This section provides information on the account permissions required for the installation and use of Veeam MP for VMware.
OpsMgr Agent Account
The OpsMgr agent Action Account must have Administrator permissions on the server where the Veeam MP for VMware component (Collector, VE Service) runs.
VMware vCenter Server Connection Account
The account used to connect to VMware systems must have, at minimum, the Read-only privilege.
Gathering vSphere Datastore Data
To run the Scan Datastore for Unknown Files task, you must assign the Browse datastore privilege to the account and make sure that the Create task and Update task privileges are enabled.
To assign the privilege to the user role, edit the following role settings in the vSphere Client:
- In the Home section, navigate to Administration > Roles.
- Right-click the user role and select Edit Role.
- In the All Privileges list, expand the Datastore node and select the Browse datastore check box.
- Expand the Tasks node and select the Create task and Update task check boxes.
- Click OK.
You can create an appropriate user role and assign specific permissions to it in the vSphere Client as described in the VMware vSphere Security Guide, section Using Roles to Assign Privileges.
The account must be granted access to the complete vSphere hierarchy, not only to specific objects. You must not assign the No Access role or other restricted permissions to any part of the vCenter Server hierarchy. Limiting monitoring visibility through vCenter Server permissions is not supported. Instead, define which vSphere clusters and hosts to monitor in the Veeam UI. To learn how to disable and enable monitoring for specific vSphere objects in the Veeam UI, see Veeam UI Reference.
If you need to run tasks in the context of a virtual machine, you must assign the required privileges (Power On/Off VM and so on) to the VMware connection account.
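The role settings and hierarchy requirement described above can also be applied and checked with VMware PowerCLI. The script below is an added example, not part of the Veeam documentation; the server name, account name and role name are placeholders chosen for illustration.

```powershell
# Added example (VMware PowerCLI). The three values below are assumed placeholders.
$Server    = 'vcenter.example.test'    # placeholder vCenter Server
$Principal = 'EXAMPLE\svc-veeam-mp'    # placeholder connection account
$RoleName  = 'Veeam MP Monitoring'     # hypothetical role name

Connect-VIServer -Server $Server | Out-Null

# Read-only baseline plus the privileges the datastore scan task needs.
$baseline = Get-VIPrivilege -Role (Get-VIRole -Name 'ReadOnly')
$extra    = Get-VIPrivilege -Id 'Datastore.Browse', 'Task.Create', 'Task.Update'

# Create the role once; reuse it on later runs.
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege (@($baseline) + @($extra))
}

# Fail loudly if an existing role of that name lacks a required privilege.
$missing = $extra.Id | Where-Object { $role.PrivilegeList -notcontains $_ }
if ($missing) { throw "Role '$RoleName' lacks: $($missing -join ', ')" }

# Grant the role at the inventory root and propagate it to all child objects.
$root = Get-Folder -NoRecursion
$atRoot = Get-VIPermission -Entity $root -Principal $Principal -ErrorAction SilentlyContinue
if (-not $atRoot) {
    New-VIPermission -Entity $root -Principal $Principal -Role $role -Propagate:$true | Out-Null
}

# List every assignment for the account and flag No Access overrides,
# which the product does not support anywhere in the hierarchy.
$assignments = Get-VIPermission -Principal $Principal
$assignments | Select-Object Entity, Role, Propagate | Format-Table -AutoSize

$blocked = $assignments | Where-Object { $_.Role -eq 'NoAccess' }
if ($blocked) {
    Write-Warning "No Access assigned on: $(($blocked.Entity | ForEach-Object Name) -join ', ')"
}
```

The final check only sees permissions assigned directly to the account; restrictions inherited through group membership need to be reviewed separately.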
Veeam Virtualization Extensions Service Account
The account under which the VE Service runs must be a member of the Veeam Virtualization Extensions Users local group and have Administrator permissions.
Veeam VMware Collector Service Account
The Veeam VMware Collector service account must be:
- An administrative account on the server where the Veeam VMware Collector service runs.
- A member of the Veeam Virtualization Extensions Users local group on the server where the VE Service runs.
Connection to Veeam UI
To access the Veeam UI, to add and remove vCenter Server connections, to configure Collector settings and so on, a user must be a member of the Veeam Virtualization Extensions Users local group. This local group is created during the VE Service installation.
Collector Auto-Deployment Run As Account
The account in the Veeam VMware Collector Auto-Deployment Run As Profile must be:
- At minimum, OpsMgr Advanced Operator on all Management Servers that will host Collectors.
- Local Administrator on the Management Server where the VE Service will run.
- A member of the Veeam Virtualization Extensions Users local group on the server where the VE Service will run.