The Environment (simplified): VMware 5.0 latest patch level, 1 vCenter server, 4 x 5.0 ESXi servers, FC based storage, less than 50 Windows VMs, Veeam 7 with one Backup Server and one Proxy Server (both virtual). All VMs are running Windows 2008 R2 (latest patches).
The firewall ports required are well documented: not an issue.
If you are a large enough shop to require different people doing different parts of the Backup/Restore/Operations, then Veeam supplies built-in roles (shamelessly lifted from http://www.veeam.com/blog/veeam-backup- ... -that.html):
Backup Administrator - Can perform all administrative activities in Veeam Backup & Replication
Backup Operator - Can start and stop existing jobs and perform restore operations
Backup Viewer - Has the “read-only” access to Veeam Backup & Replication – can view existing and performed jobs and review the job session details
Restore Operator - Can perform restore operations using existing backups and replicas
To install Veeam: Local Administrator permissions on the Veeam Backup server to install Veeam Backup & Replication
To run Veeam (let's assume a service account is used):
Root permissions on the source ESX(i) host. *
Write permission on the target folder and share.
If vCenter Server is used, administrator credentials are required. *
The account used to run Veeam Backup Management Service must have database owner role for the VeeamBackup database on the SQL Server instance.
The account used to run Veeam Backup Enterprise Manager must have database owner role for the VeeamBackupReporting database on the SQL Server instance.
* These are VERY sweeping permissions and don't typically conform to "Best Practices"... THIS is where I have issues. Even I don't have that much access directly.
Since VMware has taken the time to provide extensive granularity on what can be specified in roles (who can do what, and on which objects), I dug a bit more to see what roles were "required" to effectively perform vCenter based backups (again lifted from the same source):
Privilege Level | vStorage API Virtual Appliance mode | vStorage API Network mode | vStorage API SAN mode
Global | Log event | Log event | Log event
Datastore | Low-level file operations | Low-level file operations | Low-level file operations
Virtual Machine -> State | Create Snapshot, Remove Snapshot | Create Snapshot, Remove Snapshot | Create Snapshot, Remove Snapshot
Virtual Machine -> Configuration | Disk change tracking, Change resource, Add existing disk, Remove disk | Disk change tracking | Disk change tracking, Disk lease
Virtual Machine -> Provisioning | Allow read-only disk access | Allow read-only disk access, Allow virtual machine download | Allow read-only disk access
These are just to perform standard Backup and Recovery functions albeit using 3 different modes of data movement (Virtual Appliance, Network and SAN modes).
Additional permissions required to perform SureBackup jobs and restore to a Virtual lab include:
Privilege Level - Required Permission
Global - Log Event
Datastore - Low-Level File Operation, Remove File, Browse Datastore
Host -> Configuration - Network Configuration, Storage Partition Configuration
Network - Assign Network
Virtual Machine -> Interaction - Power On, Power Off
Virtual Machine -> Configuration - Advanced, Add or Remove Device
Virtual Machine -> Inventory - Remove, Register, Unregister
Resource - Assign Virtual Machine to resource pool, Create Resource Pool, Remove Resource Pool
Folder - Create Folder, Delete Folder
dvPort Group - Create, Delete
Lastly, Active Directory permissions:
- Local Administrator is required. This requires the Veeam Service Account to be part of the Local Administrators group. Easily accomplished through a GPO.
- The 3 services can be run using "Local System Account" (the built-in service account) assuming you are using the SQL Express database: if you are not, the service account must have the "Database Owner" role for the VeeamBackup and VeeamBackupReporting databases on your SQL Server instance(s).
Other roles and permissions are required for Exchange and SharePoint integration. These are explicitly spelled out in the Explorer for Exchange and Explorer for SharePoint documentation sets.
Am I missing anything, or is this about all I need to specify at this point?
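As an added example (not part of the original post, and not Veeam's or VMware's own code), here is a PowerCLI script that does what the post is arguing for: instead of giving the Veeam service account the vCenter Administrator role, it builds a custom role from the SAN-mode column of the backup table above, assigns it to the service account at the vCenter root, and then prints the role's actual privilege list so it can be reviewed against the table. The vCenter name and service-account name are placeholders, and the mapping from the vSphere client names to privilege IDs is my own assumption: the script resolves every ID with `Get-VIPrivilege` first and refuses to create the role if any ID is unknown on your vCenter, so a wrong mapping fails loudly rather than silently producing an under-privileged role.

```powershell
# Added example, not from the original post. Builds a least-privilege vCenter
# role for the Veeam service account from the SAN-mode privilege list in the post.
# Requires VMware PowerCLI. ASSUMPTIONS: the vCenter name, the service-account
# name and the UI-name -> privilege-ID mapping below are mine; verify the IDs
# against Get-VIPrivilege on your vCenter before relying on this.

$vCenter        = 'vcenter.example.local'   # assumed vCenter server name
$serviceAccount = 'EXAMPLE\svc-veeam'       # assumed AD service account
$roleName       = 'Veeam Backup (SAN mode)'

# Keys are the vSphere client names from the post's table; values are the
# privilege IDs I believe correspond to them (assumption, resolved below).
$backupPrivileges = @{
    'Global > Log event'                                           = 'Global.LogEvent'
    'Datastore > Low level file operations'                        = 'Datastore.FileManagement'
    'Virtual machine > State > Create snapshot'                    = 'VirtualMachine.State.CreateSnapshot'
    'Virtual machine > State > Remove snapshot'                    = 'VirtualMachine.State.RemoveSnapshot'
    'Virtual machine > Configuration > Disk change tracking'       = 'VirtualMachine.Config.ChangeTracking'
    'Virtual machine > Configuration > Disk lease'                 = 'VirtualMachine.Config.DiskLease'
    'Virtual machine > Provisioning > Allow read-only disk access' = 'VirtualMachine.Provisioning.DiskRandomAccess'
}

Connect-VIServer -Server $vCenter | Out-Null

# Resolve every privilege ID before changing anything. If the mapping is wrong
# for this vCenter, stop here instead of creating a role that is missing rights.
$resolved = @()
$missing  = @()
foreach ($entry in $backupPrivileges.GetEnumerator()) {
    $priv = Get-VIPrivilege -Id $entry.Value -ErrorAction SilentlyContinue
    if ($priv) { $resolved += $priv } else { $missing += "$($entry.Key) [$($entry.Value)]" }
}
if ($missing.Count -gt 0) {
    Write-Error ("Privilege IDs not found on {0}:`n  {1}" -f $vCenter, ($missing -join "`n  "))
    Disconnect-VIServer -Server $vCenter -Confirm:$false
    return
}

# Create the role, or add any missing privileges if it already exists.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $resolved
} else {
    $role = Set-VIRole -Role $role -AddPrivilege $resolved
}

# Grant the role to the service account at the vCenter root folder, propagating
# to every datacenter, host, datastore and VM beneath it.
$rootFolder = Get-Folder -NoRecursion
New-VIPermission -Entity $rootFolder -Principal $serviceAccount -Role $role -Propagate:$true | Out-Null

# Check: list exactly what the role grants so it can be compared with the post's
# table before the account's Administrator permission is removed.
Get-VIPrivilege -Role (Get-VIRole -Name $roleName) | Sort-Object Id | Format-Table Id, Name -AutoSize

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

This covers only the SAN-mode backup column. For Virtual Appliance mode, add the "Change resource", "Add existing disk" and "Remove disk" configuration privileges; for Network mode, add "Allow virtual machine download"; and for SureBackup and Virtual Lab restores, add the second table's privileges (Host -> Configuration, Network, Resource, Folder, dvPort Group and the VM Interaction/Inventory rights) to the same hashtable before running it. Keep the service account's original Administrator permission in place until a test backup and restore succeed with the new role, then remove it.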