Discussions specific to the VMware vSphere hypervisor
Vitaliy S.
Product Manager
Posts: 22697
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

vCenter Server Granular Permissions (v9)

Post by Vitaliy S. » Mar 20, 2015 11:48 am 6 people like this post

Hi all,

Please find the description of required granular permissions in this document > Veeam B&R v8 granular permissions for vSphere 5.5

If you face any issues with this list, please post these details for troubleshooting:

1. Job type
2. Transport mode
3. Root object type you've applied these permissions to

Thanks!

brupnick
Expert
Posts: 196
Liked: 13 times
Joined: Feb 05, 2011 5:09 pm
Full Name: Brian Rupnick
Location: New York, USA

Re: vCenter Server Granular Permissions (v8)

Post by brupnick » Mar 23, 2015 2:26 pm 2 people like this post

Thanks for the updated document!

The only thing I noticed is that if you want to restore a template, I believe you need the following:

Code:

Virtual Machine --> Provisioning --> Mark as template
Virtual Machine --> Provisioning --> Mark as virtual machine
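
The privileges named in this thread (Mark as template / Mark as virtual machine above, Datastore.Config and Extend virtual disk further down), resolved into a dedicated vCenter role and assigned to a service account at the Datacenter level with propagation, which is where later replies say the vSphere API needs them. This is an added PowerCLI example, not code from the thread or from Veeam; it assumes an existing Connect-VIServer session, and the role name, account name and datacenter name are placeholders. VirtualMachine.Provisioning.MarkAsTemplate, VirtualMachine.Provisioning.MarkAsVM and VirtualMachine.Config.DiskExtend are the vSphere privilege IDs for the privileges quoted in the thread; Datastore.Config is quoted verbatim.

```powershell
# Added example (not from this thread or Veeam's document): build a dedicated
# vCenter role from an explicit privilege list and assign it to a service
# account at the Datacenter level with propagation.
# Assumes PowerCLI is installed and Connect-VIServer has already been run.
# Role, principal and datacenter names below are placeholders.
param(
    [string]$RoleName       = 'Veeam-Backup-Granular',
    [string]$Principal      = 'CORP\svc-veeam',
    [string]$DatacenterName = 'DC-Placeholder'
)

# Subset of privileges discussed in this thread; extend it from the Veeam document.
$privilegeIds = @(
    'Datastore.Config',                            # Datastore > Configure datastore (used by CreateDirectory)
    'VirtualMachine.Provisioning.MarkAsTemplate',  # needed to restore a template
    'VirtualMachine.Provisioning.MarkAsVM',
    'VirtualMachine.Config.DiskExtend'             # replicating a VM whose disk was extended
)

# Resolve IDs to privilege objects; fail loudly on a typo rather than silently
# creating a role with fewer rights than intended.
$privileges = foreach ($id in $privilegeIds) {
    $p = Get-VIPrivilege -Id $id -ErrorAction SilentlyContinue
    if (-not $p) { throw "Privilege '$id' not found on this vCenter Server" }
    $p
}

$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege $privileges
} else {
    # Reconcile an existing role: add what is missing, never remove anything here.
    $missing = $privileges | Where-Object { $role.PrivilegeList -notcontains $_.Id }
    if ($missing) { Set-VIRole -Role $role -AddPrivilege $missing | Out-Null }
}

# Assign on the Datacenter with Propagate so every child object inherits it.
$dc = Get-Datacenter -Name $DatacenterName
$existing = Get-VIPermission -Entity $dc -Principal $Principal -ErrorAction SilentlyContinue
if (-not $existing) {
    New-VIPermission -Entity $dc -Principal $Principal -Role $role -Propagate:$true | Out-Null
}

# Check: show what the account actually holds on the Datacenter.
Get-VIPermission -Entity $dc -Principal $Principal | Format-Table Principal, Role, Propagate -AutoSize
```

The script is idempotent: rerunning it after the Veeam document gains a new privilege only adds the missing entry to the role, and it never widens the assignment scope beyond the one Datacenter you name.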

Vitaliy S.
Product Manager
Posts: 22697
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Post by Vitaliy S. » Mar 23, 2015 2:31 pm

Thanks for the heads up, I will ask our technical writers team to update this document.

vladimir.klyavin
Veeam Software
Posts: 117
Liked: 13 times
Joined: Sep 07, 2012 2:19 pm
Full Name: Vladimir Klyavin

Re: vCenter Server Granular Permissions (v8)

Post by vladimir.klyavin » Apr 01, 2015 8:20 pm

When creating a Virtual Lab, VBR fails at "Copying proxy appliance files"

Adding Datastore.Configuration permissions solves the problem. If I was a customer, I would ask, what are we configuring there?

alanbolte
Expert
Posts: 635
Liked: 172 times
Joined: Jun 18, 2012 8:58 pm
Full Name: Alan Bolte

Re: vCenter Server Granular Permissions (v8)

Post by alanbolte » Apr 02, 2015 12:29 am 1 person likes this post

I believe I can answer why the permission is required with this page in the vSphere API reference:
DatastoreNamespaceManager
CreateDirectory

Required Privileges
Datastore.Config

Vitaliy S.
Product Manager
Posts: 22697
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Post by Vitaliy S. » Apr 02, 2015 9:39 am

Vladimir, did you do this using vSphere 5.5?

vladimir.klyavin
Veeam Software
Posts: 117
Liked: 13 times
Joined: Sep 07, 2012 2:19 pm
Full Name: Vladimir Klyavin

Re: vCenter Server Granular Permissions (v8)

Post by vladimir.klyavin » Apr 02, 2015 11:45 am

Yes, this is vSphere 5.5.

Vitaliy S.
Product Manager
Posts: 22697
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Post by Vitaliy S. » Apr 02, 2015 1:00 pm

We don't need this permission, as it works in our labs even without it. Please use internal email to send me the details of what you did.

Ejdesgaard
Influencer
Posts: 20
Liked: 5 times
Joined: Aug 24, 2012 11:59 am

Re: vCenter Server Granular Permissions (v8)

Post by Ejdesgaard » Dec 09, 2015 1:28 am

Can we get an updated list for v8 + vcsa6?

Vitaliy S.
Product Manager
Posts: 22697
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Post by Vitaliy S. » Dec 09, 2015 10:10 am

I will be updating this list for Veeam B&R v9 and vSphere 6 after v9 goes out. Do you see any issues/errors with the current list of granular permissions?

dsellens
Novice
Posts: 4
Liked: never
Joined: May 09, 2014 6:09 pm
Full Name: Mordock

Re: vCenter Server Granular Permissions (v8)

Post by dsellens » Feb 09, 2016 11:05 pm

I found this document to be totally inadequate. While it listed the privileges that are needed, it did not list the permissions and roles that are required.

For instance:
The various Virtual Machines privileges would be in a role that is applied to the folder(s) in VMs and Templates on the replication destination where the Virtual machines are to be placed.

I am not sure, but I would imagine that some of the Global privileges that are listed must be applied at the vCenter level at the top of the tree to function properly.

Under no circumstances should the VM privileges be applied to the vCenter as it would give the user access to the entire vCenter inventory of VMs for multiple customers.

Similarly, the datastore privileges would only be applied to the datastore(s) where the replicated VMs reside and again absolutely not to any other datastores. To do otherwise would be a catastrophic security breach.

Those are only the obvious problems and solutions. I really don't know what needs to be applied to the cluster and hosts in order to see the datastores properly in the replication wizard. We tried a number of options and were unable to get the datastores to show up until we gave up, hit it with a hammer, and granted far too many privileges to the user at too high a level. We are still trying to figure out how to narrow it back down.

Vitaliy S.
Product Manager
Posts: 22697
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Post by Vitaliy S. » Feb 10, 2016 11:10 am

dsellens wrote: I am not sure, but I would imagine that some of the Global privileges that are listed must be applied at the vCenter level at the top of the tree to function properly.

Under no circumstances should the VM privileges be applied to the vCenter as it would give the user access to the entire vCenter inventory of VMs for multiple customers.

I completely agree with your point, but VMware does not allow performing some actions if privileges are not assigned to either the entire Datacenter or on vCenter Server level.

dsellens
Novice
Posts: 4
Liked: never
Joined: May 09, 2014 6:09 pm
Full Name: Mordock

Re: vCenter Server Granular Permissions (v8)

Post by dsellens » Feb 10, 2016 8:13 pm

If you agree, then you need to provide guidance as to WHICH of the privileges need to be assigned on the entire DataCenter or vCenter level, as it is absolutely unacceptable to set all of the provided privileges, particularly for DataStores, VMs, and Networks, at that level.

tsightler
VP, Product Management
Posts: 5355
Liked: 2191 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: vCenter Server Granular Permissions (v8)

Post by tsightler » Feb 10, 2016 8:36 pm

dsellens wrote: Under no circumstances should the VM privileges be applied to the vCenter as it would give the user access to the entire vCenter inventory of VMs for multiple customers.

I apologize if I misunderstood your request but, based on this statement, it sounds like you are referring to a multi-tenant scenario where you want to assign permissions granular enough to allow a user to run their own Veeam B&R server against only a subset of VMs within a shared infrastructure. That's not the purpose of this document. This document defines the granular permissions needed by the Veeam server to perform backup and replication operations within the entire vSphere infrastructure for those organizations that don't want to (or can't due to policy) provide a vSphere administrative level account for the B&R server. It assumes that this B&R server would be able to backup/restore any VM in the environment, so that's why all permissions are at the top level.

Vitaliy S.
Product Manager
Posts: 22697
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Post by Vitaliy S. » Feb 10, 2016 9:01 pm

dsellens wrote: If you agree, then you need to provide guidance as to WHICH of the privileges need to be assigned on the entire DataCenter or vCenter level.

Yes, Tom is correct, 90% of the privileges from that doc have to be on the Datacenter/vCenter Server level. In this case administrative access to the vCenter Server is not required, but limiting "visibility" of the objects cannot be achieved via this document. Sounds like vCloud Director would be the best fit here.

davegold
Enthusiast
Posts: 64
Liked: 2 times
Joined: Dec 02, 2010 4:58 pm
Full Name: Dave Gold

Re: vCenter Server Granular Permissions (v8)

Post by davegold » Apr 06, 2016 3:20 pm

Is there a guide for v9 yet?

Also, the v8 guide appears to be for vcenter 5.1 or newer. Is there a guide that is relevant for vcenter 5.0?

--Dave

foggy
Veeam Software
Posts: 17931
Liked: 1512 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: vCenter Server Granular Permissions (v8)

Post by foggy » May 12, 2016 3:56 pm

There should not be any changes in v9 compared to v8. The guide should be relevant for earlier vSphere versions, aside from some permission replacements.

Vitaliy S.
Product Manager
Posts: 22697
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Post by Vitaliy S. » May 14, 2016 5:55 pm

Foggy is correct, however we will run a quick test using v9 some time later and will update the doc with new permissions (if required).

albertwt
Expert
Posts: 640
Liked: 20 times
Joined: Nov 05, 2009 12:24 pm
Location: Sydney, NSW

[MERGED] What's the least amount of privileges needed for ba

Post by albertwt » May 19, 2016 7:27 am

Hi All,

I'm using Veeam Backup 9.0 Update 1 and vCenter 5.5 Update 3d.

So I wonder what is the minimum amount of service account privilege that I require to allow the VM backup?

Reading this page: https://helpcenter.veeam.com/backup/vsp ... sions.html it is too generic, and having a domain administrator and disabling UAC is against PCI compliance in my company.
Also making the service account a member of local admins in all VMs is not really convenient either.

Is this http://veeampdf.s3.amazonaws.com/guide/ ... ssions.pdf document still applicable, or is there an updated version?

Case # 01799483
--
/* Veeam software enthusiast user & supporter ! */

foggy
Veeam Software
Posts: 17931
Liked: 1512 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: vCenter Server Granular Permissions (v8)

Post by foggy » May 19, 2016 9:28 am

Speaking about vCenter Server permissions, the document is still applicable to your environment, please see above.

As for the service account, any account that belongs to local Administrators group can be used if you're using application-aware image processing and/or guest file system indexing. The requirement for built-in administrator account and disabled UAC relates to application-aware backup in networkless mode (over VIX) only.

Vitaliy S.
Product Manager
Posts: 22697
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

Post by Vitaliy S. » May 24, 2016 5:10 pm 2 people like this post

Quick note for everyone > our QC has verified that existing permissions work fine for vSphere 6.0 and Veeam B&R v9, no changes are required.

patrickds
Enthusiast
Posts: 26
Liked: 5 times
Joined: Feb 24, 2010 11:58 am
Full Name: Patrick De Smedt

Re: vCenter Server Granular Permissions (v9)

Post by patrickds » Sep 01, 2016 8:22 am 1 person likes this post

Why does the document only mention granular permissions for vCenter, and say you require root access for an ESXi host?
The same permissions can be given to a role on a standalone host.

We have just done this with a provider of some software we use, which they deliver as an appliance on an ESXi 6 host.
They are reluctant to give us full root access, but since we insisted on having backups, they agreed on setting the granular permissions required for backup/restore.

Everything works as expected, without a vCenter.

Vitaliy S.
Product Manager
Posts: 22697
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v9)

Post by Vitaliy S. » Sep 08, 2016 3:07 pm

Thanks, Patrick! vCenter Server is the only option in the document, as this was the top selection of our customers, however the same list should also work for ESXi (as you've verified).

dmarcocci
Novice
Posts: 3
Liked: never
Joined: Dec 16, 2015 4:55 pm
Full Name: Daniele Marcocci
Location: Italy, Rome

[MERGED] [Replication] - permission lack

Post by dmarcocci » Oct 03, 2016 1:01 pm

Hello,
this post is to inform staff about an issue I've found in a VBS + VMware environment.

Today I've found an issue in a replica context.
The customer has an extended disk on a machine that resides in his datacenter, and the replication job fails with a lack of permission because the relevant permission is missing in our VMware farm.
I've identified the missing permission: Extend Virtual disk.

Regards

foggy
Veeam Software
Posts: 17931
Liked: 1512 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: vCenter Server Granular Permissions (v9)

Post by foggy » Oct 03, 2016 1:52 pm

Hi Daniele, thanks for reporting this. We will check that and update the reference.

Vitaliy S.
Product Manager
Posts: 22697
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v9)

Post by Vitaliy S. » Oct 04, 2016 1:05 pm 1 person likes this post

vCenter Server Granular Permissions document has been updated. Thanks!

darkec
Lurker
Posts: 2
Liked: never
Joined: Oct 13, 2016 8:59 am

[MERGED] Replication job - permission problem

Post by darkec » Oct 13, 2016 9:30 am

Hello everyone.

I have a problem with Veeam replication jobs. Currently using v9.0.0.1715

I've made a role in vCenter for the Veeam replication user as specified in Veeam B&R v9 Required Permissions.
For example, when I try to do network remapping I get an error: "The given key was not present in the dictionary". The same error appears in the logs when the replication job fails.
After I set the user's permissions to propagate, the job completes normally and I can do network remapping, but then the replication user sees everything in vCenter and not just the resources that were specified for him.
Since this is one of our customers' Veeam servers, I cannot leave this configuration for him to see everyone else's VMs, pools, etc.

Case number - 01924780

Vitaliy S.
Product Manager
Posts: 22697
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v9)

Post by Vitaliy S. » Oct 13, 2016 1:57 pm

Hello darkec,

Yes, that's expected behavior and, unfortunately, has nothing to do with Veeam required permissions. The document that you've used refers to global granular permissions; these permissions should be assigned at a Datacenter or vCenter Server level. I have also tried to assign it to particular objects (as you did), and it didn't work, as the vSphere API requires access to the entire infrastructure tree (based on the feedback from the VMware team).

In order to solve your case, I believe vCloud Director should be used, as it has multi-tenant feature built-in. Other than that, I cannot find any other feasible solution right now.

Hope it helps!
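
An added PowerCLI audit, not from this thread or from Veeam, that lists every permission assignment held by a backup service account and flags the two conditions discussed above: an assignment that does not propagate (child objects stay invisible, which is what produced the "given key was not present" error) and an assignment scoped below the Datacenter/vCenter level (which the reply above reports the vSphere API may reject). It assumes an active Connect-VIServer session; the principal name is a placeholder.

```powershell
# Added example: audit where a backup service account's vCenter permissions
# are assigned and whether they propagate. Not code from this thread or Veeam.
# Assumes an active Connect-VIServer session; the principal is a placeholder.
param([string]$Principal = 'CORP\svc-veeam')

$perms = Get-VIPermission -Principal $Principal
if (-not $perms) {
    Write-Warning "No permission assignments found for $Principal"
    return
}

$report = foreach ($perm in $perms) {
    $entity = $perm.Entity
    # ExtensionData.MoRef.Type is the vSphere API object type ('Datacenter',
    # 'Folder', 'VirtualMachine', ...). The inventory root is the folder named
    # 'Datacenters'; an assignment there or on a Datacenter counts as top level.
    $moType     = $entity.ExtensionData.MoRef.Type
    $isTopLevel = ($moType -eq 'Datacenter') -or
                  ($moType -eq 'Folder' -and $entity.Name -eq 'Datacenters')

    if (-not $perm.Propagate) {
        $finding = 'Not propagating: child objects stay invisible to the account'
    } elseif (-not $isTopLevel) {
        $finding = 'Below Datacenter level: calls that need the whole tree may fail'
    } else {
        $finding = 'OK'
    }

    [pscustomobject]@{
        Entity    = $entity.Name
        Type      = $moType
        Role      = $perm.Role
        Propagate = $perm.Propagate
        Finding   = $finding
    }
}

$report | Sort-Object Finding | Format-Table -AutoSize

# Make the result usable as a gate in a change procedure: non-zero exit if
# anything was flagged, so a pipeline or runbook step can stop on it.
$flagged = @($report | Where-Object Finding -ne 'OK')
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} assignment(s) for {1} need review" -f $flagged.Count, $Principal)
    exit 1
}
```

Run it before and after adjusting a tenant's role: the "Finding" column shows at a glance whether the fix was a missing Propagate flag or an assignment placed too far down the inventory tree, without granting the account anything extra to find out.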

darkec
Lurker
Posts: 2
Liked: never
Joined: Oct 13, 2016 8:59 am

Re: vCenter Server Granular Permissions (v9)

Post by darkec » Oct 20, 2016 12:08 pm

Hello Vitaliy.

I've found the resolution to my problem. I needed to tweak permissions in vSphere networking and propagate permissions. After making those changes, replication jobs start and the customer can't see other customers' VMs.

Vitaliy S.
Product Manager
Posts: 22697
Liked: 1498 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v9)

Post by Vitaliy S. » Oct 20, 2016 12:24 pm

Perfect, do you mind sharing these tweaks for future readers of this topic? This will be highly appreciated.
