vCenter Server Granular Permissions (v9)

[tolgaunturk]

Hi All ,

I need to your helpness and your opinions. I want to give domain privilages to my veeam user without administrator privilages. At now veeam is a administartor account on my domain . But i want to restrict to veeam user because my company dont want to a administrator account.

Thanks

[DGrinev]

Hi Tolga,

Please, review this existing thread above, also check the document with detailed description of required permissions. Thanks!

[Moebius]

An Italian based company has a VMware 6.5 infrastructure with 6 hosts managed by a (vm) vCenter. Veeam has been backing up all the vms with admin permissions at the vCenter level.
Now this company has been acquired by a larger US company. The new management wants to import the VMware Datacenter into their US-located vCenter. The hardware will not be moved.

They are willing to give our Veeam account admin rights at the Datacenter level only, but (undestandably) not at their vCenter level.

Are full permissions at the Datacenter level enough to keep the current backup jobs working? From the docs it seems so, but the new mgmt is asking for a confirmation.

Also, will the MoRefIDs change moving the DC to a different vCenter, thus triggering full backups on all vms?

Thanks.

[Andreas Neufert]

Hi Emilia,

please find the needed permissions here: https://helpcenter.veeam.com/docs/backu ... ml?ver=100

When you add the ESXi hosts to another vcenter, the VMs will be treated by Veeam as new VMs. So you have to add them to the Jobs again and next run will be a new full backup.
Potentially clone all jobs and replace there the VMs. Then run new backups. Over time, you can just delete the old backups if the new Job has enough restore points.

[Moebius]

Hi Andreas,

I am aware of the linked page. However, it's not clear what "Global" level means.
If all operations (backup, restore, etc.) will be performed within the same virtual datacenter (with VMware meaning), will assigning Administrator role at the virtual datacenter level to the Veeam account work?

[Andreas Neufert]

Yes.

When you open the vCenter Permission Management you will find the needed rights that you can give a specific role/user. One of the categories is called "Global".
So you do not need an admin account. Just an account with the needed permissions listed in the documentation link above.

[Moebius]

Well, just to confirm I got this straight:
I understand that full Administrator rights are not needed, but let's keep it simple and let's assume we are granted a full Administrator role.
This role, however, will not be granted to root (=vCenter) level, but to a lower level: virtual DATACENTER level, where said virtual datacenter will contain all the inventory objects that are relevant to us.
Is this OK?

[Andreas Neufert]

Jup as long as we can get the needed permissions.

[Moebius]

A feedback note about this --- maybe useful for answering future doubts.

We were granted Administrator role not at root level but at Datacenter level of the VMware structure. The Datacenter contains the cluster with all the hosts, datastores, vms and networks of our pertinence.
Everything seems to work fine except for one thing: the permissions on tag categories can only be granted at root level. I could create and assing tags, but a tag must belong to a tag category. Since in our case no categories have been defined, I am unable to create tags.
Our backup jobs used to rely on tags to pick different vms for different jobs. I had to switch to folders instead.

[Vitaliy S.]

Lucio, I will pass this feedback to our TW team. Thanks!

[Vitaliy S.]

The document has been updated with the corresponding note about tag categories. Thanks again!