Comprehensive data protection for all workloads
Post Reply
rogerdu
Expert
Posts: 148
Liked: 11 times
Joined: Aug 20, 2013 1:16 pm
Full Name: Roger Dufour
Contact:

B&R v.7 Accounts, Permissions & Roles

Post by rogerdu » 2 people like this post

I have been asked to recommend a minimum set of Permissions and Roles so that we can get away from assigning a Domain Admin role to Veeam. I find the documentation and posts on this to be somewhat scattered, so I thought I would see what I can garner from the community. Yes I know its been documented but not all in one place and not all for v7... So, here we go.

The Environment (simplified): VMware 5.0 latest patch level, 1 vCenter server, 4 x 5.0 ESXi servers, FC based storage, less than 50 Windows VMs, Veeam 7 with one Backup Server and one Proxy Server (both virtual). All VMs are running Windows 2008 R2 (latest patches).

The firewall ports required are well documented: not an issue.

If you are a large enough shop to require different people doing different parts of the Backup/Restore/Operations, then Veeam supplies built in roles: (shamelessly lifted from http://www.veeam.com/blog/veeam-backup- ... -that.html):

Backup Administrator - Can perform all administrative activities in Veeam Backup & Replication
Backup Operator - Can start and stop existing jobs and perform restore operations
Backup Viewer - Has the “read-only” access to Veeam Backup & Replication – can view existing and performed jobs and review the job session details
Restore Operator - Can perform restore operations using existing backups and replicas

To install Veeam: Local Administrator permissions on the Veeam Backup server to install Veeam Backup & Replication

To run Veeam (lets assume a service account is used):
Root permissions on the source ESX(i) host. *
Write permission on the target folder and share.
If vCenter Server is used, administrator credentials are required. *

The account used to run Veeam Backup Management Service must have database owner role for the VeeamBackup database on the SQL Server instance.
The account used to run Veeam Backup Enterprise Manager must have database owner role for the VeeamBackupReporting database on the SQL Server instance.

* These are VERY sweeping permissions and don't typically conform to "Best Practices"... THIS is where I have issues. Even I don't have that much access directly.

Since VMware has taken the time to provide extensive granularity on what can be specified in roles for who can do what and on what they can be done, I dug a bit more to see what roles were "required" to effectively perform vCenter based backups. (again lifted from the same source):

Privilege Level - vStorage API Virtual Appliance mode - vStorage API Network mode - vStorage API SAN mode
Global - Log event - Log event - Log event
Datastore - Low-level file operations - Low-level file operations - Low-level file operations
Virtual Machine -> State - Create Snapshot, Remove Snapshot - Create Snapshot, Remove Snapshot - Create Snapshot, Remove Snapshot
Virtual Machine -> Configuration - Disk change tracking, Change resource, Add existing disk, Remove disk - Disk change tracking - Disk change tracking, Disk lease
Virtual Machine -> Provisioning - Allow read-only disk access - Allow read-only disk access, Allow virtual machind download - Allow read-only disk access

These are just to perform standard Backup and Recovery functions albeit using 3 different modes of data movement (Virtual Appliance, Network and SAN modes).

Additional permissions required to perform SureBackup jobs and restore to a Virtual lab include:

Privilege Level - Required Permission
Global - Log Event
Datastore - Low-Level File Operation, Remove File, Browse Datastore
Host -> Configuration - Network Configuration, Storage Partition Configuration
Network - Assign Network
Virtual Machine -> Interaction - Power On, Power Off
Virtual Machine -> Configuration - Advanced, Add or Remove Device
Virtual Machine -> Inventory - Remove, Register, Unregister
Resource - Assign Virtual Machine to resource pool, Create Resource Pool, Remove Resource Pool
Folder - Create Folder, Delete Folder
dvPort Group - Create, Delete

Lastly, Active Directory permissions:
  • Local Administrator is required. This requiers the Veeam Service Account to be part of the Local Administrators group. Easily accomplished through a GPO.
  • The 3 services can be run using "Local System Account" (the builtin service account} assuming you are using the SQL Express database: if you are not, the service account must have the "Database Owner" role for the VeeamBackup and VeeamBackupReporting databases on your SQL Server instance(s)
With respect to VSS Integration, Local Administrtor rights are required

Other roles and permissions are required for Exchange and Sharepoint integration. These are explicitly spelled out in the Explorer for Exchange and Explorer for Sharepoint documentation sets.

---------------------------------

Am I missing anything, or is this about all I need to specify at this point?

rogerdu
Expert
Posts: 148
Liked: 11 times
Joined: Aug 20, 2013 1:16 pm
Full Name: Roger Dufour
Contact:

Re: B&R v.7 Accounts, Permissions & Roles

Post by rogerdu »

Are there any other VMware, AD or Veeam permissions that are required?

Thanks in advance.

Roger

Vitaliy S.
Product Manager
Posts: 24273
Liked: 1866 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: B&R v.7 Accounts, Permissions & Roles

Post by Vitaliy S. »

Hello Roger,

We have updated the required permissions document for Veeam B&R v7R2, please take a look: http://www.veeam.com/veeam_backup_7_0_p ... ons_pg.pdf

Thank you!

Post Reply

Who is online

Users browsing this forum: No registered users and 62 guests