-
- Novice
- Posts: 7
- Liked: 1 time
- Joined: Sep 30, 2022 12:10 pm
- Full Name: Justin Izzard
- Contact:
Feature Request: Reduce privileges required in VBR and vCenter
I would like to request that Veeam ONE supports a read-only level of permission in both VBR and vCenter. Our use case is that Veeam ONE is a dashboard, reporting, and alerting tool only. We do not intend on using it to run any remediation in either VBR or vCenter. Therefore the user Veeam ONE uses to connect to VBR and vCenter can follow the principle of least privilege and be granted only read-only access.
The two forum posts below are asking similar questions.
veeam-one-f28/read-only-service-account ... 65753.html
veeam-one-f28/security-q-connecting-vee ... 84573.html
-
- Veeam Software
- Posts: 731
- Liked: 186 times
- Joined: Nov 01, 2016 11:26 am
- Contact:
Re: Feature Request: Reduce privileges required in VBR and vCenter
Hello Justin,
From this page for vSphere:
> The account used to connect vCenter Server and ESXi hosts must have the Read Only role and the following additional privileges...
So read-only is enough. If you do not provide the additional privileges, you will not collect the information specified in each section.
From this page for VBR:
> You must use the account with local Administrator permissions in the following cases:
> - If you plan to install Veeam ONE agent on Veeam Backup & Replication server.
> - If machines that run Veeam ONE server and Veeam Backup & Replication server belong to different domains or workgroups.
Veeam ONE agent is required for intelligent diagnostic features and remediate actions in the first case and no other way to collect the data in the second case.
The account must have WMI access to collect the data and there is no other requirement.
Could you please provide a bit more information about the permissions you do not want to grant?
Thanks
-
- Novice
- Posts: 7
- Liked: 1 time
- Joined: Sep 30, 2022 12:10 pm
- Full Name: Justin Izzard
- Contact:
Re: Feature Request: Reduce privileges required in VBR and vCenter
Thanks @RomanK. I think that addresses the question on the vSphere side of things.
The permission we do not want to grant is any permission that would allow Veeam ONE to modify or manage VBR. Like I mentioned, we want the tool to be a dashboard, monitoring, and alerting tool only. As such we do not want the account it uses to connect to VBR to have any privileges other than read-only. We are trying not to grant this permission from the page you linked for VBR:
> The account used to connect Veeam Backup & Replication or Veeam Backup Enterprise Manager servers must:
> - Have the Veeam Backup Administrator role assigned.
> This role must be assigned to the account on the machine that runs Veeam Backup & Replication. If you connect Veeam Backup Enterprise Manager, the account must have this role assigned on all underlying Veeam Backup & Replication servers.
-
- Veeam Software
- Posts: 731
- Liked: 186 times
- Joined: Nov 01, 2016 11:26 am
- Contact:
Re: Feature Request: Reduce privileges required in VBR and vCenter
Hello Justin,
Thanks for the clarification. I already asked our QA team to do some tests with fewer privileges to understand what is collected under the backup administrator.
Some data is already collected in the labs under the user with WMI access and without access to the VBR console. Will update this thread as soon as I get all results.
Thanks
-
- Novice
- Posts: 7
- Liked: 1 time
- Joined: Sep 30, 2022 12:10 pm
- Full Name: Justin Izzard
- Contact:
Re: Feature Request: Reduce privileges required in VBR and vCenter
Any news from the QA team regarding their testing with fewer privileges?
-
- Veeam Software
- Posts: 731
- Liked: 186 times
- Joined: Nov 01, 2016 11:26 am
- Contact:
Re: Feature Request: Reduce privileges required in VBR and vCenter
Hello Justin,
The current state is still the same: the user with WMI access and without access to the VBR console can collect the data. However, tests like that and changing the official documentation are planned closer to the GA release as they must cover new features and changes.
As I mentioned previously, administrator permissions are required for features like VID and to run remediate actions. So the official documentation will not be changed in terms of the requirements. However, we will try to provide more details and maybe find additional considerations about feature losses. As for now, there is no such information, unfortunately.
Thanks
-
- Novice
- Posts: 7
- Liked: 1 time
- Joined: Sep 30, 2022 12:10 pm
- Full Name: Justin Izzard
- Contact:
Re: Feature Request: Reduce privileges required in VBR and vCenter
@RomanK, our Veeam deployment is to the point where I have had a chance to start setting up Veeam ONE. I have created an unprivileged user account for WMI access following https://helpcenter.veeam.com/docs/one/d ... ml?ver=120. The only way I am able to execute WMI/WQL queries is if I grant this user Veeam Backup Administrator permissions in the VBR console. I have tested with the user having no access to the VBR console and granting Veeam Backup Viewer, neither of which worked.
Do you or the QA team have any details on additional steps to grant access to the root\VeeamBS WMI namespace to an unprivileged user account?
We're running VBR version 12.1.1.56 and Veeam ONE 12.1.0.3208.
-
- Veeam Software
- Posts: 731
- Liked: 186 times
- Joined: Nov 01, 2016 11:26 am
- Contact:
Re: Feature Request: Reduce privileges required in VBR and vCenter
Hello Justin,
Finally, we've finished testing. Currently, two rules are applied:
- Local administrator group members on the VBR machine are always VBR administrators.
- If the user is not a machine administrator, we cannot use this account to add VBR because there is no WMI access.
Running select is required to get instance data, but we cannot do that for the VBR Viewer.
Thanks
-
- Novice
- Posts: 7
- Liked: 1 time
- Joined: Sep 30, 2022 12:10 pm
- Full Name: Justin Izzard
- Contact:
Re: Feature Request: Reduce privileges required in VBR and vCenter
> So the current documentation is correct and we need "local user + WMI + perf + event + VBR administrator" or local administrator member.
Thank you for the follow up. Can you log this as a feature request to reduce the permissions required to be an unprivileged local user + VBR Backup Viewer?
-
- Veeam Software
- Posts: 731
- Liked: 186 times
- Joined: Nov 01, 2016 11:26 am
- Contact:
Re: Feature Request: Reduce privileges required in VBR and vCenter
Hello Justin,
Of course, the feature request was logged in our system but no promises or ETA as usual.
Thanks