Automatically create vSphere roles to use with Veeam Backup & Replication V11


Userlevel 7
Badge +5
  • Veeam Legend, Veeam Vanguard
  • 79 comments

Good day everyone !

In November 2020 I created a PowerCLI script which creates a vSphere role with cumulative permissions for Veeam Backup & Replication version 10.

In the meantime VBR v11 was released and I needed to update that script and wanted to create “new awareness” of it. The fact that I see A LOT of Administrator@vsphere.local users being used with adding the vCenter to Veeam makes me nervous, that’s why I wanted to fight against this with a simple script so no one needs to manually go through the privileges. Now there is no excuse to use highly privileged user accounts !

This PowerShell / PowerCLI script lets you create a new vCenter server role with all the cumulative privileges and permissions to use them with Veeam Backup & Replication V11.

The privileges used are based on the recommendations out of the Veeam Help Center which you can find here: Cumulative Permission for VMware vSphere – Veeam Help Center

Simply execute the script and follow the steps to fill in the relevant data like your vCenter server name, the username and your password. The script will then ask you to choose a name for your new role and automatically creates it.

The script in action

The script was successfully tested against:

  • VMware vCenter 6.5
  • VMware vCenter 6.7
  • VMware vCenter 7.0

In conjunction with

  • Veeam Backup & Replication v10
  • Veeam Backup & Replication v11

To create this script I went into vSphere and created a new role where I manually clicked all the permission to do this once. After that, you can simply query the privileges (ID’s) of the new role with:

Get-VIPrivilege -Role VeeamV11 | Select-Object ID

What the script does then is having all the privilege ID’s in an array and create the desired role out of these given privilege ID’s.

$VeeamPrivileges = @(
'System.Anonymous',
'System.View',
'System.Read',
'Global.ManageCustomFields',
'Global.SetCustomField',
'Global.LogEvent',
'Global.Licenses',
'Global.Settings',
'Global.DisableMethods',
'Global.EnableMethods',
'Folder.Create',
'Folder.Delete',
'Datastore.Browse',
'Datastore.DeleteFile',
'Datastore.FileManagement',
'Datastore.AllocateSpace',
'Datastore.Config',
'Network.Config',
'Network.Assign',
. and
. so
. on

Using the “New-VIRole” command you can gather all those privileges out of the array and create the role with a simple script.

Due to the fact, that I often implement Veeam infrastructures at my customers I do not want to click the same roles together and that is why I created that script :grinning:

You can read about this on my blog:https://www.virtualhome.blog/2020/04/22/creating-a-vcenter-role-for-veeam-with-powercli/

The script is also online for free at Github: https://github.com/falkobanaszak/vCenter-role-for-Veeam

Furthermore I’d like to add 2 new “functions” to that script in the future, which are:

  • Assign a user to the new role
  • Add some sort of a function to check against an existing role, print the missing privileges and let the user decide to apply the missing privileges to the already existing role

So if anybody wants to participate feel free to fork that repository !

GitHub: https://github.com/falkobanaszak/vCenter-role-for-Veeam

Take care and everyone have a great week !

 


4 comments

Userlevel 7
Badge +3

@falkob : Thanks for sharing the awesome Script !

Userlevel 7
Badge +8

This is an awesome script @falkob and I have given it to our Automation teams to check out too.  We are using  automation for many things now and this works perfectly as I have tested it. Check it out folks. 😎

Userlevel 7
Badge +5

Thank you for sharing @falkob 

Userlevel 7
Badge +3

Thank you for sharing! I can see this being very useful

Comment