Comprehensive data protection for all workloads
Post Reply
gyrosc0pe
Novice
Posts: 7
Liked: never
Joined: Sep 07, 2016 10:04 am
Full Name: Carlos robles
Contact:

Prevent even admins from deleting a VM from Veeam

Post by gyrosc0pe » Nov 14, 2016 9:41 am

Hi
Is it possible to create some kind of rule within Veeam B&R to avoid deleting VMs from the console?
Even if an admin is the user at the time?
A denied permission or similar?

foggy
Veeam Software
Posts: 18029
Liked: 1532 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Prevent even admins from deleting a VM from Veeam

Post by foggy » Nov 14, 2016 9:54 am

Carlos, could you please clarify what VM deletion are you trying to prevent? Do you mean deletion of backups from Veeam B&R UI or VMs from the jobs or something else?

gyrosc0pe
Novice
Posts: 7
Liked: never
Joined: Sep 07, 2016 10:04 am
Full Name: Carlos robles
Contact:

Re: Prevent even admins from deleting a VM from Veeam

Post by gyrosc0pe » Nov 14, 2016 11:18 am

We've had a case where an admin deleted a replica VM from Veeam's replica repository but it turned out to be a production server
(seems it was a replica VM back in the days but was failed over to production)
Veeam deleted this 'replica' server with no questions, it shutdown the server first and delete it from disk next, no traces left.
We want to avoid this happening in the future so my post here, is there a way to create a rule maybe, within Veeam which stops anybody from deleting a VM?

P.Tide
Product Manager
Posts: 5181
Liked: 447 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Prevent even admins from deleting a VM from Veeam

Post by P.Tide » Nov 14, 2016 3:27 pm

Would it be sufficient to prompt the user to shutdown the VM manually first instead of shutting it down automatically? Even with password or a special role there is no guarantee that someone who has the privilege to delete VMs won't make the same mistake.

gyrosc0pe
Novice
Posts: 7
Liked: never
Joined: Sep 07, 2016 10:04 am
Full Name: Carlos robles
Contact:

Re: Prevent even admins from deleting a VM from Veeam

Post by gyrosc0pe » Nov 14, 2016 4:34 pm

A prompt would be somethign, not what i'm looking for but at least some type of step before deletion.
What I've noticed is that, for instance, although I log to the V&R server with my admin account, the actions towards the VMWare cluster are done in the background by the Veeam account it uses to connect to VMWare servers which has full permissions.
So modifying permissions in VMWare to this Veeam account would mean restricting Veeam doing its work, hence i posted this hoping there's Veeam 'permission' which could limit my admin account .... maybe a long shot?

DaStivi
Service Provider
Posts: 117
Liked: 11 times
Joined: Jun 30, 2015 9:13 am
Full Name: Stephan Lang
Contact:

Re: Prevent even admins from deleting a VM from Veeam

Post by DaStivi » Nov 15, 2016 8:45 am

am i wrong, when doing a failover and finishing all processes the vm disapears from Veeam console? as with a instantVM recovery...
maybe another thought, when this was an production vm, hopefully on a productive datastore, is there an backup?! :)

gyrosc0pe
Novice
Posts: 7
Liked: never
Joined: Sep 07, 2016 10:04 am
Full Name: Carlos robles
Contact:

Re: Prevent even admins from deleting a VM from Veeam

Post by gyrosc0pe » Nov 15, 2016 12:07 pm

Thanks for your input,
Dastivi, im not going to discuss that,
I described that scenario as a possible cause for our incident but it could have been something else.
I'm looking for a solution to avoid anything similar happening again, an admin deleting a production VM from Veeam's console
Some Veeam rule set, permissions, rule applied to VM tag.... a third party tool...
I'm assuming this doesn't exist as I'm not seeing any solution from anybody.

foggy
Veeam Software
Posts: 18029
Liked: 1532 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Prevent even admins from deleting a VM from Veeam

Post by foggy » Nov 15, 2016 12:49 pm

You're looking for restrictions on a Veeam B&R console side, but are these same admins allowed to login to vSphere client and removing production VMs from there?

gyrosc0pe
Novice
Posts: 7
Liked: never
Joined: Sep 07, 2016 10:04 am
Full Name: Carlos robles
Contact:

Re: Prevent even admins from deleting a VM from Veeam

Post by gyrosc0pe » Nov 15, 2016 1:15 pm

yes, they are

gyrosc0pe
Novice
Posts: 7
Liked: never
Joined: Sep 07, 2016 10:04 am
Full Name: Carlos robles
Contact:

Re: Prevent even admins from deleting a VM from Veeam

Post by gyrosc0pe » Nov 15, 2016 2:03 pm

Having said that, i can operate the Veeam console with my admin account but the actions in vsphere show as created by Veeam's account.

What about generating a pop up window in Veeam console indicating the server you want to delete is powered on?

at least that'd make an admin think twice, he's working on a running server not a powered off replica

can this be done?

foggy
Veeam Software
Posts: 18029
Liked: 1532 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Prevent even admins from deleting a VM from Veeam

Post by foggy » Nov 15, 2016 2:20 pm

This is exactly the prompt Pavel has suggested above.

gyrosc0pe
Novice
Posts: 7
Liked: never
Joined: Sep 07, 2016 10:04 am
Full Name: Carlos robles
Contact:

Re: Prevent even admins from deleting a VM from Veeam

Post by gyrosc0pe » Nov 15, 2016 2:21 pm

And how is this done?

foggy
Veeam Software
Posts: 18029
Liked: 1532 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Prevent even admins from deleting a VM from Veeam

Post by foggy » Nov 15, 2016 2:24 pm

This was mentioned as a probable future improvement, not as currently available functionality.

Post Reply

Who is online

Users browsing this forum: Dima P. and 40 guests