-
- Novice
- Posts: 4
- Liked: never
- Joined: Jun 18, 2009 6:43 am
- Full Name: Lars Kuhlmann
- Contact:
vCenter Permissions
I want to know more presice what rights Veeam needss for access to VCenter.
My security department does not allow me full administrative rights, as written in the manual.
We have local admin rights on the server that Veeam is installed on.
So can I get detailed information on what rights are required, when you must give as few rights as possible.
Local root is no problem, the issue is only for Vcenter.
Thanks
Lars Kuhlmann
My security department does not allow me full administrative rights, as written in the manual.
We have local admin rights on the server that Veeam is installed on.
So can I get detailed information on what rights are required, when you must give as few rights as possible.
Local root is no problem, the issue is only for Vcenter.
Thanks
Lars Kuhlmann
-
- VP, Product Management
- Posts: 27364
- Liked: 2794 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: VCenter Permissions
Hello, Lars
That's ok, no problem with that! Here you are:
The following set of permissions should be defined for the role of the account used to connect to VirtualCenter:
VCB mode
Global - Log Event
Virtual Machine - Configuration:
Disk Lease
Virtual Machine - State:
Create Snapshot
Remove Snapshot
Virtual Machine - Provisioning:
Allow Read-only Disk Access
Allow Virtual Machine Download
Network mode (service console agent)
Global - Log Event
Virtual Machine - State:
Create Snapshot
Remove Snapshot
Network mode (agentless)
Global - Log Event
Virtual Machine - State:
Create Snapshot
Remove Snapshot
Virtual Machine - Provisioning:
Allow Read-only Disk Access
Note that these permissions should be added at least at the Datacenter level for the backup jobs to complete successfully.
Hope it helps! Please feel free to ask questions if you have any more, would be glad to answer them.
That's ok, no problem with that! Here you are:
The following set of permissions should be defined for the role of the account used to connect to VirtualCenter:
VCB mode
Global - Log Event
Virtual Machine - Configuration:
Disk Lease
Virtual Machine - State:
Create Snapshot
Remove Snapshot
Virtual Machine - Provisioning:
Allow Read-only Disk Access
Allow Virtual Machine Download
Network mode (service console agent)
Global - Log Event
Virtual Machine - State:
Create Snapshot
Remove Snapshot
Network mode (agentless)
Global - Log Event
Virtual Machine - State:
Create Snapshot
Remove Snapshot
Virtual Machine - Provisioning:
Allow Read-only Disk Access
Note that these permissions should be added at least at the Datacenter level for the backup jobs to complete successfully.
Hope it helps! Please feel free to ask questions if you have any more, would be glad to answer them.
-
- Chief Product Officer
- Posts: 31779
- Liked: 7279 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: VCenter Permissions
Also permission to update VM Notes attribute is needed (all backup modes), if you are using functionality to set backup results in VM notes (it is disabled by default).
-
- Enthusiast
- Posts: 35
- Liked: never
- Joined: May 14, 2010 9:33 am
- Full Name: Arnold
- Contact:
Re: vCenter Permissions
Are there any additional permissions required when restoring a VM?
Or do we need to supply root credentials for each ESX server?
We have added our VC server in the Veeam console and the user specified under the service is also the same user that has admin access to VC. Should this be enough?
Or do we need to supply root credentials for each ESX server?
We have added our VC server in the Veeam console and the user specified under the service is also the same user that has admin access to VC. Should this be enough?
-
- Enthusiast
- Posts: 35
- Liked: never
- Joined: May 14, 2010 9:33 am
- Full Name: Arnold
- Contact:
Re: vCenter Permissions
Think I may have found my answer:
"Unfortunately the restore can only be done over network at this time, and you are right that restores are slower than backups because of this. The recommendation is to specify service console connection settings for the ESX host you are restoring to (to do this, right-click the ESX host in the Veeam Backup Servers tree)."
So if I do not add these credentials on the ESX servers, the restore will fail?
"Unfortunately the restore can only be done over network at this time, and you are right that restores are slower than backups because of this. The recommendation is to specify service console connection settings for the ESX host you are restoring to (to do this, right-click the ESX host in the Veeam Backup Servers tree)."
So if I do not add these credentials on the ESX servers, the restore will fail?
-
- VP, Product Management
- Posts: 27364
- Liked: 2794 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: vCenter Permissions
Hello Arnold,
Thank you for re-using the old topic for your question. No, your restores won't fail if you do not provide service console connection credentials.
Please note that you don't have to provide root credentials to your ESX server while doing restores. In this case agentless restore mode will be used. But for a better restore speed, you should specify service console connection settings in the target ESX host's properties.
Thanks!
Thank you for re-using the old topic for your question. No, your restores won't fail if you do not provide service console connection credentials.
Please note that you don't have to provide root credentials to your ESX server while doing restores. In this case agentless restore mode will be used. But for a better restore speed, you should specify service console connection settings in the target ESX host's properties.
Thanks!
-
- Service Provider
- Posts: 23
- Liked: 3 times
- Joined: Feb 13, 2009 2:00 pm
- Full Name: Arne Fokkema
- Location: Netherlands
- Contact:
Re: vCenter Permissions
What are the permissions required to backup using the Virtual Appliance mode? And is it possible to give the role only access to a couple of VM's in a Folder. So the backup user will only see these VM's instead of all the VM's on that cluster.
-
- VP, Product Management
- Posts: 27364
- Liked: 2794 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: vCenter Permissions
Here is the set of permissions that should be defined for the role of the account used to connect to vCenter:
vStorage API - Virtual Appliance mode
Global:
Log Event
Datastore:
Low-level file operations
Virtual Machine - State:
Create Snapshot
Remove Snapshot
Virtual Machine – Configuration:
Disk Change tracking
Change resource
Add existing disk
Remove disk
Virtual Machine – Provisioning:
Allow read-only disk access
And I believe you may play with the vCenter roles to define the access policy to your specific folder or VMs. Thanks!
vStorage API - Virtual Appliance mode
Global:
Log Event
Datastore:
Low-level file operations
Virtual Machine - State:
Create Snapshot
Remove Snapshot
Virtual Machine – Configuration:
Disk Change tracking
Change resource
Add existing disk
Remove disk
Virtual Machine – Provisioning:
Allow read-only disk access
And I believe you may play with the vCenter roles to define the access policy to your specific folder or VMs. Thanks!
-
- Enthusiast
- Posts: 27
- Liked: never
- Joined: Jul 13, 2010 8:28 am
- Full Name: Sebastian Kayser
Re: vCenter Permissions
Thanks for sharing the set of permissions. Are they documented somewhere (apart from here )? Couldn't find them in the user guide. Further, A 'Test credentials/privileges' button in the SOAP credentials dialog would be very helpful to ensure correct privileges before actually trying to run backups.
Sebastian
Sebastian
-
- VP, Product Management
- Posts: 27364
- Liked: 2794 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: vCenter Permissions
Sebastian,
Veeam Community forum is the best User Guide ever but that's a good idea to put this information to all the guide papers as well.
Thank you for your feedback!
Veeam Community forum is the best User Guide ever but that's a good idea to put this information to all the guide papers as well.
Thank you for your feedback!
-
- Novice
- Posts: 5
- Liked: never
- Joined: Feb 03, 2011 2:06 pm
- Full Name: Tyson
- Location: Florida, USA
- Contact:
Re: vCenter Permissions
If I want to add a server to replicate to in VB&R, and the host is part of a vCenter - can I login directly to the ESX host? What permissions are necessary?
-
- VP, Product Management
- Posts: 27364
- Liked: 2794 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: vCenter Permissions
Tyson, if you want to use Service Console on your target ESX host, then you should be using either root account or any sudoer to connect to ESX host directly.
If you're referring to vCenter Server permissions, unfortunately, I do not have this list, but adding a granular permission which allows registering VMs in Inventory to the list posted above should be sufficient.
If you're referring to vCenter Server permissions, unfortunately, I do not have this list, but adding a granular permission which allows registering VMs in Inventory to the list posted above should be sufficient.
-
- Novice
- Posts: 8
- Liked: never
- Joined: Jul 06, 2010 1:07 pm
- Contact:
Re: vCenter Permissions
Just added all of the above permissions (all 3 modes in 1 role) to a vcenter account located in a folder. The folder contains a cluster. When trying to do a test backup:
Validating task
Unable to process VM 'VMNAME' ('vm-9493'). Config file is not found.
VBR: 5.0.1.198
vSphere: ESXi 4.1.1
backups work fine using my 'admin' account, we are trying to move away from that.
Validating task
Unable to process VM 'VMNAME' ('vm-9493'). Config file is not found.
VBR: 5.0.1.198
vSphere: ESXi 4.1.1
backups work fine using my 'admin' account, we are trying to move away from that.
-
- VP, Product Management
- Posts: 27364
- Liked: 2794 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: vCenter Permissions
Derek, please use this new list to configure your connection account: vCenter Server Granular Permissions (v5)
Who is online
Users browsing this forum: Baidu [Spider], Bing [Bot], Google [Bot] and 99 guests