We are having trouble with Veeam Permissions on vSphere. If I grant privilege/permission sufficient to actually run backup/replication - then the end user can see either the hosts or every other item in inventory.
I have used the guide veeam_backup_7_0_permissions.pdf to create a vSphere role containing the "cumulative permissions" for all Veeam Functions.
If I apply this User/Role to the Resource Pool - the user cannot resolve any VMs in Veeam (although the vSphere client works fine and resolves only that user's VMs)
If I apply this User/Role to the vCenter/Data Center/Cluster without propagation and at the Resource Pool with propagation - the user cannot resolve any VMs in Veeam (although the vSphere client works fine and resolves only that user's VMs)
If I apply this User/Role to the vCenter/Data Center/Cluster/host without propagation and at the Resource Pool with propagation - the user can resolve VMs in Veeam, but can also see every host!
If I apply this User/Role to the vCenter/Data Center/Cluster with propagation and at the Resource Pool with propagation - the user can resolve VMs in Veeam, but can also see every host, and all of the other VMs!
It is a basic premise of Cloud Computing and any "_aaS" resource that users not be granted visibility outside their own resources. This includes host status, resources and anything beyond the end user's own resource pool! If I chose to, I should be able to host the Hatfields and McCoys on the same infrastructure without the other ever knowing.
Thanks appreciated
This is: Case #00748143
- Service Provider
- Posts: 234
- Liked: 40 times
- Joined: Mar 08, 2010 4:05 pm
- Full Name: John Borhek
Veeam permissions on vSphere
John Borhek, Solutions Architect
https://vmsources.com
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
Re: Veeam permissions on vSphere
unsichtbarre wrote: If I apply this User/Role to the Resource Pool - the user cannot resolve any VMs in Veeam (although the vSphere client works fine and resolves only that user's VMs)
Permissions should be applied on the Datacenter or vCenter Server level, otherwise vStorage API for Data Protection will not function. Thanks!
- Service Provider
- Posts: 234
- Liked: 40 times
- Joined: Mar 08, 2010 4:05 pm
- Full Name: John Borhek
Re: Veeam permissions on vSphere
Update for Veeam 8 - vSphere 6.0.0b (Veeam Support - Case # 00971924)
Permissions as defined in: http://veeampdf.s3.amazonaws.com/guide/ ... ssions.pdf have been applied at the vCenter, Datacenter, ESXi Host and Resource Pool level.
Replications work if the permission is allowed to propagate, but then a user can "see" other users' VMs/Networks/Datastores when configuring a job.
Replications fail if the permission does not propagate at the vCenter, Datacenter and ESXi Host (even when the same permission is configured individually at each level). The big deal here is that we maintain separation between users/groups and user10 needs to be prevented from accidentally or deliberately replicating to a Datastore or Network assigned to user5.
John Borhek, Solutions Architect
https://vmsources.com
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
Re: Veeam permissions on vSphere
John, yes, that's correct - propagate rule is required to make it work. This is how vSphere permissions work.
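
An added example (not from the thread, and not Veeam or VMware code): a simplified Python model of vSphere's permission propagation rule, run over a constructed inventory, showing which objects user10 holds a role on in the propagating and the per-object layouts discussed above. The inventory names, the role name `VeeamRole` and the single-parent tree are assumptions; the model covers only vSphere's inheritance rule, not what Veeam needs in order to run a job.

```python
# Simplified model of vSphere permission inheritance (constructed inventory).
# Assumption: every object has one parent; real VMs inherit from several.
PARENT = {
    "vcenter": None, "dc1": "vcenter", "cluster1": "dc1",
    "esxi01": "cluster1", "rp-user10": "cluster1", "rp-user5": "cluster1",
    "vm-user10-a": "rp-user10", "vm-user5-a": "rp-user5",
    "ds-user10": "dc1", "ds-user5": "dc1",
    "net-user10": "dc1", "net-user5": "dc1",
}

def effective_role(obj, user, perms):
    """perms is a list of (entity, principal, role, propagate) tuples."""
    mine = {e: (role, prop) for e, who, role, prop in perms if who == user}
    if obj in mine:                      # permission set directly on the object wins
        return mine[obj][0]
    node = PARENT[obj]
    while node is not None:              # otherwise the nearest propagating ancestor
        if node in mine and mine[node][1]:
            return mine[node][0]
        node = PARENT[node]
    return None

def visible(user, perms):
    """Objects on which the user ends up holding any role."""
    return sorted(o for o in PARENT if effective_role(o, user, perms))

def cross_tenant(user, perms):
    """Tenant-owned objects (named '...-userN...') that belong to someone else."""
    return [o for o in visible(user, perms) if "user" in o and user not in o]

ROLE = "VeeamRole"  # hypothetical role name
# Layout 1: role propagates from the vCenter root and from the resource pool.
PROPAGATING = [("vcenter", "user10", ROLE, True),
               ("rp-user10", "user10", ROLE, True)]
# Layout 2: role set per object without propagation, propagating only at the pool.
PER_OBJECT = [("vcenter", "user10", ROLE, False),
              ("dc1", "user10", ROLE, False),
              ("esxi01", "user10", ROLE, False),
              ("rp-user10", "user10", ROLE, True)]

if __name__ == "__main__":
    for name, perms in (("propagating", PROPAGATING), ("per-object", PER_OBJECT)):
        print(name, "visible:", visible("user10", perms))
        print(name, "other tenants:", cross_tenant("user10", perms))
```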