I have really been delving into Veeam ONE Reporter recently in an attempt to get some dashboards up and running. My basic goal is this:
- Provide User A with Dashboard A containing a variety of Widgets
- Provide User B with Dashboard B containing a variety of Widgets
- Provide User C with Dashboards A and B and all subsequent Widgets for each Dashboard
As a test, I granted the end user account full administrative privileges to vCenter, just to see if that fixed anything. The dashboards remained incomplete, so I removed admin privs from vCenter and then as an additional test, I granted "Veeam ONE Read Only" access to the end user and the problem went away. I got the same result when I granted "Veeam ONE Administraor" privileges. Great...but in addition to now being able to see all the widgets, the end user can now add/modify/delete ALL custom dashboards, as well as potentially make VeeamONE configuration changes. This is obviously undesirable. I only want them to be able to VIEW the dashboards that I have set up for them and all the Widgets on each Dashboard they have access to. Because this is fixed by elevating the user's Veeam ONE server/service level privileges, this tells me is has something to do with permissions at the Veeam ONE server or service level and not at the vCenter level. Else, vCenter admin privileges would have helped.
I opened a support case (#02323892) and have been going back and forth on what is wrong here. Support is telling me now that this has something to do with a combination of vCenter and Veeam ONE permissions, putting most of the blame on the side of vCenter's complexity of permissions that are available as the cause for why the widgets won't appear for the end user accounts. I have requested a list of widgets that won't work unless Veeam ONE "Administrator" or "Read Only" privileges are granted to the user, rather than just being given access to the Active Directory group assigned to the Dashboard, and was told:
I just want to know, what widgets are available to a general user with "Veeam ONE Dashboard Viewer" permissions. The whole point of these dashboards is to provide information to end users that they would not normally have access to. So, why are some widgets not available to view in my environment? Is this happening to anyone else?"As for a document that gives a breakdown of permission levels and widget/dashboard access - again there are numerous possibilities for that depending on vcenter permissions and permissions group combinations; so such a document is not possible to produce."
Widgets that are confirmed to ONLY be view-able by a "Veeam ONE Administrator" or "Veeam One Read-Only Users" enabled account, so far:
- Veeam B&R infrastructure > All (leads me to believe the user needs B&R privileges somewhere...but this is undocumented and I have only begun testing on my own)
- VMware Capacity Planning > All
My main concern is that I really want to get the B&R and some Capacity Planning widgets in front of certain management WITHOUT giving them access to modify/add dashboards in any way. If anyone has any similar experiences, or know of any reason these two categories of Widgets (or any others you've seen) are not able to be viewed without elevated Veeam ONE privileges, please reply here.