vCenter Server Granular Permissions (v8)

[kacsp]

Hi,

Is there a pdf guide for vCenter Server Granular Permissions (v8) available?

Thanks

[Vitaliy S.]

Not yet, but we are planning to update existing guide soon.

[kacsp]

OK. Would you be able to state the minimum vCenter permission set needed by a Service Account, if vCenter were just to be used as a source (not a target)? Or, looked at another way, what vCenter permissions are needed by a Service Account when adding that vCenter into Veeam v8, if this vCenter is going to be used just as a source, and nothing else?

Thanks again

[Vitaliy S.]

It depends on what backup mode you're going to use etc. Please check this example of granular permissions for v7 > http://forums.veeam.com/post129060.html ... ar#p129060

[kacsp]

I'll take a look at your link. Are there significant differences in granular permissions between v7 & v8?

[veremin]

The document is in checking state, but I believe good portion of previously described permissions is still valid. Thanks.

[kacsp]

OK thanks for that...

[kacsp]

I'm slightly confused by the guidance given in the vCenter Granular Permissions pdf. If I want to restrict a Service Account down to just 'Backup' & 'Replication' operations on vCenter, will applying these section's (in the pdf) permissions in vCenter to an AD Service Account give me enough rights to add a vCenter Server into Veeam as a Source in the first place? I ask this because in the 'Installation & Operation' section, under 'Target/Source Host Configuration' it states that administrator credentials are required. Obviously not much point in configuring a Service Account for just 'Backup' & 'Replication' if it has to be a full administrator to add vCenter into Veeam in the first place. Or have I misunderstood things?

Also, is the 'Cumulative Permissions' section at the end of the document relevant to this situation? Would my Service Account need these permissions adding too, or does this refer to something else?

Thanks again

[Vitaliy S.]

I'm slightly confused by the guidance given in the vCenter Granular Permissions pdf. If I want to restrict a Service Account down to just 'Backup' & 'Replication' operations on vCenter, will applying these section's (in the pdf) permissions in vCenter to an AD Service Account give me enough rights to add a vCenter Server into Veeam as a Source in the first place?

Yes, it would be enough. Check the operations you're going to do, for example, restore etc, and then create a user role in vCenter Server with a granular set of permissions and then add your AD account to this role.

I ask this because in the 'Installation & Operation' section, under 'Target/Source Host Configuration' it states that administrator credentials are required. Obviously not much point in configuring a Service Account for just 'Backup' & 'Replication' if it has to be a full administrator to add vCenter into Veeam in the first place. Or have I misunderstood things?

Service account and account used to add vCenter Server/ESXi hosts are different things. Just want to make sure we are talking about the same accounts here. Full admin rights on the vCenter Server is not required.

Also, is the 'Cumulative Permissions' section at the end of the document relevant to this situation? Would my Service Account need these permissions adding too, or does this refer to something else?

Your account would need all these granular permissions, if you plan to backup/replicate/restore/run SureBackup jobs etc in this vCenter Server environment.

[kacsp]

So just to be clear, for my situation, if I wanted to add vCenter into Veeam using an AD account with restricted permissions in vCenter for only Backup & Replication operations, and which used this vCenter as the source, then I would create a user role in vCenter Server with a granular set of permissions for 'Backup, & 'Replication' operations and add my AD account to this role. I would then be able to add vCenter to Veeam using this AD account, and this account would also give me sufficient vCenter permissions to run Backup & Replications Jobs?

Thanks

[Vitaliy S.]

Yes, that's correct and I would highly recommend using cumulative permissions list for that, but keep in mind that it has not been adapted to v8 yet.

[kacsp]

Thanks Vitaliy, that's been most helpful...

[Ben Milligan]

In the case anyone Googles this and gets this thread down the road, here you go: http://www.veeam.com/veeam_backup_8_permissions_pg.pdf

[haslund]

Latest guide currently is: https://www.veeam.com/veeam_backup_9_0_ ... ons_pg.pdf

[aschalk]

What is meant by global? the Permissions on vCenter Level?
I am just curious because we just did a test with a user who's role on vCenter level is "No access".
I already checked this role and there are no rights set, so he is completly without rights on vCenter Level.
On Datacenter Level he has the Role "Read Only".
On ESXi Level he has the Role "Adminstrator".

Backup just went fine with this set of permissions.

[Vitaliy S.]

Global means a top level object, either vCenter Server/Datacenter/Cluster, so your configuration looks good.