Veeam permissions on vSphere


by unsichtbarre » Tue Feb 10, 2015 3:52 pm

We are having trouble with Veeam Permissions on vSphere. If I grant privilege/permission sufficient to actually run backup/replication - then the end user can see either the hosts or every other item in inventory.

I have used the guide: veeam_backup_7_0_permissions.pdf to create a vSphere role containing the "cumulative permissions" for all Veeam Functions.

If I apply this User/Role to the Resource Pool - the user cannot resolve any VMs in Veeam (although the vSphere client works fine and resolves only that user's VMs)

If I apply this User/Role to the vCenter/Data Center/Cluster without propagation and at the Resource Pool with propagation - the user cannot resolve any VMs in Veeam (although the vSphere client works fine and resolves only that user's VMs)

If I apply this User/Role to the vCenter/Data Center/Cluster/host without propagation and at the Resource Pool with propagation - the user can resolve VMs in Veeam, but can also see every host!

If I apply this User/Role to the vCenter/Data Center/Cluster with propagation and at the Resource Pool with propagation - the user can resolve VMs in Veeam, but can also see every host, and all of the other VMs!

It is a basic premise of Cloud Computing and any "_aaS" resource that users not be granted visibility outside their own resources. This includes host status, resources and anything beyond the end user's own resource pool! If I chose to, I should be able to host the Hatfields and McCoys on the same infrastructure without the other ever knowing.

Thanks appreciated

This is: Case #00748143
unsichtbarre
Enthusiast
 
Posts: 61
Liked: 14 times
Joined: Mon Mar 08, 2010 4:05 pm
Full Name: John Borhek
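
The four placements described in the post above, modelled as an added example that is not part of the original thread and is not Veeam or VMware code. It computes only where the role takes effect in vSphere under the propagate flag (not whether Veeam can resolve VMs). Assumptions: the inventory and all object names are constructed, each object has a single parent, and VM folders, datastores and networks are left out.

```python
# Constructed inventory (child -> parent); simplified single-parent model.
PARENT = {
    "dc": "vcenter",
    "cluster": "dc",
    "host1": "cluster", "host2": "cluster",
    "rp-tenantA": "cluster", "rp-tenantB": "cluster",
    "vmA1": "rp-tenantA", "vmA2": "rp-tenantA",
    "vmB1": "rp-tenantB",
}
OBJECTS = ["vcenter", *PARENT]
TENANT_A = {"rp-tenantA", "vmA1", "vmA2"}      # what tenant A should reach
CONTAINERS = {"vcenter", "dc", "cluster"}      # structural objects above the pool

def effective(assignments):
    """assignments: {object: propagate_flag} for one user/role.
    Returns the objects on which that role is in effect."""
    reached = set()
    for obj in OBJECTS:
        node, direct = obj, True
        while node is not None:
            # A permission counts if set on the object itself, or on an
            # ancestor with the propagate flag enabled.
            if node in assignments and (direct or assignments[node]):
                reached.add(obj)
                break
            node, direct = PARENT.get(node), False
    return reached

def exposure(assignments):
    """Objects the role reaches beyond tenant A's pool and the containers."""
    return sorted(effective(assignments) - TENANT_A - CONTAINERS)

NO_PROP = {"vcenter": False, "dc": False, "cluster": False}
# The four placements from the post. Propagation on the pool in the first
# case is an assumption; the post does not state it.
PLACEMENTS = {
    "pool only": {"rp-tenantA": True},
    "containers (no propagate) + pool": {**NO_PROP, "rp-tenantA": True},
    "containers + hosts (no propagate) + pool":
        {**NO_PROP, "host1": False, "host2": False, "rp-tenantA": True},
    "containers (propagate) + pool":
        {"vcenter": True, "dc": True, "cluster": True, "rp-tenantA": True},
}

if __name__ == "__main__":
    for name, assignment in PLACEMENTS.items():
        print(f"{name:42} -> {exposure(assignment) or 'nothing outside tenant A'}")
```
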

Re: Veeam permissions on vSphere

by Vitaliy S. » Fri Feb 20, 2015 10:38 am

unsichtbarre wrote: If I apply this User/Role to the Resource Pool - the user cannot resolve any VMs in Veeam (although the vSphere client works fine and resolves only that user's VMs)

Permissions should be applied on the Datacenter or vCenter Server level, otherwise vStorage API for Data Protection will not function. Thanks!
Vitaliy S.
Veeam Software
 
Posts: 19545
Liked: 1099 times
Joined: Mon Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov

Re: Veeam permissions on vSphere

by unsichtbarre » Thu Jul 30, 2015 8:56 pm

Update for Veeam 8 - vSphere 6.0.0b (Veeam Support - Case # 00971924)

Permissions as defined in: http://veeampdf.s3.amazonaws.com/guide/ ... ssions.pdf

have been applied at the vCenter, Datacenter, ESXi Host and Resource Pool level.

Replications work if the permission is allowed to propagate, but then a user can "see" other users' VMs/Networks/Datastores when configuring a job.

Replications fail if the permission does not propagate at the vCenter, Datacenter and ESXi Host (even when the same permission is configured individually at each level). The big deal here is that we maintain separation between users/groups and user10 needs to be prevented from accidentally or deliberately replicating to a Datastore or Network assigned to user5.

Re: Veeam permissions on vSphere

by Vitaliy S. » Sun Aug 02, 2015 8:47 pm

John, yes, that's correct - propagate rule is required to make it work. This is how vSphere permissions work.