Hello everyone,
We are planning to replicate 4 specific VMs from one remote vCenter to another using Veeam. However, our challenge lies in configuring permissions for the service account used by Veeam.
We would like this account to have visibility and access to only the 4 VMs we want to replicate, without exposing all other VMs in the remote vCenter. At the same time, we want to ensure that this restriction does not interfere with the replication functionality.
Does Veeam support such a granular configuration? If yes, could someone provide guidance on how to set the permissions both at the vCenter level and on the individual VMs to achieve this?
Any advice or documentation references would be greatly appreciated.
Thank you!
- Mercurio (Enthusiast)

- Fabian K. (Product Manager, Switzerland)
Re: Granular Permissions for Replicating Selected VMs with Veeam
Hi Mercurio
Granular permissions required for Replication are documented in our help center.
I don't remember us testing a scenario where the service account only gets access to 4 specific VMs. I suggest creating a new role for the required VM permissions and then attaching the Service Account with this role to these 4 VMs. Create roles with the other permissions and assign them on the correct level. For example, Datastore permissions can be assigned only on the source and target datastore. If the required permissions are assigned on the involved vSphere infrastructure objects, then I assume it will work (and be supported). Worst case, if it isn't working, you have to extend the permissions.
But I'm concerned about at least one of the required permissions. You need to give this service account write/read permission to the entire source and target datastore. It's not possible to set it on a folder level.
Which means the account will have access to other VMs' data files on this datastore. If your goal is to protect all other VMs from this service account, then you need to make sure that only these 4 VMs are stored on the source/target datastore.
Best,
Fabian
Product Management Analyst @ Veeam Software
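
A PowerCLI sketch of the approach suggested in the reply above, added here as an example and not taken from the thread or from Veeam: it first checks the datastore caveat (any other VMs stored next to the 4), then creates the two roles and assigns them only on the 4 VMs and their datastore. The server, account, VM, datastore and role names are placeholders, and the privilege IDs are an illustrative subset; the actual list is the one in the Veeam help center. Run it against each vCenter with that side's names.

```powershell
# Added example. All names below are placeholders, not values from the thread.
$vCenter    = 'vcenter.example.local'
$principal  = 'EXAMPLE\svc-veeam-repl'                    # replication service account
$vmNames    = 'vm-app01','vm-app02','vm-db01','vm-db02'   # the 4 VMs to replicate
$datastores = 'ds-repl-01'                                # datastore(s) holding them

# Illustrative subset of vSphere privilege IDs (assumption).
# Replace with the full list documented in the Veeam help center.
$vmPrivIds = 'VirtualMachine.State.CreateSnapshot','VirtualMachine.State.RemoveSnapshot'
$dsPrivIds = 'Datastore.Browse','Datastore.FileManagement','Datastore.AllocateSpace'

Connect-VIServer -Server $vCenter | Out-Null

# 1. Datastore caveat: datastore permissions cover the whole datastore, so list
#    every VM stored there that is not one of the 4 before granting anything.
$outsiders = Get-Datastore -Name $datastores | Get-VM |
    Where-Object { $_.Name -notin $vmNames } | Sort-Object Name -Unique
if ($outsiders) {
    Write-Warning "Other VMs share these datastores; their files would be reachable:"
    $outsiders | Select-Object Name | Format-Table -AutoSize
}

# 2. One role for VM-level privileges, one for datastore-level privileges.
$vmRole = New-VIRole -Name 'Veeam-Repl-VM' -Privilege (Get-VIPrivilege -Id $vmPrivIds)
$dsRole = New-VIRole -Name 'Veeam-Repl-Datastore' -Privilege (Get-VIPrivilege -Id $dsPrivIds)

# 3. Assign each role only on the objects involved, without propagation.
foreach ($vm in Get-VM -Name $vmNames) {
    New-VIPermission -Entity $vm -Principal $principal -Role $vmRole -Propagate:$false | Out-Null
}
foreach ($ds in Get-Datastore -Name $datastores) {
    New-VIPermission -Entity $ds -Principal $principal -Role $dsRole -Propagate:$false | Out-Null
}

# 4. Review what the account can now reach.
Get-VIPermission -Principal $principal | Select-Object Entity, Role, Propagate
```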