vCenter Server Granular Permissions (v9)

VMware specific discussions

Re: vCenter Server Granular Permissions (v8)

Veeam Logoby davegold » Wed Apr 06, 2016 3:20 pm

Is there a guide for v9 yet?

Also, the v8 guide appears to be for vcenter 5.1 or newer. Is there a guide that is relevant for vcenter 5.0?

--Dave
davegold
Enthusiast
 
Posts: 64
Liked: 2 times
Joined: Thu Dec 02, 2010 4:58 pm
Full Name: Dave Gold

Re: vCenter Server Granular Permissions (v8)

Veeam Logoby foggy » Thu May 12, 2016 3:56 pm

There should not be any changes in v9 comparing to v8. The guide should be relevant for earlier vSphere versions up to some permission replacements.
foggy
Veeam Software
 
Posts: 15081
Liked: 1110 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: vCenter Server Granular Permissions (v8)

Veeam Logoby Vitaliy S. » Sat May 14, 2016 5:55 pm

Foggy is correct, however we will run a quick test using v9 some time later and will update the doc with new permissions (if required).
Vitaliy S.
Veeam Software
 
Posts: 19770
Liked: 1120 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

[MERGED] What's the least amount of privileges needed for ba

Veeam Logoby albertwt » Thu May 19, 2016 7:27 am

Hi All,

I'm using Veeam Backup 9.0 Update 1 and VCenter 5.5 Update 3d.

So I wonder what is the minimum amount of service account privillege that I require to allow the VM backup ?

Reading this page: https://helpcenter.veeam.com/backup/vsp ... sions.html it is too generic and having a domain administrator and isabling UAC is against PCI compliance in my company.
Also making the service account as member of local admin in all VMs is also not really convenient.

Does this http://veeampdf.s3.amazonaws.com/guide/ ... ssions.pdf document is still applicable or is there any updated version ?

Case # 01799483
--
/* Veeam software enthusiast user & supporter ! */
albertwt
Expert
 
Posts: 619
Liked: 20 times
Joined: Thu Nov 05, 2009 12:24 pm
Location: Sydney, NSW

Re: vCenter Server Granular Permissions (v8)

Veeam Logoby foggy » Thu May 19, 2016 9:28 am

Speaking about vCenter Server permissions, the documents is still applicable to your environment, please see above.

As for the service account, any account that belongs to local Administrators group can be used if you're using application-aware image processing and/or guest file system indexing. The requirement for built-in administrator account and disabled UAC relates to application-aware backup in networkless mode (over VIX) only.
foggy
Veeam Software
 
Posts: 15081
Liked: 1110 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: vCenter Server Granular Permissions (v8)

Veeam Logoby Vitaliy S. » Tue May 24, 2016 5:10 pm 2 people like this post

Quick note for everyone > our QC has verified that existing permissions work fine for vSphere 6.0 and Veeam B&R v9, no changes are required.
Vitaliy S.
Veeam Software
 
Posts: 19770
Liked: 1120 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v9)

Veeam Logoby patrickds » Thu Sep 01, 2016 8:22 am 1 person likes this post

Why does the document only mention granular permissions for Vcenter, and say you require root access for an esxi host?
The same permissions can be given to a role on a standalone host.

We have just done this with a provider of some software we use, and which they deliver as an appliance on an Esxi6 host.
They are reluctant to give us full root access, but since we insisted on having backups, they agreed on setting the granular permissions required for backup/restore.

Everything works as expected, without a Vcenter.
patrickds
Enthusiast
 
Posts: 25
Liked: 4 times
Joined: Wed Feb 24, 2010 11:58 am
Full Name: Patrick De Smedt

Re: vCenter Server Granular Permissions (v9)

Veeam Logoby Vitaliy S. » Thu Sep 08, 2016 3:07 pm

Thanks, Patrick! vCenter Server is the only option in the document, as this was the top selection of our customers, however the same list should also work for ESXi (as you've verified).
Vitaliy S.
Veeam Software
 
Posts: 19770
Liked: 1120 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

[MERGED] [Replicaiton] - permission lack

Veeam Logoby dmarcocci » Mon Oct 03, 2016 1:01 pm

Hello,
this post is to inform staff about an issue i've found in VBS + vmware environment.

today i've found an issue in a replica context.
the customer has extended disk on a machine that reside in his datacenter, and the replication job fail with a lack of permission because the relevat permission is missing in our vmware farm.
i've identified the missing permission: Extend Virtual disk.


regards
dmarcocci
Novice
 
Posts: 3
Liked: never
Joined: Wed Dec 16, 2015 4:55 pm
Location: Italy, Rome
Full Name: Daniele Marcocci

Re: vCenter Server Granular Permissions (v9)

Veeam Logoby foggy » Mon Oct 03, 2016 1:52 pm

Hi Daniele, thanks for the reporting. We will check that and update the reference.
foggy
Veeam Software
 
Posts: 15081
Liked: 1110 times
Joined: Mon Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: vCenter Server Granular Permissions (v9)

Veeam Logoby Vitaliy S. » Tue Oct 04, 2016 1:05 pm 1 person likes this post

vCenter Server Granular Permissions document has been updated. Thanks!
Vitaliy S.
Veeam Software
 
Posts: 19770
Liked: 1120 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

[MERGED] Replication job - permission problem

Veeam Logoby darkec » Thu Oct 13, 2016 9:30 am

Hello everyone.

I have a problem with Veeam replication jobs. Currently using v9.0.0.1715

I've made a role in vCenter for Veeam replication user specified in VeeamB&R v9 Required Permissions.
For example, when I try to do network remapping I get an error :"The given key was not present in the dictionary". The same error in appears in logs when replication job fails.
After I set user permissions to propagate, job completes normally and I can do network remapping, but then the replication user sees everything in vCenter and not just resoursces that were specified for him.
Since this is one of our customers Veeam server, I cannot leave this configuration for him to see everyone elses VMs, pools, etc.

Case number - 01924780
darkec
Lurker
 
Posts: 2
Liked: never
Joined: Thu Oct 13, 2016 8:59 am

Re: vCenter Server Granular Permissions (v9)

Veeam Logoby Vitaliy S. » Thu Oct 13, 2016 1:57 pm

Hello darkec,

Yes, that's expected behavior and, unfortunately, has nothing to do with Veeam required permissions. The document that you've used, refers to global granular permissions, these permissions should be assigned to a Datacenter or a vCenter Server level. I have also tried to assign it to particular objects (as you did), and it didn't work, as vSphere API requires access to the entire infrastructure tree (based on the feedback from VMware team).

In order to solve your case, I believe vCloud Director should be used, as it has multi-tenant feature built-in. Other than that, I cannot find any other feasible solution right now.

Hope it helps!
Vitaliy S.
Veeam Software
 
Posts: 19770
Liked: 1120 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v9)

Veeam Logoby darkec » Thu Oct 20, 2016 12:08 pm

Hello Vitaliy.

I've found the resolution to my problem. I needed to tweak permission in vsphere networking and propagate permissions. After making those changes, replication jobs start and customer can't see other customers VMs.
darkec
Lurker
 
Posts: 2
Liked: never
Joined: Thu Oct 13, 2016 8:59 am

Re: vCenter Server Granular Permissions (v9)

Veeam Logoby Vitaliy S. » Thu Oct 20, 2016 12:24 pm

Perfect, do you mind sharing these tweaks for future readers of this topic? This will be highly appreciated.
Vitaliy S.
Veeam Software
 
Posts: 19770
Liked: 1120 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

PreviousNext

Return to VMware vSphere



Who is online

Users browsing this forum: No registered users and 84 guests