vCenter Server Granular Permissions (v7)

[Vitaliy S.]

vStorage API - SAN mode (Backup)

Global:
Log event
Disable Methods
Enable Methods

Datastore:
Low-level file operations

Virtual Machine - State:
Create snapshot
Remove snapshot

Virtual machine - Interaction:
Acquire guest control ticket

Virtual Machine – Configuration:
Disk change tracking
Disk lease

Virtual Machine – Provisioning:
Allow read-only disk access
Allow virtual machine download

vStorage API - Virtual Appliance mode (Backup)

Global:
Log event
Disable Methods
Enable Methods

Datastore:
Low-level file operations

Virtual Machine - State:
Create snapshot
Remove snapshot

Virtual machine - Interaction:
Acquire guest control ticket

Virtual Machine – Configuration:
Disk change tracking
Change resource
Add existing disk
Remove disk

Virtual Machine – Provisioning:
Allow read-only disk access
Allow virtual machine download

vStorage API - Network mode (Backup)

Global:
Log event
Disable Methods
Enable Methods
Licenses *

Datastore:
Low-level file operations

Virtual Machine - State:
Create snapshot
Remove snapshot

Virtual machine - Interaction:
Acquire guest control ticket

Virtual Machine – Configuration:
Disk change tracking

Virtual Machine – Provisioning:
Allow read-only disk access
Allow virtual machine download

* - required for template backups

[Vitaliy S.]

vStorage API - SAN mode (Replication)

Global:
Log event
Disable Methods
Enable Methods

Datastore:
Low-level file operations
Browse datastore
Remove file
Allocate space

Virtual Machine - State:
Create snapshot
Remove snapshot
Revert to snapshot

Virtual machine - Interaction:
Acquire guest control ticket
Device Connection

Virtual Machine – Configuration:
Disk change tracking
Disk lease
Advanced
Add new disk

Virtual Machine – Provisioning:
Allow disk access
Allow read-only disk access
Allow virtual machine download

Virtual Machine - Inventory:
Register
Remove

Resource:
Assign virtual machine to resource pool

vStorage API - Virtual Appliance mode (Replication)

Global:
Log event
Disable Methods
Enable Methods

Datastore:
Low-level file operations
Browse datastore
Remove file
Allocate space

Virtual Machine - State:
Create snapshot
Remove snapshot
Revert to snapshot

Virtual machine - Interaction:
Acquire guest control ticket
Device Connection

Virtual Machine – Configuration:
Disk change tracking
Change resource
Advanced
Add new disk
Add existing disk
Remove disk

Virtual Machine – Provisioning:
Allow disk access
Allow read-only disk access
Allow virtual machine download

Virtual Machine - Inventory:
Register
Remove

Resource:
Assign virtual machine to resource pool

vStorage API - Network mode (Replication)

Global:
Log event
Disable Methods
Enable Methods

Datastore:
Low-level file operations
Browse datastore
Remove file
Allocate space

Virtual Machine - State:
Create snapshot
Remove snapshot
Revert to snapshot

Virtual machine - Interaction:
Acquire guest control ticket
Device Connection

Virtual Machine – Configuration:
Disk change tracking
Add new disk
Advanced

Virtual Machine – Provisioning:
Allow disk access
Allow read-only disk access
Allow virtual machine download

Virtual Machine - Inventory:
Register
Remove

Resource:
Assign virtual machine to resource pool

[Vitaliy S.]

Instant VM Recovery

Global:
Log event

Host - Configuration:
Storage partition configuration

Virtual machine - Interaction:
Power On
Power Off

Virtual Machine - Inventory:
Register
Unregister

Resource:
Assign virtual machine to resource pool

vApp
Add virtual machine
Assign resource pool
Unregister

[Vitaliy S.]

SureBackup

Global:
Log event
Check Licenses

Datastore:
Low-level file operations
Remove file
Browse datastore

Host - Configuration:
Network configuration
Storage partition configuration

Network:
Assign network

Virtual machine - Interaction:
Power On
Power Off

Virtual Machine - Provisioning:
Check Allow disk access

Virtual machine - Configuration:
Add or remove device
Advanced

Virtual Machine - Inventory:
Remove
Register
Unregister

Resource:
Assign virtual machine to resource pool
Create resource pool
Remove resource pool

Folder:
Create folder
Delete folder

dvPort Group:
Create
Delete

[Vitaliy S.]

Full VM Restore

Global:
Log event

Datastore:
Browse datastore
Remove file
Allocate space
Low-level file operations

Virtual Machine - State:
Create snapshot
Revert to snapshot
Remove snapshot

Virtual Machine – Interaction:
Power On

Virtual Machine – Provisioning:
Allow disk access
Allow read-only disk access
Allow virtual machine download
Allow virtual machine files upload

Resource:
Assign virtual machine to resource pool

Virtual Machine – Configuration:
Advanced
Add new disk
Remove disk

Virtual Machine - Inventory:
Register

Folder:
Create folder

vApp
Add virtual machine
Assign resource pool
Unregister

dvPort Group:
Create
Delete

[Vitaliy S.]

Replica Failover

Global:
Log event

Datastore:
Low-level file operations
Browse datastore
Remove file

Virtual Machine - State:
Create snapshot
Revert to snapshot
Remove snapshot

Virtual Machine – Interaction:
Power On
Power Off

Virtual Machine – Configuration:
Advanced
Rename

[Vitaliy S.]

Replica Failback

Global:
Log event

Datastore:
Low-level file operations
Browse datastore
Remove file
Allocate space

Virtual Machine - State:
Create snapshot
Revert to snapshot
Remove snapshot

Virtual Machine – Interaction:
Power On
Power Off

Virtual Machine – Provisioning:
Allow read-only disk access
Allow virtual machine download

Virtual Machine – Configuration:
Advanced
Rename
Disk change tracking
Disk lease
Add new disk
Add existing disk
Remove disk

Virtual Machine - Inventory:
Register

Resource:
Assign virtual machine to resource pool

[Vitaliy S.]

File-Level Restore (Other Guest)

Global:
Log event

Datastore:
Low-level file operations
Browse datastore

Network:
Assign network
Configure

Virtual Machine - Configuration:
Modify device settings

Virtual Machine – Interaction:
Power On
Power Off

Virtual Machine - Inventory:
Register
Unregister

Resource:
Assign virtual machine to resource pool

Host - Configuration:
Storage partition configuration

[lorengordon]

Wow! This is awesome! I've also found that if a VM is in a vApp, a few additional permissions are necessary.

--vApp--

1. - Add virtual machine
   - Assign resource pool
   - Unregister

There may be others for features we haven't really used...our use case is mostly just backup and restore.

Thanks!
-Loren

[Vitaliy S.]

Hi Loren, thanks for heads up. I will update our permissions list.

[dlehrner]

And a combined set of permissions.

Global:
Log event
Licenses
Disable Methods
Enable Methods

Datastore:
Low-level file operations
Browse datastore
Remove file
Allocate space

Virtual Machine - State:
Create snapshot
Remove snapshot
Revert to snapshot

Virtual machine - Interaction:
Acquire guest control ticket
Device Connection
Power On
Power Off

Virtual Machine – Configuration:
Disk change tracking
Disk lease
Advanced
Change Resource
Add existing disk
Remove disk
Add new disk
Add or remove device
Rename
Modify device settings

Virtual Machine – Provisioning:
Allow disk access
Allow read-only disk access
Allow virtual machine download
Allow virtual machine files upload

Virtual Machine - Inventory:
Register
Unregister
Remove

Resource:
Assign virtual machine to resource pool
Create resource pool
Remove resource pool

Host - Configuration:
Storage partition configuration
Network configuration

dvPort Group:
Create
Delete

Network:
Assign network
Configure

Folder:
Create folder
Delete folder

vApp
Add virtual machine
Assign resource pool
Unregister

[brupnick]

Good morning-

Is there an updated list of permissions for VBR 6.5 and vSphere 5.1?

Thank you!

[Vitaliy S.]

Hi Brian,

As far as I know there are no additional requirements added for B&R v6.5 and vSphere 5.1 release. Do you have any issues with the list we have now?

Thanks!

[brupnick]

Hello Vitaliy-

Using dlehrner's combined set of permissions, I got as far as the third section (Virtual Machine - State) before noticing that this category does not seem to exist in 5.1. This made me wonder what, if anything, else might be different.

Thank you!
Brian

[Vitaliy S.]

Virtual Machine State is replaced by Virtual Machine Snapshot Management, just checked

[brupnick]

The other discrepancy I found is the post mentions Virtual machine - Interaction - Acquire guest control ticket, but in my vCenter permissions, I have Virtual machine - Interaction - Guest operating system management by VIX API selected. Is this just a new name for the same permission?

[Vitaliy S.]

Yes, it looks like they've just changed the name of this permission.

[dmitry86]

Hi, I have got the document from your support with the obsolete privilege names. Why not to change them in pdf doc as well? Thanks

[Vitaliy S.]

I will ask to update this doc. Thanks for the heads up!

[jcwuerfl]

Could someone please post the latest list of Permissions needed for vCenter for VMware 5.1 and Veeam 6.5 ?
Thanks!

[jcwuerfl]

Is there a pdf showing the latest vCenter permissions ? then? or could someone post them again? anyone? anyone?

[foggy]

James, the latest permissions list is available in this topic above and also in the PDF format through our technical support.

[jcwuerfl]

Including all the changed permissions in v5.1 ? like Virtual Machine - State -> Virtual Machine Snapshot Management ? I guess I'm not seeing that and want to make sure I have a complete list of everything so if that's available in the pdf document? I have to contact support for that? seems strange that isn't posted out on the backup support and product pages somewhere as how does someone ever get that for new customers?

[Vitaliy S.]

James, yes, I have supplied our support team with the latest document that includes latest name changes.

Anyway, I have just found a direct link to the pdf doc you're looking for:
http://www.veeam.com/granular_permissions_v6_5_ds.pdf

[brupnick]

This is a great document, but is there any way to have a section that lists all of the permissions necessary to perform any VBR task? For example, I use all of the features listed in this document, but if I go through each section, there can be significant overlap when it comes to required permissions. A section indicating something like:

Global

• Log event
  Disable Methods
  Enable Methods
  Check Licenses

Datastore

• Low-level file operations
  Browse datastore
  Remove file
  Allocate space

...

would be very helpful for someone like me.

[Vitaliy S.]

Hi Brian, I believe it should be easy to add, thanks for the feedback.

[brupnick]

One of my co-workers pointed out that the attribute that's supposed to hold the backup details hasn't been updating since December 2012 (shame on me for not noticing earlier). This is about the same time that we did our vSphere upgrade. As it turns out, there are two more permissions that your VBR account must have in vSphere in order for the "Set successful backup details to this VM attribute:" option to work: Global --> Manage custom attributes as well as Global --> Set custom attribute. The first lets VBR create the custom attribute, but it can't populate it without the second.

If you don't have either, you'll see this in the logs:

Code: Select all

[04.06.2013 19:32:47] <01> Error    AddAttribute failed, name 'Backup'   at Veeam.Backup.ViSoap.CSoapConnection.AddAttribute(String name)
[04.06.2013 19:32:47] <01> Error       at Veeam.Backup.Core.CSourceVmNotesUpdater.Do()
[04.06.2013 19:32:47] <01> Error       at Veeam.Backup.Core.CSourceVmNotesUpdater.Do(CViVmTask task, CBackupTaskSession taskSess, String backupLocation)
[04.06.2013 19:32:47] <01> Error       at Veeam.Backup.Core.CSourceVmNotesUpdater.DoNoThrow(CViVmTask task, CBackupTaskSession taskSess, String backupLocation)
[04.06.2013 19:32:47] <01> Error    Failed to execute SOAP command "CAddCustomFieldOperation". Details: "<NoPermissionFault xmlns="urn:vim25" xsi:type="NoPermission" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><object type="Folder">group-d1</object><privilegeId>Global.ManageCustomFields</privilegeId></NoPermissionFault>"   at Veeam.Backup.ViSoap.CSoapService.Execute(IServiceOperation op)
[04.06.2013 19:32:47] <01> Error       at Veeam.Backup.ViSoap.CSoapConnection.AddAttribute(String name)
[04.06.2013 19:32:47] <01> Error    Permission to perform this operation was denied.   at Veeam.Backup.ViSoap.CServiceSession.Execute(CServiceConnState connState, IServiceOperation op)
[04.06.2013 19:32:47] <01> Error       at Veeam.Backup.ViSoap.CSoapService.Execute(IServiceOperation op)

If you have the Manage, but not the Set, you'll get this:

Code: Select all

[03.06.2013 19:12:53] <01> Error    UpdateAnnotation failed, vmRef 'vm-155'   at Veeam.Backup.ViSoap.CSoapConnection.UpdateAttribute(String vmRef, String annotation, Int32 fieldKey)
[03.06.2013 19:12:53] <01> Error       at Veeam.Backup.Core.CSourceVmNotesUpdater.Do()
[03.06.2013 19:12:53] <01> Error       at Veeam.Backup.Core.CSourceVmNotesUpdater.Do(CViVmTask task, CBackupTaskSession taskSess, String backupLocation)
[03.06.2013 19:12:53] <01> Error       at Veeam.Backup.Core.CSourceVmNotesUpdater.DoNoThrow(CViVmTask task, CBackupTaskSession taskSess, String backupLocation)
[03.06.2013 19:12:53] <01> Error    Failed to execute SOAP command "CSetFieldOperation". Details: "<NoPermissionFault xmlns="urn:vim25" xsi:type="NoPermission" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><object type="VirtualMachine">vm-155</object><privilegeId>Global.SetCustomField</privilegeId></NoPermissionFault>"   at Veeam.Backup.ViSoap.CSoapService.Execute(IServiceOperation op)
[03.06.2013 19:12:53] <01> Error       at Veeam.Backup.ViSoap.CSoapConnection.UpdateAttribute(String vmRef, String annotation, Int32 fieldKey)
[03.06.2013 19:12:53] <01> Error    Permission to perform this operation was denied.   at Veeam.Backup.ViSoap.CServiceSession.Execute(CServiceConnState connState, IServiceOperation op)
[03.06.2013 19:12:53] <01> Error       at Veeam.Backup.ViSoap.CSoapService.Execute(IServiceOperation op)

It's a very silly problem to have, but since I couldn't find these rights in the list of permissions, I thought I'd mention them here. Support ticket #00245101 also references this issue.

[foggy]

Brian, thanks for the heads up! Much appreciated. We'll look into this and update the permissions list appropriately.

[lorengordon]

I've found a few more permissions that are required if using the Quick Migration feature:

Datastore:
- Allocate Space

Resource:
- Relocate
- Migrate

Virtual Machine - Interaction:
- Suspend

[Vitaliy S.]

Loren, thanks for sharing your findings.