When installing Veeam Hyper-V MP, you should take into account following security considerations.
Ops Mgr Agent Operation
The Ops Mgr agent Action Account must be an Administrator on the Hyper-V host.
Veeam Virtualization Extensions Service
The account under which the Veeam Virtualization Extensions Service runs must be a member of the Veeam Virtualization Extensions Users local group and have Administrator rights on the server.
Connection to SCVMM (if present)
The account used to run discovery rules on System Center Virtual Machine Manager must have the following permissions to allow Ops Mgr agent on the SCVMM Server to discover and insert SCVMM-specific topology objects into Ops Mgr:
- The account must have at minimum Read-Only Administrator privileges to the VMM SDK.
- The account must be a Windows account.
- The account must be a member of the Virtual Machine Manager Servers group on the SCVMM server.
Configure the Run As profile in Ops Mgr to use such an account.
SCVMM is not a requirement for Veeam MP functionality. If discovered, VMM will be used as a container in Veeam MP Hyper-V Topology views; and certain additional properties will be collected (such as Cloud Name for each VM). However core monitoring and reporting functionality in Veeam MP does not require VMM.
Ops Mgr SDK Connection
To assign Veeam licenses to monitored Hyper-V hosts, it is required that there is SDK connection between the Veeam Virtualization Extensions Service and Ops Mgr. For this reason, VES must be installed on an Ops Mgr Management Server, and the VES service account must have the Operator or Author role assigned in Ops Mgr.
Veeam Task Manager for Hyper-V
Veeam Task Manager for Hyper-V is an on-demand dashboard which makes a direct connection to a Hyper-V cluster or host, independent of the Ops Mgr console.
To enable remote connections to Hyper-V hosts, as a minimum the account of the logged on console user must at minimum be added to the Performance Log Users group on all monitored Hyper-V hosts.