vCenter Server Granular Permissions (v8)

VMware specific discussions

vCenter Server Granular Permissions (v8)

Veeam Logoby kacsp » Mon Jan 19, 2015 11:57 am

Hi,

Is there a pdf guide for vCenter Server Granular Permissions (v8) available?

Thanks
kacsp
Enthusiast
 
Posts: 50
Liked: 8 times
Joined: Mon Jun 02, 2014 1:09 pm

Re: vCenter Server Granular Permissions (v8)

Veeam Logoby Vitaliy S. » Mon Jan 19, 2015 2:03 pm

Not yet, but we are planning to update existing guide soon.
Vitaliy S.
Veeam Software
 
Posts: 19974
Liked: 1145 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Veeam Logoby kacsp » Mon Jan 19, 2015 2:52 pm

OK. Would you be able to state the minimum vCenter permission set needed by a Service Account, if vCenter were just to be used as a source (not a target)? Or, looked at another way, what vCenter permissions are needed by a Service Account when adding that vCenter into Veeam v8, if this vCenter is going to be used just as a source, and nothing else?

Thanks again
kacsp
Enthusiast
 
Posts: 50
Liked: 8 times
Joined: Mon Jun 02, 2014 1:09 pm

Re: vCenter Server Granular Permissions (v8)

Veeam Logoby Vitaliy S. » Mon Jan 19, 2015 5:44 pm

It depends on what backup mode you're going to use etc. Please check this example of granular permissions for v7 > post129060.html?hilit=granular#p129060
Vitaliy S.
Veeam Software
 
Posts: 19974
Liked: 1145 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Veeam Logoby kacsp » Tue Jan 20, 2015 8:58 am

I'll take a look at your link. Are there significant differences in granular permissions between v7 & v8?
kacsp
Enthusiast
 
Posts: 50
Liked: 8 times
Joined: Mon Jun 02, 2014 1:09 pm

Re: vCenter Server Granular Permissions (v8)

Veeam Logoby v.Eremin » Tue Jan 20, 2015 9:12 am

The document is in checking state, but I believe good portion of previously described permissions is still valid. Thanks.
v.Eremin
Veeam Software
 
Posts: 13734
Liked: 1027 times
Joined: Fri Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin

Re: vCenter Server Granular Permissions (v8)

Veeam Logoby kacsp » Tue Jan 20, 2015 2:12 pm

OK thanks for that...
kacsp
Enthusiast
 
Posts: 50
Liked: 8 times
Joined: Mon Jun 02, 2014 1:09 pm

Re: vCenter Server Granular Permissions (v8)

Veeam Logoby kacsp » Tue Jan 20, 2015 4:30 pm

I'm slightly confused by the guidance given in the vCenter Granular Permissions pdf. If I want to restrict a Service Account down to just 'Backup' & 'Replication' operations on vCenter, will applying these section's (in the pdf) permissions in vCenter to an AD Service Account give me enough rights to add a vCenter Server into Veeam as a Source in the first place? I ask this because in the 'Installation & Operation' section, under 'Target/Source Host Configuration' it states that administrator credentials are required. Obviously not much point in configuring a Service Account for just 'Backup' & 'Replication' if it has to be a full administrator to add vCenter into Veeam in the first place. Or have I misunderstood things?

Also, is the 'Cumulative Permissions' section at the end of the document relevant to this situation? Would my Service Account need these permissions adding too, or does this refer to something else?

Thanks again
kacsp
Enthusiast
 
Posts: 50
Liked: 8 times
Joined: Mon Jun 02, 2014 1:09 pm

Re: vCenter Server Granular Permissions (v8)

Veeam Logoby Vitaliy S. » Tue Jan 20, 2015 8:26 pm

kacsp wrote:I'm slightly confused by the guidance given in the vCenter Granular Permissions pdf. If I want to restrict a Service Account down to just 'Backup' & 'Replication' operations on vCenter, will applying these section's (in the pdf) permissions in vCenter to an AD Service Account give me enough rights to add a vCenter Server into Veeam as a Source in the first place?

Yes, it would be enough. Check the operations you're going to do, for example, restore etc, and then create a user role in vCenter Server with a granular set of permissions and then add your AD account to this role.

kacsp wrote:I ask this because in the 'Installation & Operation' section, under 'Target/Source Host Configuration' it states that administrator credentials are required. Obviously not much point in configuring a Service Account for just 'Backup' & 'Replication' if it has to be a full administrator to add vCenter into Veeam in the first place. Or have I misunderstood things?

Service account and account used to add vCenter Server/ESXi hosts are different things. Just want to make sure we are talking about the same accounts here. Full admin rights on the vCenter Server is not required.

kacsp wrote:Also, is the 'Cumulative Permissions' section at the end of the document relevant to this situation? Would my Service Account need these permissions adding too, or does this refer to something else?

Your account would need all these granular permissions, if you plan to backup/replicate/restore/run SureBackup jobs etc in this vCenter Server environment.
Vitaliy S.
Veeam Software
 
Posts: 19974
Liked: 1145 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Veeam Logoby kacsp » Wed Jan 21, 2015 9:52 am

So just to be clear, for my situation, if I wanted to add vCenter into Veeam using an AD account with restricted permissions in vCenter for only Backup & Replication operations, and which used this vCenter as the source, then I would create a user role in vCenter Server with a granular set of permissions for 'Backup, & 'Replication' operations and add my AD account to this role. I would then be able to add vCenter to Veeam using this AD account, and this account would also give me sufficient vCenter permissions to run Backup & Replications Jobs?

Thanks
kacsp
Enthusiast
 
Posts: 50
Liked: 8 times
Joined: Mon Jun 02, 2014 1:09 pm

Re: vCenter Server Granular Permissions (v8)

Veeam Logoby Vitaliy S. » Wed Jan 21, 2015 10:06 am

Yes, that's correct and I would highly recommend using cumulative permissions list for that, but keep in mind that it has not been adapted to v8 yet.
Vitaliy S.
Veeam Software
 
Posts: 19974
Liked: 1145 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Veeam Logoby kacsp » Wed Jan 21, 2015 10:39 am

Thanks Vitaliy, that's been most helpful...
kacsp
Enthusiast
 
Posts: 50
Liked: 8 times
Joined: Mon Jun 02, 2014 1:09 pm

Re: vCenter Server Granular Permissions (v8)

Veeam Logoby Ben Milligan » Fri Jul 10, 2015 5:40 pm 2 people like this post

In the case anyone Googles this and gets this thread down the road, here you go: http://www.veeam.com/veeam_backup_8_permissions_pg.pdf
Ben Milligan
Veeam Software
 
Posts: 173
Liked: 38 times
Joined: Sun Jan 01, 2006 1:01 am

Re: vCenter Server Granular Permissions (v8)

Veeam Logoby haslund » Mon Sep 12, 2016 9:51 am 2 people like this post

Rasmus Haslund
Principal Technologist, Global Education Services @ Veeam Software
Veeam Certified Architect #1 | Veeam Certified Trainer #4 [v7,v8,v9] | Veeam Certified Trainer Mentor #1
Twitter: @haslund
Blog: www.perfectcloud.org
haslund
Veeam Software
 
Posts: 279
Liked: 54 times
Joined: Thu Feb 16, 2012 7:35 am
Location: Denmark
Full Name: Rasmus Haslund

Re: vCenter Server Granular Permissions (v8)

Veeam Logoby aschalk » Thu Nov 24, 2016 11:20 am

What is meant by global? the Permissions on vCenter Level?
I am just curious because we just did a test with a user who's role on vCenter level is "No access".
I already checked this role and there are no rights set, so he is completly without rights on vCenter Level.
On Datacenter Level he has the Role "Read Only".
On ESXi Level he has the Role "Adminstrator".

Backup just went fine with this set of permissions.
aschalk
Influencer
 
Posts: 12
Liked: 1 time
Joined: Wed Sep 07, 2016 5:47 am

Next

Return to VMware vSphere



Who is online

Users browsing this forum: No registered users and 1 guest