Permission requirements for replication in Veeam 6.1

[joshua1909]

Hi all,

Firstly, sorry for the lengthy post.

I am currently in the process of configuring replication from a few of our branch sites to a single DR VMware environment. It is working well, except that I have had to configure the replication job at each branch site with full administrator privileges to the DR VMware vCenter environment.

Unfortunately due to our company policy, I cannot leave the Veeam console at a branch site with full administrator rights to the remote DR vCenter server. (The main issue being that if the network admin at the branch site connects to the local Veeam server, he can easily access the remote DR infrastructure and see all virtual machines and data for all other branches.)

In speaking to Veeam support, they sent through a document to assist me (granular_permissions_v6), but have since advised replication is no longer supported with anything other than full admin rights on the destination. I can't give full admin rights to the branches, and I simply can't setup an individual VMware environment for each branch to replicate to.

I have gone through the process of trying to restrict the permissions on the Veeam service account, but the replication is failing on:

Datastore 'datastore-414' was not found (System.Exception)

Although, I can browse the destination datastore through Veeam and create folders with no issue.

Below is an overview of permissions I have applied to the Veeam account at the replication site. If anyone has any ideas, they would be greatly appreciated.

Cheers,
Josh

vCenter Role and Permission Configuration

Three roles have been created with the following names:
• DR_MainRole
• DR _cluster
• DR _host

Permission level for DR_MainRole:

Datastore
• Allocate Space
• Browse Datastore
• Configure datastore
• Low level file operations
• Move datastore
• Remove datastore
• Remove File
• Rename datastore
• Update virtual machine files
Global
• Log Event
Network
• Assign network
• Configure
• Move network
• Remove
Resource
• Assign virtual machine to resource pool
Schedule task
• Create tasks
• Modify task
• Run task
Tasks
• Create task
• Update task
Virtual machine
• Configuration (all)
• Guest Operations (all)
• Interaction (all)
• Inventory (all)
• Provisioning (all)
• Replication (all)
• State (all)

Permission level for DR_cluster:
Resource
• Assign virtual machine to resource pool

Permission level for DR_host:
Resource
• Assign virtual machine to resource pool
 
vCenter Role Assignment

As these steps are completed to assign role based permissions on vCenter inventory, the Active Directory Security Group “DR_branchname_group” created in this document should be used as the object of these permissions.


Apply the AD security group to this role against vCenter inventory objects:

[Vitaliy S.]

but have since advised replication is no longer supported with anything other than full admin rights on the destination.

I haven't heard about this change. Could you please tell me your support ticket number, so I could verify it with your engineer?

As to the required permissions, please check out this topic for the most up-to-date information about the required permissions.

On top of that, could you please create the account with the permissions set from the forum post above, assign it on the vCenter Server level (propagate to all child objects) and then try to re-run the job, should work!

[joshua1909]

Hi Vitality S,

My ticket number was ID#5198710

The technician referenced page 57 of the User Guide, which I checked and indeed says:

Target/Source
Host Permissions
Root permissions on the source ESX/ESXi server.
Root (or equivalent) permissions on the target Linux host.
Write permission on the target folder and share.
If vCenter is used, administrator credentials are required.

I will test those inheritable permissions tomorrow. My only concern is that if I apply those permissions at a vCenter level, rather than at the corresponding resource, the service account will once again be able to access more than it should.
E.g. if I assign the datastore permissions at the vCenter level, the service account will be able to see all VMs in the datastore. However, if I apply datastore permissions only to the dedicated datastore the replication job will be replicating to, then it can only see the VMs it's replicating.

Cheers,
Josh

[Vitaliy S.]

My only concern is that if I apply those permissions at a vCenter level, rather than at the corresponding resource, the service account will once again be able to access more than it should.
E.g. if I assign the datastore permissions at the vCenter level, the service account will be able to see all VMs in the datastore. However, if I apply datastore permissions only to the dedicated datastore the replication job will be replicating to, then it can only see the VMs it's replicating.

Thanks, I've reviewed your case and our support engineer is correct with this statement -"...permissions should be added at the Datacenter level for the backup jobs to complete successfully". It is not something that we can control with the product, it is just how vStorage API works now (AFAIK).

[joshua1909]

Hi Vitaliy,

From your post, I noticed you stated:

"...permissions should be added at the Datacenter level for the backup jobs to complete successfully"

and did not say:

"administrator permissions should be added at the Datacenter level for the backup jobs to complete successfully"

I gather you either knew, or thought it would be possible to replicate without admin rights.

I've spent the day going through individual security settings in VMware, and can confirm it is possible to replicate without administrator privileges to vCenter in Veeam 6.1

I have locked down the branch credentials at my destination VMware environment, so each branch site can see only their inventory/datastores/networks/VMs.

Cheers for the assist,
Josh

[Vitaliy S.]

Yes, I knew that full administrator rights are not required, as it was me who wrote granular permissions list long ago

Good to know that you've managed to set everything properly. Thanks!

[joshua1909]

it was me who wrote granular permissions list long ago

haha, in that case thankyou!

Cheers,
Josh

[alan2012]

Hi joshua1909

I tried to copy your permissions in the above post with the three groups etc and have added an ad account to those groups and that has worled in that i can only see the one datastore, replication folder that i want them to see but i still cant replicate, is the above list you posted complete or is the an additional permission you found that you needed as i see you posted

"have spent the day going through individual security settings in VMware, and can confirm it is possible to replicate without administrator privileges to vCenter in Veeam 6.1"

[Vitaliy S.]

Hi Alan,

Did you have a chance to check my first post in this topic for additional granular permissions required? Also could you please clarify how exactly you have assigned your permissions? Did you do this on vCenter Server level or you were choosing individual objects?

Thanks!

[joshua1909]

Hi Alan,

There were a couple of additional things I had to do. Even when assigning the correct permissions to the destination port group/s, it has to be named the same as the source. Eg if your VM at the source network has a NIC a member of "VM Network" and "iSCSI Network", you must have the same port groups at the destination with permissions applied to both. I found this to be the case even if you are using the new function in Veeam to re-map the networks, they still must have the original port group names at the destination.


I also used the following permissions, with one new role applied to the datacenter:
DR_inventory: this role is assigned no permissions, it is just applied to the datacenter object to give your user account the ability to list inventory. It's interesting that applying an empty role gives you this permission.



If you have any specific questions, you can PM me.

Cheers,
Josh

[alan2012]

Hi Josh and Vitality,

First lets explain what i want to achieve

i have multiple customers that use veeam for backup and they want to replciate back to me for DR and failover, I have an ESX Cluster back at my end and a Virtual Centre Server. Each customer has a site to site connection with me and i can route to their networks so I have built each customer a VM to act as there own backup Proxy at my end and pushed from their veeam server a backup proxy client, I created each customer an unique AD account at my end and i have attached my Virtual Centre Server in their Veeam software, Infrastucutre tab vmware, vcenter servers with that AD account, With that now i can select my Cluster as a destination point for the replica job. now if i use your permissions Vitatlity in post http://forums.veeam.com/viewtopic.php?f ... 761#p45501 and assign the permission to which i beleive i have to at at the Virtual Centre level the customer can in there veeam browse down and see all my Vm's and datastores. Not what i want.

What i want to achieve is similar to what josh i think asked, to lock them down so i started to follow his layout create the roles in VIrtual Centre, Assign my AD accounts to those roles,

Now that worked great, when i was on there side i could see their one and only datastore, their one and only resource pool and one and only vm folder in veeam, but i could not replica as it produced an error, So i know i am missing a level of permission some where, i am hoping from following josh's instructions above that i can achieve this locked down state where a customer can see there own vm's and datastore when they browse down via the VC in there veeam software

[joshua1909]

Hi Alan,

The company I work for is an MSP, and to host customer DR replication was the primary reason I investigated this setup. I am doing exactly that.

The two main errors I received with permissions were to do with the datastore not being found, and to do with re-assigning a nic. Assigning the correct permissions to the correct objects as per my previous post, and ensuring the port group is name the same at both sites solved this.


What error are you receiving?


Cheers,
Josh

[alan2012]

Hi Josh,

At the moment the error is
Procesing Configuration Error: Permission to perfrom this operation was denied.
Error: Permission to perfrom this operation was denied.

When i am on the customer side i can when i create the replica job

Select my cluster in the job, select and see the only resource pool, select and see the one and only VM folder, Select and see the only datastore i want them to see.

When i run the job i get the above error.

I am in the process now of double checking all my Roles match your role permissions.

Will advise when i complete this.

Cheers

alan

[joshua1909]

No worries, if you gather the support logs for that particular job, you will see a more detailed breakdown on what it's failing on.

Cheers,
Josh

[joshua1909]

Just a quick update to say that these permissions still work on 6.5


Cheers,
Josh

[kpnz]

I work for a service provider and we've currently got three clusters in our ESXi environment- Management, Production and DR, all configured to replicate happily between themselves. This is managed by two VC's (prod and mgmt).

We've been asked to provide one of our customers a DR solution where can replicate their VM's from their ESXi environment across to our DR cluster.

Am I correct in thinking that provided the correct ports are opened, they should be able to do this in Veeam by specifying the explicit ESXi Hosts in the DR cluster? Keeping in mind that their ESXi environment shouldn't see ours and the only common infrastructure would be the ESXi hosts (it wouldn't matter if we see their VM's on our DR cluster from our side, I just don't want to have service accounts traversing the two organisations)

Thanks.

[Vmagic]

Hello,

Have a client that has requested to replicate a number of VMs to our vsphere environment.

The two environments do not have any affiliation besides a VPN-tunnel.
I have created a vm in our vpshere environment that they will use a a target Proxy which is joined to their domain.

I have created a vcenter role with these permissions:

vStorage API - Virtual Appliance mode (Replication)

Global:
Log event
Disable Methods
Enable Methods

Datastore:
Low-level file operations
Browse datastore
Remove file
Allocate space

Virtual Machine - State:
Create snapshot
Remove snapshot
Revert to snapshot

Virtual machine - Interaction:
Acquire guest control ticket
Device Connection

Virtual Machine – Configuration:
Disk change tracking
Change resource
Advanced
Add new disk
Add existing disk
Remove disk

Virtual Machine – Provisioning:
Allow disk access
Allow read-only disk access
Allow virtual machine download

Virtual Machine - Inventory:
Register
Remove

Resource:
Assign virtual machine to resource pool

That I found on this site: http://forums.veeam.com/viewtopic.php?f ... 761#p45501

I am however wondering on what level I need to apply the role with these permissions to make replication work. I also want that the client cant see more than necessary in our environment. Hosts, clusters, etc are ok, but not vms etc.

[Vitaliy S.]

Hello,

I am however wondering on what level I need to apply the role with these permissions to make replication work.

You need to apply these permissions on the Datacenter level.

I also want that the client cant see more than necessary in our environment. Hosts, clusters, etc are ok, but not vms etc.

How do you group your VMs? Are you using folders, resource pools? If you apply permissions on the Datacenter level, then all objects under this Datacenter will be visible to the account used to connect to vCenter Server. However, you can try to explicitly specify these permissions on every container, might work.

Thanks!

[Vmagic]

Hello Vitaly,

Yes, permissions are applied to the Datacenter level. I have also solved so only hosts and necessary VMs are being seen, so right now it is more about setting the correct permissions to make replication work.

Replication Job Log says the following:

Code: Select all

[10.07.2013 16:12:57] <01> Error    Failed UpdateNetworkAdapter2Vm. VmRef: [vm-7968], Nic: [4000], PortGroup: [VM Network], ConnectAtPowerOn: [False].   at Veeam.Backup.ViSoap.CSoapConnection.UpdateNetworkAdapter2Vm(String vmRef, Int32 nic, String portGroup, Boolean connectAtPowerOn)
[10.07.2013 16:12:57] <01> Error       at Veeam.Backup.Core.CViNetMapper.ApplyVmNetworks(CVm vm, CSoapConnection connection, CViNicInfo[] nics)
[10.07.2013 16:12:57] <01> Error       at Veeam.Backup.Core.CSnapReplicaVmTarget.SyncNetworks(CBackupObjectsCollection backupCollection)
[10.07.2013 16:12:57] <01> Error       at Veeam.Backup.Core.CSnapReplicaVmTarget.ProcessConfiguration(CBackupObjectsCollection backupCollection)
[10.07.2013 16:12:57] <01> Error       at Veeam.Backup.Core.CSnapReplicaVmTarget.Veeam.Backup.Core.IReceiver.ProcessObjects(IBackupObject[] backupObjects)
[10.07.2013 16:12:57] <01> Error       at Veeam.Backup.Core.CViSource.Backup(IReceiver receiver)
[10.07.2013 16:12:57] <01> Error       at Veeam.Backup.Core.CBackupJobPerformer.ExecuteBackupTask(IVmBackupTask task, ITarget target)
[10.07.2013 16:12:57] <01> Error    Failed to execute SOAP command "CReconfigVmOperation". Details: "<NoPermissionFault xmlns="urn:vim25" xsi:type="NoPermission" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><object type="Network">network-7969</object><privilegeId>System.Read</privilegeId></NoPermissionFault>"   at Veeam.Backup.ViSoap.CSoapService.Execute(IServiceOperation op)
[10.07.2013 16:12:57] <01> Error       at Veeam.Backup.ViSoap.CSoapService.ExecuteAndWaitForCompletion(IServiceOperationAsync operation)
[10.07.2013 16:12:57] <01> Error       at Veeam.Backup.ViSoap.CSoapConnection.UpdateNetworkAdapter2Vm(String vmRef, Int32 nic, String portGroup, Boolean connectAtPowerOn)
[10.07.2013 16:12:57] <01> Error    Permission to perform this operation was denied.   at Veeam.Backup.ViSoap.CServiceSession.Execute(CServiceConnState connState, IServiceOperation op)
[10.07.2013 16:12:57] <01> Error       at Veeam.Backup.ViSoap.CSoapService.Execute(IServiceOperation op)
[10.07.2013 16:12:57] <01> Info     Error: Permission to perform this operation was denied.\n

I am using folders at the moment to group VMs. The log above seems to suggest a network permission type of failure? but I cannot find no such options on the permissions site (viewtopic.php?f=24&t=10478&p=54761#p45501)

Any ideas?

[Vitaliy S.]

Have you applied all these permissions?? Try to specify them on the Datacenter and propagate this list to all child objects, without limiting the scope of VMs that can be seen.

[Vmagic]

Just wrote a long reply and pressed submit, and my browser asked me to log in(even though I already was), how annoying....

Anyway,

Yes, All the permission from the "Replication - Virtual Appliance Mode" section have been applied to my vCenter role.

I just did a quick test and I seem to have got it to work.
Basically what I did was create the network port group from the source enviroment in the target Environment as well, and of course connected my vcenter role to it permission wise.

Just one question. Does the port group need to exist in the target enviroment because of "consistency" reasons? or is it actually going to be used in some scenario? I am wondering because we are "swiching protocols" during replication, (iSCSI source ---> NFS target), and therefore it will use a vmkernel port in the target enviroment.

Thanks

[Vitaliy S.]

Well...I'm not quite sure I understand the question, but the port group should exist because you will need to power on your VMs in the DR situation.

[Vmagic]

Never mind the question, it was I that was confusing things =)

Anyway, thank you for the help. replication is working now.

[funraiser]

Hello All,

We want to offer a client the possibility to replicate it's infrastructure from their side to our side using Veeam B&Rv7. The client has a vCenter and we have a vCenter.

In our vCenter we've created a Resource Pool and a Datastore for this client and based on the http://veeampdf.s3.amazonaws.com/guide/ ... ssions.pdf document, I've granted a user the needed "replication/replica failover/replica failback" privileges.
These privileges are granted only on the specific Resource Pool and Datastore, and thus the user has a "No Access" on all other objects (propagated from the vcenter top level).

Unfortunately, the document states on page 4 that, when using vCenter you need administrator credentials in order to attach a vCenter to the Veeam B&R.

I've tried to add this vCenter using that user in Veeam B&R. It's added successfully into Veeam B&R but Veeam is not showing the VM's inside the resource pool. I tried clicking refresh and rescan but this does not make a difference.

Any ideas if this is really possible or should we really require full administrator privileges for this customer?

Please let me know your thoughts,

Thanks,

[foggy]

Kristof, please review the thread above for similar discussions, should help.

[joshua1909]

These permissions still work in Veeam v7, follow the permission guide and also the diagrams in the first post.

See here for some tips:
http://forums.veeam.com/viewtopic.php?f ... 556#p59750

The biggest "gotcha" for me was the naming of port groups. They must exist with the same name on the source and destination hosts EVEN if you are using the function to select a different destination port group.

Cheers,
Josh