Host-based backup of VMware vSphere VMs.
merku
Enthusiast
Posts: 48
Liked: 12 times
Joined: Feb 08, 2020 3:17 pm
Full Name: Mercurio

Granular Permissions for Replicating Selected VMs with Veeam

Post by merku »

Hello everyone,

We are planning to replicate 4 specific VMs from one remote vCenter to another using Veeam. However, our challenge lies in configuring permissions for the service account used by Veeam.

We would like this account to have visibility and access to only the 4 VMs we want to replicate, without exposing all other VMs in the remote vCenter. At the same time, we want to ensure that this restriction does not interfere with the replication functionality.

Does Veeam support such a granular configuration? If yes, could someone provide guidance on how to set the permissions both at the vCenter level and on the individual VMs to achieve this?

Any advice or documentation references would be greatly appreciated.

Thank you!
Mildur
Product Manager
Posts: 10637
Liked: 2866 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Granular Permissions for Replicating Selected VMs with Veeam

Post by Mildur »

Hi Mercurio


Granular permissions required for Replication are documented in our help center.
I don't remember us testing a scenario where the service account only gets access to 4 specific VMs. I suggest creating a new role for the required VM permissions and then attaching the Service Account with this role to these 4 VMs. Create roles with the other permissions and assign them on the correct level. For example, Datastore permissions can be assigned only on the source and target datastore. If the required permissions are assigned on the involved vSphere infrastructure objects, then I assume it will work (and be supported). Worst case, if it isn't working, you have to extend the permissions.

But I'm concerned about at least one of the required permissions. You need to give this service account write/read permission to the entire source and target datastore. It's not possible to set it on a folder level.
Which means, the account will have access to other VMs' data files on this datastore. If your goal is to protect all other VMs from this service account, then you need to make sure that only these 4 VMs are stored on the source/target datastore.

Best,
Fabian
Product Management Analyst @ Veeam Software
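
The scoping check discussed in this thread, as an added example that is not part of either post and not Veeam or VMware code: given an exported inventory and permission list, it reports which VMs the service account can reach beyond the intended four and which datastore grants expose other VMs' files. The account name `svc-veeam`, all object names and the data layout are constructed assumptions, and the model is simplified (any grant counts as access; role contents are not evaluated).

```python
# Constructed sample data: object -> type, parent, and (for VMs) the datastores holding its files.
INVENTORY = {
    "dc1":        {"type": "Datacenter", "parent": None},
    "vm-folder":  {"type": "Folder", "parent": "dc1"},
    "ds-repl":    {"type": "Datastore", "parent": "dc1"},
    "ds-general": {"type": "Datastore", "parent": "dc1"},
    "app01":  {"type": "VM", "parent": "vm-folder", "datastores": ["ds-repl"]},
    "app02":  {"type": "VM", "parent": "vm-folder", "datastores": ["ds-repl"]},
    "app03":  {"type": "VM", "parent": "vm-folder", "datastores": ["ds-repl"]},
    "app04":  {"type": "VM", "parent": "vm-folder", "datastores": ["ds-repl"]},
    "fin-db": {"type": "VM", "parent": "vm-folder", "datastores": ["ds-repl"]},
    "hr-db":  {"type": "VM", "parent": "vm-folder", "datastores": ["ds-general"]},
}
ALLOWED = ["app01", "app02", "app03", "app04"]
# Hypothetical account: one grant per replicated VM plus one on the source datastore.
PERMISSIONS = [{"entity": e, "principal": "svc-veeam", "propagate": False}
               for e in ALLOWED + ["ds-repl"]]

def covered(obj, grants, inventory):
    """True if a grant sits on obj itself, or on an ancestor with propagation enabled."""
    node, direct = obj, True
    while node is not None:
        if any(g["entity"] == node and (direct or g["propagate"]) for g in grants):
            return True
        node, direct = inventory[node]["parent"], False
    return False

def audit(principal, allowed_vms, inventory, permissions):
    """Compare what the principal can reach with the VMs it is meant to reach."""
    grants = [p for p in permissions if p["principal"] == principal]
    allowed = set(allowed_vms)
    vms = {n for n, o in inventory.items() if o["type"] == "VM"}
    stores = sorted(n for n, o in inventory.items() if o["type"] == "Datastore")
    reachable = {v for v in vms if covered(v, grants, inventory)}
    exposed = {}
    for ds in stores:
        if not covered(ds, grants, inventory):
            continue
        # Datastore access is all-or-nothing, so every co-resident VM's files are readable.
        others = sorted(v for v in vms - allowed if ds in inventory[v]["datastores"])
        if others:
            exposed[ds] = others
    return {"missing": sorted(allowed - reachable),
            "extra_vms": sorted(reachable - allowed),
            "exposed_via_datastore": exposed}

if __name__ == "__main__":
    print(audit("svc-veeam", ALLOWED, INVENTORY, PERMISSIONS))
```

A non-empty `exposed_via_datastore` is the case described above: the VM-level grants are tight, but the datastore grant still reaches another VM's files.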