Veeam Home | Support | Downloads
Veeam Management Pack 8.0 for VMware User Guides

Veeam Management Pack Help Center  > Veeam MP for VMware Guides >  Installation Guide > Security Considerations > Accounts and Privileges

Accounts and Privileges

Previous page Next page Print this Topic

Table of contents

Ops Mgr Agent Operation

The Ops Mgr agent action account must be an Administrator of the server where the Veeam component (Veeam Collector, VE Service) is running.

Connection to VMware vCenter

The account used to connect to VMware systems must have at minimum Read-only privilege.

Gathering vSphere Datastore Data

To be able to run the Scan Datastore for Unknown Files task, you should assign the Browse datastore privilege to the account, and make sure that the Create and Update task permissions are enabled.

To assign the privilege to the user role, edit the following role settings:

1.Go to All Privileges > Datastore and enable Browse datastore.
2.Go to All Privileges > Tasks, and enable Create task and Update task.

Click the image to zoom in

To create the appropriate user role and assign specific permissions, use the vSphere Client, as described in VMware documentation.

Access should be provided to the complete vSphere hierarchy and not only to specific objects. Using No Access or otherwise restricted permissions to any part of the vCenter hierarchy to configure monitoring visibility is not supported. To define which vSphere clusters and hosts are monitored, use the Veeam UI and check/uncheck clusters and hosts as required.

noteNote

If MP Tasks in the context of virtual machine are required, the VMware connection account must be assigned the required elevated privileges to run the task (Power On/Off VM and so on).

Veeam Virtualization Extensions Service Account

The account under which the VE Service runs must be a member of the Veeam Virtualization Extensions Users local group and have Administrator rights.

Veeam VMware Collector Service Account

The Veeam VMware Collector service account must be:

An administrative account on the server where the Veeam VMware Collector service runs.
A member of the Veeam Virtualization Extensions Users local group on the server running VE Service.

Connection to Veeam UI

To access the Veeam UI (for addition/removal of vCenter connections, configuring Veeam Collector settings and so on), users must be included in the local group named Veeam Virtualization Extensions Users. This local group is created during VE Service installation.

Collector Auto-Deployment Run As Account

The account in the Veeam VMware Collector Auto-Deployment Run As Profile must be:

At minimum OpsManager Advanced Operator on Management Servers that will host Veeam Collectors.
Local Administrator on Management Server where the VE Service runs.

The account must also be a member of the Veeam Virtualization Extensions Users local group on the server where the VE Service runs.

Table of contents