Granular Permissions for Replication

Posted: Dec 13, 2017 9:01 pm
by wheelz
I went through a backup security hardening to make it harder for ransomware to spread from our domain into our backups as well. I set up a whole separate domain for Veeam, and then followed the following document to set least-permissive, granular permissions on the vCenter account that we use for backup, restores, and replication. ... ons_pg.pdf.

This all works great except for replication. I am no longer using a vCenter administrator account in Veeam to connect to vCenter. I created a new account and set permissions based on that document. I continue to get access-denied errors, though, on the replication jobs from one datacenter to another. I had a case open (02382789) but was told to use an administrator account. I said that defeats the whole purpose, and why have this document released if it's not possible? Here is the error in the log:

[17.11.2017 17:02:43] <01> Error Failed UpdateNetworkAdapter2Vm. VmRef: [vm-285935], Nic: [4000], PortGroup: [Backup-VM Local], ConnectAtPowerOn: [True]. (System.Exception)
[17.11.2017 17:02:43] <01> Error Fault "NoPermissionFault", detail "<NoPermissionFault xmlns="urn:vim25" xsi:type="NoPermission" xmlns:xsi=""><object type="VirtualMachine">vm-285935</object><privilegeId>VirtualMachine.Config.EditDevice</privilegeId></NoPermissionFault>" (Veeam.Backup.ViSoap.ViServiceFaultException)
[17.11.2017 17:02:43] <01> Error VimApi.NoPermission

I then tried to remove the options of re-ip and separate virtual networks, but still continue to get the error. Any idea what I need to do? Thanks.
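A small log-triage helper for the errors quoted above, added here as an example and not code from the thread or from Veeam: it pulls the object and privilegeId out of each NoPermissionFault line and reports which of the refused privileges a given role does not grant. The BACKUP_ROLE_PRIVILEGES set and the function names are assumptions constructed for the example, not the contents of the Veeam permissions document.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three job-log lines quoted in the post above.
SAMPLE_LOG = """\
[17.11.2017 17:02:43] <01> Error Failed UpdateNetworkAdapter2Vm. VmRef: [vm-285935], Nic: [4000], PortGroup: [Backup-VM Local], ConnectAtPowerOn: [True]. (System.Exception)
[17.11.2017 17:02:43] <01> Error Fault "NoPermissionFault", detail "<NoPermissionFault xmlns="urn:vim25" xsi:type="NoPermission" xmlns:xsi=""><object type="VirtualMachine">vm-285935</object><privilegeId>VirtualMachine.Config.EditDevice</privilegeId></NoPermissionFault>" (Veeam.Backup.ViSoap.ViServiceFaultException)
[17.11.2017 17:02:43] <01> Error VimApi.NoPermission
"""

# Hypothetical privilege set of a least-privilege backup role, constructed for
# this example; it is not the list from the Veeam permissions document.
BACKUP_ROLE_PRIVILEGES = frozenset({
    "Datastore.AllocateSpace", "Datastore.Browse", "Network.Assign",
    "Resource.AssignVMToPool", "VirtualMachine.Config.AddNewDisk",
    "VirtualMachine.Config.RemoveDisk", "VirtualMachine.Interact.PowerOn",
    "VirtualMachine.Interact.PowerOff",
})

# The fault body is not namespace-well-formed XML (xmlns:xsi=""), so an XML
# parser would reject it; extract the fields with a per-line regex instead.
_FAULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\].*?NoPermissionFault.*?'
    r'<object type="(?P<otype>[^"]+)">(?P<moref>[^<]+)</object>'
    r'<privilegeId>(?P<priv>[^<]+)</privilegeId>', re.M)

@dataclass(frozen=True)
class NoPermissionFault:
    timestamp: str
    object_type: str   # e.g. VirtualMachine
    moref: str         # managed object reference, e.g. vm-285935
    privilege: str     # the vSphere privilege vCenter refused

def parse_nopermission_faults(log_text):
    """Return every NoPermissionFault found in a Veeam job log, in log order."""
    return [NoPermissionFault(m["ts"], m["otype"], m["moref"], m["priv"])
            for m in _FAULT_RE.finditer(log_text)]

def missing_privileges(log_text, role_privileges):
    """Refused privileges that the role does not grant: the gaps to review."""
    return {f.privilege for f in parse_nopermission_faults(log_text)
            if f.privilege not in role_privileges}

if __name__ == "__main__":
    for f in parse_nopermission_faults(SAMPLE_LOG):
        print(f"{f.timestamp}: {f.object_type} {f.moref} needs {f.privilege}")
    print("role gaps:", sorted(missing_privileges(SAMPLE_LOG, BACKUP_ROLE_PRIVILEGES)))
```

Each gap is a single privilege to add to the role (or to justify refusing), which is a narrower change than granting the whole Edit Settings group.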

Re: Granular Permissions for Replication

Posted: Dec 14, 2017 8:29 am
by Mike Resseler
Hi Eric,

First: Welcome to the forums!

Second: I don't have a vCenter at hand for the moment, but from the looks of this, I think you are missing some permissions on the configuration of the VM. Could you check if there are configuration permissions for the network adapter that are not checked?

It might be that the document has a missing item (or two :-)). Also, it is written for version 9 (are you running 9 or 9.5?) and I can't see which vCenter (different vCenters might have different rights also).

Let us know

Re: Granular Permissions for Replication

Posted: Dec 14, 2017 4:28 pm
by wheelz
Thanks for the reply. I'm using Veeam 9.5 and vCenter 6.5. When you mentioned permissions on the network adapter, I started to look into that. I didn't see anything under Network settings, but I gave the vCenter account that I'm using for Veeam the Edit Settings permission on the VM and then it worked. I'm not totally comfortable with that because if that account gets compromised, then that account can edit any/all VMs. The way it was set up, all that account could really do is back up and restore VMs. If this is what is required, we'll have to make a decision on security vs. functionality. I guess I'm looking for some type of definitive answer as to what permission I'm missing. Do you think this is it? Thanks.

Re: Granular Permissions for Replication

Posted: Dec 14, 2017 4:36 pm
by Mike Resseler
As you saw in the guide, there are some edit settings on the VM level that are necessary. Again, I cannot check, but when you go to the VM settings, can you see the network adapter under that and the possibility to give those rights?

Re: Granular Permissions for Replication

Posted: Dec 14, 2017 5:16 pm
by wheelz
No, I'm not seeing anything related to just the network adapter. I may have to just leave Edit Settings. Thanks for the help.