vCenter Permissions

[ldplusse]

I want to know more presice what rights Veeam needss for access to VCenter.
My security department does not allow me full administrative rights, as written in the manual.
We have local admin rights on the server that Veeam is installed on.
So can I get detailed information on what rights are required, when you must give as few rights as possible.
Local root is no problem, the issue is only for Vcenter.

Thanks
Lars Kuhlmann

[Vitaliy S.]

Hello, Lars

That's ok, no problem with that! Here you are:

The following set of permissions should be defined for the role of the account used to connect to VirtualCenter:

VCB mode
Global - Log Event

Virtual Machine - Configuration:
Disk Lease

Virtual Machine - State:
Create Snapshot
Remove Snapshot

Virtual Machine - Provisioning:
Allow Read-only Disk Access
Allow Virtual Machine Download

Network mode (service console agent)
Global - Log Event

Virtual Machine - State:
Create Snapshot
Remove Snapshot

Network mode (agentless)
Global - Log Event

Virtual Machine - State:
Create Snapshot
Remove Snapshot

Virtual Machine - Provisioning:
Allow Read-only Disk Access

Note that these permissions should be added at least at the Datacenter level for the backup jobs to complete successfully.
Hope it helps! Please feel free to ask questions if you have any more, would be glad to answer them.

[Gostev]

Also permission to update VM Notes attribute is needed (all backup modes), if you are using functionality to set backup results in VM notes (it is disabled by default).

[Arnold]

Are there any additional permissions required when restoring a VM?

Or do we need to supply root credentials for each ESX server?

We have added our VC server in the Veeam console and the user specified under the service is also the same user that has admin access to VC. Should this be enough?

[Arnold]

Think I may have found my answer:

"Unfortunately the restore can only be done over network at this time, and you are right that restores are slower than backups because of this. The recommendation is to specify service console connection settings for the ESX host you are restoring to (to do this, right-click the ESX host in the Veeam Backup Servers tree)."

So if I do not add these credentials on the ESX servers, the restore will fail?

[Vitaliy S.]

Hello Arnold,

Thank you for re-using the old topic for your question. No, your restores won't fail if you do not provide service console connection credentials.

Please note that you don't have to provide root credentials to your ESX server while doing restores. In this case agentless restore mode will be used. But for a better restore speed, you should specify service console connection settings in the target ESX host's properties.

Thanks!

[afokkema]

What are the permissions required to backup using the Virtual Appliance mode? And is it possible to give the role only access to a couple of VM's in a Folder. So the backup user will only see these VM's instead of all the VM's on that cluster.

[Vitaliy S.]

Here is the set of permissions that should be defined for the role of the account used to connect to vCenter:

vStorage API - Virtual Appliance mode

Global:
Log Event

Datastore:
Low-level file operations

Virtual Machine - State:
Create Snapshot
Remove Snapshot

Virtual Machine – Configuration:
Disk Change tracking
Change resource
Add existing disk
Remove disk

Virtual Machine – Provisioning:
Allow read-only disk access

And I believe you may play with the vCenter roles to define the access policy to your specific folder or VMs. Thanks!

[skayser]

Thanks for sharing the set of permissions. Are they documented somewhere (apart from here )? Couldn't find them in the user guide. Further, A 'Test credentials/privileges' button in the SOAP credentials dialog would be very helpful to ensure correct privileges before actually trying to run backups.

Sebastian

[Vitaliy S.]

Sebastian,

Veeam Community forum is the best User Guide ever but that's a good idea to put this information to all the guide papers as well.

Thank you for your feedback!

[tsands]

If I want to add a server to replicate to in VB&R, and the host is part of a vCenter - can I login directly to the ESX host? What permissions are necessary?

[Vitaliy S.]

Tyson, if you want to use Service Console on your target ESX host, then you should be using either root account or any sudoer to connect to ESX host directly.

If you're referring to vCenter Server permissions, unfortunately, I do not have this list, but adding a granular permission which allows registering VMs in Inventory to the list posted above should be sufficient.

[derekross]

Just added all of the above permissions (all 3 modes in 1 role) to a vcenter account located in a folder. The folder contains a cluster. When trying to do a test backup:

Validating task
Unable to process VM 'VMNAME' ('vm-9493'). Config file is not found.

VBR: 5.0.1.198
vSphere: ESXi 4.1.1

backups work fine using my 'admin' account, we are trying to move away from that.

[Vitaliy S.]

Derek, please use this new list to configure your connection account: vCenter Server Granular Permissions (v5)