
Joined: May 21, 2014 11:03 am
Full Name: Nikita Shestakov
Location: Prague
Contact:

Re: Veeam ONE Dashboard Widget Permissions Issues

Post by Shestakov » Sep 29, 2017 2:34 pm

Hello Jason,

I don`t think vSphere permissions have correlation with Veeam ONE Administrator vs. View only permission levels in your case. If data is collected and you set that user A should only view it while user B can edit, it should work for both of them.
I got the same result when I granted "Veeam ONE Administraor" privileges. Great...but in addition to now being able to see all the widgets, the end user can now add/modify/delete ALL custom dashboards, as well as potentially make VeeamONE configuration changes. This is obviously undesirable. I only want them to be able to VIEW the dashboards that I have set up for them and all the Widgets on each Dashboard they have access to.
Indeed, the users supposed to be power-users who can do add dashboards, but not change existing dashboards configurations and Veeam ONE settings.
Multi-Tenant Monitoring and Reporting is explained here.

I`ve asked support team management to assist on the case resolution.

Thanks!

Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests