Good day everyone!
In November 2020 I created a PowerCLI script which creates a vSphere role with cumulative permissions for Veeam Backup & Replication version 10.
In the meantime VBR v11 was released, so I needed to update that script and wanted to create “new awareness” of it. The fact that I see A LOT of Administrator@vsphere.local users being used when adding the vCenter to Veeam makes me nervous; that’s why I wanted to fight against this with a simple script so no one needs to manually go through the privileges. Now there is no excuse to use highly privileged user accounts!
This PowerShell / PowerCLI script lets you create a new vCenter server role with all the cumulative privileges and permissions to use them with Veeam Backup & Replication V11.
The privileges used are based on the recommendations from the Veeam Help Center, which you can find here: Cumulative Permission for VMware vSphere – Veeam Help Center
Simply execute the script and follow the steps to fill in the relevant data like your vCenter server name, the username and your password. The script will then ask you to choose a name for your new role and automatically creates it.
The script was successfully tested against:
- VMware vCenter 6.5
- VMware vCenter 6.7
- VMware vCenter 7.0
In conjunction with:
- Veeam Backup & Replication v10
- Veeam Backup & Replication v11
To create this script I went into vSphere and created a new role where I manually clicked all the permissions to do this once. After that, you can simply query the privileges (IDs) of the new role with:
Get-VIPrivilege -Role VeeamV11 | Select-Object ID
The script then holds all the privilege IDs in an array and creates the desired role from these privilege IDs.
$VeeamPrivileges = @(
'System.Anonymous',
'System.View',
'System.Read',
'Global.ManageCustomFields',
'Global.SetCustomField',
'Global.LogEvent',
'Global.Licenses',
'Global.Settings',
'Global.DisableMethods',
'Global.EnableMethods',
'Folder.Create',
'Folder.Delete',
'Datastore.Browse',
'Datastore.DeleteFile',
'Datastore.FileManagement',
'Datastore.AllocateSpace',
'Datastore.Config',
'Network.Config',
'Network.Assign'
# ... and so on; the remaining privilege IDs are omitted here
)
Using the “New-VIRole” command you can pass all the privileges from the array and create the role with a simple script.
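As an added example (not the code of the script on GitHub), here is one way to turn such an array into a role with New-VIRole while checking that every privilege ID exists on the target vCenter, since the available IDs can differ between vCenter versions. The helper name New-LeastPrivilegeRole and the server name vcenter.example.local are assumptions, and the array holds only a few of the IDs shown above.

```powershell
# Added example; requires the VMware PowerCLI module.
# Only a subset of the privilege IDs listed on this page (the full list is in the script).
$VeeamPrivileges = @(
    'System.Anonymous', 'System.View', 'System.Read',
    'Global.LogEvent', 'Global.Licenses', 'Global.Settings',
    'Datastore.Browse', 'Datastore.AllocateSpace', 'Network.Assign'
)

function New-LeastPrivilegeRole {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $RoleName,
        [Parameter(Mandatory)] [string[]] $PrivilegeIds,
        [Parameter(Mandatory)] $Server
    )

    # Refuse to touch an existing role: it may already be assigned to accounts.
    if (Get-VIRole -Name $RoleName -Server $Server -ErrorAction SilentlyContinue) {
        throw "Role '$RoleName' already exists on $Server."
    }

    # Resolve IDs to privilege objects; IDs unknown to this vCenter drop out.
    $resolved = @(Get-VIPrivilege -Id $PrivilegeIds -Server $Server -ErrorAction SilentlyContinue)
    $missing  = @($PrivilegeIds | Where-Object { $_ -notin $resolved.Id })
    if ($missing.Count -gt 0) {
        Write-Warning "Not available on this vCenter: $($missing -join ', ')"
    }

    New-VIRole -Name $RoleName -Privilege $resolved -Server $Server
}

# Placeholder server name; Get-Credential prompts so no password is stored in the script.
$vc = Connect-VIServer -Server 'vcenter.example.local' -Credential (Get-Credential)
try {
    $role = New-LeastPrivilegeRole -RoleName 'VeeamV11' -PrivilegeIds $VeeamPrivileges -Server $vc
    # List what the new role actually grants so it can be compared with the intended set.
    Get-VIPrivilege -Role $role | Select-Object -ExpandProperty Id | Sort-Object
}
finally {
    Disconnect-VIServer -Server $vc -Confirm:$false
}
```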
Because I often implement Veeam infrastructures at my customers, I do not want to click the same roles together every time, and that is why I created that script.
You can read about this on my blog: https://www.virtualhome.blog/2020/04/22/creating-a-vcenter-role-for-veeam-with-powercli/
The script is also online for free at GitHub: https://github.com/falkobanaszak/vCenter-role-for-Veeam
Furthermore, I’d like to add 2 new “functions” to that script in the future, which are:
- Assign a user to the new role
- Add some sort of a function to check against an existing role, print the missing privileges and let the user decide to apply the missing privileges to the already existing role
So if anybody wants to participate, feel free to fork that repository!
Take care and everyone have a great week!