Monitoring and reporting for Veeam Backup & Replication, VMware vSphere and Microsoft Hyper-V
Post Reply
segfault
Enthusiast
Posts: 35
Liked: 14 times
Joined: Dec 14, 2017 8:07 pm
Full Name: John Garner
Contact:

Read-Only Service Account Logins

Post by segfault » 1 person likes this post

I'm looking into implement Veeam One as a monitoring system for our vCenter and Veeam B&R instances, and I'm wondering how to do so in the most secure manner possible. After reading over the 'Permissions' section, I had a bunch of questions as to why Veeam ONE needs admin level access to monitor the target system.

Our B&R instances are off domain and we tightly control access to them. However, the Veeam One deployment guide indicates that the account used to monitor the system must have the Veeam Backup Administrator role assigned. This puts us in a bind as we view Admin level creds into the Veeam B&R instance to be some of the most important around, and now a system designed to just watch the system requires full admin access to perform what on the surface is a read-only task.

I'm spotting similar issues with vCenter integration. The admin guide is a bit more granular in listing each of the required permissions and noting what each is required for. Is it possible to pare them back if we do not care about the functionality indicated? For instance, global tagging influences what policies Veeam B&R uses, so I'd rather not hand that out to a monitoring system. I don't need Veeam ONE to add or remove tags, to remove snapshots, or access the console of VM's. I just want it to watch things and tell me when a datastore is projected to run out of space or what the cost of a VM is.

I know that I can give users Read-Only access to Veeam ONE, but having Veeam ONE be granted full admin on systems where it conceptual only needs read access to set off a bunch of red flags with our security team.

Is there a a document available that lists the absolute minimum level of permissions required, even if some functionality will be lost? The way the deployment guide reads, I won't be able to use Veeam ONE to monitor B&R in our environment, individual servers are also out (the agent requires local admin), I may run into issues with vCenter too if I provide it with a subset of the "required" permissions.

Thanks,

--john

HannesK
Veeam Software
Posts: 5866
Liked: 805 times
Joined: Sep 01, 2014 11:46 am
Location: Austria
Contact:

Re: Read-Only Service Account Logins

Post by HannesK »

Hello,
I assume you are referring to this document. So yes, you can reduce permissions for functionality that you do not need in vSphere.
must have the Veeam Backup Administrator role assigned.
agree, improvements on reducing required permissions from our side is a valid feature request. The "write" or "change" access should only be required for remediation actions.
individual servers are also out (the agent requires local admin)
uhm, what do you mean here? We don't monitor servers.

Best regards,
Hannes

wishr
Veeam Software
Posts: 1741
Liked: 195 times
Joined: Aug 07, 2018 3:11 pm
Full Name: Fedor Maslov
Contact:

Re: Read-Only Service Account Logins

Post by wishr »

Hi guys,

Let me clarify, Veeam ONE, as well as Veeam MP, pulls most of the backup monitoring data from Windows Management Instrumentation (WMI). In one of the past Veeam B&R updates, as a part of security hardening, we implemented a few changes and starting from that point only Veeam Backup Administrators are allowed to pull the data from WMI.

I agree that some improvements (in terms of better segregation of duties for roles and accounts) could be done here so we'll re-evaluate this scenario in the future versions but since it's a cross-product change, it might take some time to get it implemented and fully validated by our QC teams.

Thanks

segfault
Enthusiast
Posts: 35
Liked: 14 times
Joined: Dec 14, 2017 8:07 pm
Full Name: John Garner
Contact:

Re: Read-Only Service Account Logins

Post by segfault »

Thanks for the clarifications. It was unclear from reading the deployment guide if reducing the permissions simply reduced some of the functionality (which is acceptable for my use case) or if it became an unsupported configuration.

--john

Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests