Comprehensive data protection for all workloads
Post Reply
ldplusse
Novice
Posts: 4
Liked: never
Joined: Jun 18, 2009 6:43 am
Full Name: Lars Kuhlmann
Contact:

vCenter Permissions

Post by ldplusse »

I want to know more presice what rights Veeam needss for access to VCenter.
My security department does not allow me full administrative rights, as written in the manual.
We have local admin rights on the server that Veeam is installed on.
So can I get detailed information on what rights are required, when you must give as few rights as possible.
Local root is no problem, the issue is only for Vcenter.

Thanks
Lars Kuhlmann
Vitaliy S.
VP, Product Management
Posts: 27368
Liked: 2798 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: VCenter Permissions

Post by Vitaliy S. »

Hello, Lars

That's ok, no problem with that! Here you are:

The following set of permissions should be defined for the role of the account used to connect to VirtualCenter:

VCB mode
Global - Log Event

Virtual Machine - Configuration:
Disk Lease

Virtual Machine - State:
Create Snapshot
Remove Snapshot

Virtual Machine - Provisioning:
Allow Read-only Disk Access
Allow Virtual Machine Download

Network mode (service console agent)
Global - Log Event

Virtual Machine - State:
Create Snapshot
Remove Snapshot

Network mode (agentless)
Global - Log Event

Virtual Machine - State:
Create Snapshot
Remove Snapshot

Virtual Machine - Provisioning:
Allow Read-only Disk Access

Note that these permissions should be added at least at the Datacenter level for the backup jobs to complete successfully.
Hope it helps! Please feel free to ask questions if you have any more, would be glad to answer them.
Gostev
Chief Product Officer
Posts: 31793
Liked: 7295 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: VCenter Permissions

Post by Gostev »

Also permission to update VM Notes attribute is needed (all backup modes), if you are using functionality to set backup results in VM notes (it is disabled by default).
Arnold
Enthusiast
Posts: 35
Liked: never
Joined: May 14, 2010 9:33 am
Full Name: Arnold
Contact:

Re: vCenter Permissions

Post by Arnold »

Are there any additional permissions required when restoring a VM?

Or do we need to supply root credentials for each ESX server?

We have added our VC server in the Veeam console and the user specified under the service is also the same user that has admin access to VC. Should this be enough?
Arnold
Enthusiast
Posts: 35
Liked: never
Joined: May 14, 2010 9:33 am
Full Name: Arnold
Contact:

Re: vCenter Permissions

Post by Arnold »

Think I may have found my answer:

"Unfortunately the restore can only be done over network at this time, and you are right that restores are slower than backups because of this. The recommendation is to specify service console connection settings for the ESX host you are restoring to (to do this, right-click the ESX host in the Veeam Backup Servers tree)."

So if I do not add these credentials on the ESX servers, the restore will fail?
Vitaliy S.
VP, Product Management
Posts: 27368
Liked: 2798 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Permissions

Post by Vitaliy S. »

Hello Arnold,

Thank you for re-using the old topic for your question. No, your restores won't fail if you do not provide service console connection credentials.

Please note that you don't have to provide root credentials to your ESX server while doing restores. In this case agentless restore mode will be used. But for a better restore speed, you should specify service console connection settings in the target ESX host's properties.

Thanks!
afokkema
Service Provider
Posts: 23
Liked: 3 times
Joined: Feb 13, 2009 2:00 pm
Full Name: Arne Fokkema
Location: Netherlands
Contact:

Re: vCenter Permissions

Post by afokkema »

What are the permissions required to backup using the Virtual Appliance mode? And is it possible to give the role only access to a couple of VM's in a Folder. So the backup user will only see these VM's instead of all the VM's on that cluster.
Vitaliy S.
VP, Product Management
Posts: 27368
Liked: 2798 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Permissions

Post by Vitaliy S. »

Here is the set of permissions that should be defined for the role of the account used to connect to vCenter:

vStorage API - Virtual Appliance mode

Global:
Log Event

Datastore:
Low-level file operations

Virtual Machine - State:
Create Snapshot
Remove Snapshot

Virtual Machine – Configuration:
Disk Change tracking
Change resource
Add existing disk
Remove disk

Virtual Machine – Provisioning:
Allow read-only disk access

And I believe you may play with the vCenter roles to define the access policy to your specific folder or VMs. Thanks!
skayser
Enthusiast
Posts: 27
Liked: never
Joined: Jul 13, 2010 8:28 am
Full Name: Sebastian Kayser

Re: vCenter Permissions

Post by skayser »

Thanks for sharing the set of permissions. Are they documented somewhere (apart from here :wink: )? Couldn't find them in the user guide. Further, A 'Test credentials/privileges' button in the SOAP credentials dialog would be very helpful to ensure correct privileges before actually trying to run backups.

Sebastian
Vitaliy S.
VP, Product Management
Posts: 27368
Liked: 2798 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Permissions

Post by Vitaliy S. »

Sebastian,

Veeam Community forum is the best User Guide ever :) but that's a good idea to put this information to all the guide papers as well.

Thank you for your feedback!
tsands
Novice
Posts: 5
Liked: never
Joined: Feb 03, 2011 2:06 pm
Full Name: Tyson
Location: Florida, USA
Contact:

Re: vCenter Permissions

Post by tsands »

If I want to add a server to replicate to in VB&R, and the host is part of a vCenter - can I login directly to the ESX host? What permissions are necessary?
Vitaliy S.
VP, Product Management
Posts: 27368
Liked: 2798 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Permissions

Post by Vitaliy S. »

Tyson, if you want to use Service Console on your target ESX host, then you should be using either root account or any sudoer to connect to ESX host directly.

If you're referring to vCenter Server permissions, unfortunately, I do not have this list, but adding a granular permission which allows registering VMs in Inventory to the list posted above should be sufficient.
derekross
Novice
Posts: 8
Liked: never
Joined: Jul 06, 2010 1:07 pm
Contact:

Re: vCenter Permissions

Post by derekross »

Just added all of the above permissions (all 3 modes in 1 role) to a vcenter account located in a folder. The folder contains a cluster. When trying to do a test backup:

Validating task
Unable to process VM 'VMNAME' ('vm-9493'). Config file is not found.

VBR: 5.0.1.198
vSphere: ESXi 4.1.1

backups work fine using my 'admin' account, we are trying to move away from that.
Vitaliy S.
VP, Product Management
Posts: 27368
Liked: 2798 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: vCenter Permissions

Post by Vitaliy S. »

Derek, please use this new list to configure your connection account: vCenter Server Granular Permissions (v5)
Post Reply

Who is online

Users browsing this forum: Bing [Bot], dwesterman, restore-helper and 95 guests