vCenter Server Granular Permissions (v9)


by Vitaliy S. » Fri Mar 20, 2015 11:48 am 6 people like this post

Hi all,

Please find the description of required granular permissions in this document: Veeam B&R v8 granular permissions for vSphere 5.5

If you face any issues with this list, please post these details for troubleshooting:

1. Job type
2. Transport mode
3. Root object type you've applied these permissions to

Thanks!
Vitaliy S.
Veeam Software
 
Posts: 19558
Liked: 1102 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: vCenter Server Granular Permissions (v8)

by brupnick » Mon Mar 23, 2015 2:26 pm 2 people like this post

Thanks for the updated document!

The only thing I noticed is that if you want to restore a template, I believe you need the following:
Virtual Machine --> Provisioning --> Mark as template
Virtual Machine --> Provisioning --> Mark as virtual machine
brupnick
Expert
 
Posts: 196
Liked: 13 times
Joined: Sat Feb 05, 2011 5:09 pm
Location: New York, USA
Full Name: Brian Rupnick

Re: vCenter Server Granular Permissions (v8)

by Vitaliy S. » Mon Mar 23, 2015 2:31 pm

Thanks for the heads up, I will ask our technical writers team to update this document.

Re: vCenter Server Granular Permissions (v8)

by vladimir.klyavin » Wed Apr 01, 2015 8:20 pm

When creating a Virtual Lab, VBR fails at "Copying proxy appliance files"

Adding Datastore.Configuration permissions solves the problem. If I was a customer, I would ask, what are we configuring there?
vladimir.klyavin
Veeam Software
 
Posts: 104
Liked: 13 times
Joined: Fri Sep 07, 2012 2:19 pm
Full Name: Vladimir Klyavin

Re: vCenter Server Granular Permissions (v8)

by alanbolte » Thu Apr 02, 2015 12:29 am 1 person likes this post

I believe I can answer why the permission is required with this page in the vSphere API reference:
DatastoreNamespaceManager
CreateDirectory

Required Privileges
Datastore.Config
alanbolte
Expert
 
Posts: 635
Liked: 170 times
Joined: Mon Jun 18, 2012 8:58 pm
Full Name: Alan Bolte

Re: vCenter Server Granular Permissions (v8)

by Vitaliy S. » Thu Apr 02, 2015 9:39 am

Vladimir, did you do this using vSphere 5.5?

Re: vCenter Server Granular Permissions (v8)

by vladimir.klyavin » Thu Apr 02, 2015 11:45 am

Yes, this is vSphere 5.5.

Re: vCenter Server Granular Permissions (v8)

by Vitaliy S. » Thu Apr 02, 2015 1:00 pm

We don't need this permission, as it works in our labs even without it. Please use internal email to send me the details of what you did.

Re: vCenter Server Granular Permissions (v8)

by Ejdesgaard » Wed Dec 09, 2015 1:28 am

Can we get an updated list for v8 + vcsa6?
Ejdesgaard
Influencer
 
Posts: 17
Liked: 5 times
Joined: Fri Aug 24, 2012 11:59 am

Re: vCenter Server Granular Permissions (v8)

by Vitaliy S. » Wed Dec 09, 2015 10:10 am

I will be updating this list for Veeam B&R v9 and vSphere 6 after v9 goes out. Do you see any issues/errors with the current list of granular permissions?

Re: vCenter Server Granular Permissions (v8)

by dsellens » Tue Feb 09, 2016 11:05 pm

I found this document to be totally inadequate. While it listed the privileges that are needed, it did not list the permissions and roles that are required.

For instance:
The various Virtual Machines privileges would be in a role that is applied to the folder(s) in VMs and Templates on the replication destination where the Virtual machines are to be placed.

I am not sure, but I would imagine that some of the Global privileges that are listed must be applied at the vCenter level at the top of the tree to function properly.

Under no circumstances should the VM privileges be applied to the vCenter as it would give the user access to the entire vCenter inventory of VMs for multiple customers.

Similarly, the datastore privileges would only be applied to the datastore(s) where the replicated VMs reside and again absolutely not to any other datastores. To do otherwise would be a catastrophic security breach.

Those are only the obvious problems and solutions. I really don't know what needs to be applied to the cluster and hosts in order to see the datastores properly in the replication wizard. We tried a number of options and were unable to get the datastores to show up until we gave up, hit it with a hammer, and granted far too many privileges to the user at too high a level. We are still trying to figure out how to narrow it back down.
dsellens
Novice
 
Posts: 3
Liked: never
Joined: Fri May 09, 2014 6:09 pm
Full Name: Mordock
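
The scoping concern raised in the post above, as an added example that is not part of any post in this thread: a simplified model of vSphere permission inheritance (one principal, one parent per object, nearest assignment wins) that compares the reach of a role assigned at the vCenter root with the same privileges assigned on one folder and one datastore. The inventory and role names are constructed; the privilege IDs correspond to the privileges named in this thread. The model shows reach only, not whether backup or replication jobs work at that scope.

```python
# Simplified model of vSphere permission inheritance for ONE principal:
# single-parent inventory tree, nearest applicable assignment wins.
# Inventory and role names are constructed (hypothetical); the privilege IDs
# correspond to the privileges named in this thread.
PARENT = {  # child -> parent
    "Datacenter": "vCenter",
    "vm/TenantA": "Datacenter", "vm/Replicas": "Datacenter",
    "tenantA-web01": "vm/TenantA", "tenantA-db01": "vm/TenantA",
    "replica-app01": "vm/Replicas",
    "ds-tenantA": "Datacenter", "ds-replicas": "Datacenter",
}
LEAVES = {"tenantA-web01": "vm", "tenantA-db01": "vm", "replica-app01": "vm",
          "ds-tenantA": "datastore", "ds-replicas": "datastore"}
ROLES = {
    "ReplicaVM": {"VirtualMachine.Provisioning.MarkAsTemplate",
                  "VirtualMachine.Provisioning.MarkAsVM"},
    "ReplicaDatastore": {"Datastore.Config"},
}
ROLES["Everything"] = ROLES["ReplicaVM"] | ROLES["ReplicaDatastore"]

def effective_privileges(obj, assignments):
    """assignments: {entity: (role, propagate)}. Walk up from obj; the nearest
    assignment that applies (direct, or inherited with propagate) wins."""
    node, direct = obj, True
    while node is not None:
        if node in assignments:
            role, propagate = assignments[node]
            if direct or propagate:
                return ROLES[role]
        node, direct = PARENT.get(node), False
    return set()

def reach(assignments, kind, prefix):
    """Leaf objects of `kind` where the principal holds a `prefix` privilege."""
    return sorted(o for o, k in LEAVES.items() if k == kind and any(
        p.startswith(prefix) for p in effective_privileges(o, assignments)))

def overbroad(assignments, top=("vCenter", "Datacenter")):
    """Propagating top-level assignments carrying VM or datastore privileges."""
    return sorted(e for e, (role, prop) in assignments.items()
                  if e in top and prop and any(
                      p.startswith(("VirtualMachine.", "Datastore."))
                      for p in ROLES[role]))

BROAD = {"vCenter": ("Everything", True)}
SCOPED = {"vm/Replicas": ("ReplicaVM", True),
          "ds-replicas": ("ReplicaDatastore", False)}

if __name__ == "__main__":
    for name, a in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, reach(a, "vm", "VirtualMachine."),
              reach(a, "datastore", "Datastore."), overbroad(a))
```

In a real vCenter a VM also inherits from its host, cluster or resource pool, and group memberships combine, so an audit of live assignments has to account for more than one parent path.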

Re: vCenter Server Granular Permissions (v8)

by Vitaliy S. » Wed Feb 10, 2016 11:10 am

dsellens wrote: "I am not sure, but I would imagine that some of the Global privileges that are listed must be applied at the vCenter level at the top of the tree to function properly.

"Under no circumstances should the VM privileges be applied to the vCenter as it would give the user access to the entire vCenter inventory of VMs for multiple customers."

I completely agree with your point, but VMware does not allow performing some actions if privileges are not assigned to either the entire Datacenter or on vCenter Server level.

Re: vCenter Server Granular Permissions (v8)

by dsellens » Wed Feb 10, 2016 8:13 pm

If you agree, then you need to provide guidance as to WHICH of the privileges need to be assigned on the entire DataCenter or vCenter level, as it is absolutely unacceptable to set all of the provided privileges, particularly for DataStores, VMs, and Networks, at that level.

Re: vCenter Server Granular Permissions (v8)

by tsightler » Wed Feb 10, 2016 8:36 pm

dsellens wrote: "Under no circumstances should the VM privileges be applied to the vCenter as it would give the user access to the entire vCenter inventory of VMs for multiple customers."


I apologize if I misunderstood your request but, based on this statement, it sounds like you are referring to a multi-tenant scenario where you want to assign permissions granular enough to allow a user to run their own Veeam B&R server against only a subset of VMs within a shared infrastructure. That's not the purpose of this document. This document defines the granular permissions needed by the Veeam server to perform backup and replication operations within the entire vSphere infrastructure for those organizations that don't want to (or can't due to policy) provide a vSphere administrative level account for the B&R server. It assumes that this B&R server would be able to backup/restore any VM in the environment so that's why all permissions are at the top level.
tsightler
Veeam Software
 
Posts: 4768
Liked: 1737 times
Joined: Fri Jun 05, 2009 12:57 pm
Full Name: Tom Sightler

Re: vCenter Server Granular Permissions (v8)

by Vitaliy S. » Wed Feb 10, 2016 9:01 pm

dsellens wrote: "If you agree, then you need to provide guidance as to WHICH of the privileges need to be assigned on the entire DataCenter or vCenter level."

Yes, Tom is correct, 90% of the privileges from that doc have to be on the Datacenter/vCenter Server level. In this case administrative access to the vCenter Server is not required, but limiting "visibility" of the objects cannot be achieved via this document. Sounds like vCloud Director would be the best fit here.
