I have created a Role ('Veeam User') containing all of the specific privileges defined in: http://veeampdf.s3.amazonaws.com/guide/veeam_backup_8_permissions.pdf
- I have created a Permission and assigned the Role of Veeam User to a user (without propagation) at the vCenter, Datacenter, Cluster and ESXi Host levels.
- I have created a Permission and assigned the Role of Administrator to a user (allowing propagation) at the Resource Pool, Folder, Network and Datastore levels.
In this scenario using the vSphere Client(s) the named user to access specific resources to which they have been assigned and perform just about any operation required, without exposing resources (Datastores or VMs) to which that user is not entitled. This works perfectly from a vSphere perspective and allows us to separate users/departments.
Unfortunately, Veeam fails part way through the replication process with the cryptic message 'Permission to perform this operation denied.' Using the named user, Veeam is able to add the vCenter, create the job, run the job, create the replica container, but seems to fail at the point it tries to create the 'helper snapshot,' which is the working snapshot on the replica side. There are no visible errors in vSphere Tasks & Events or logs.
Incidentally, if I allow the Veeam user to propagate from the vCenter level, the job functions flawlessly, but the user is able to see and select resources like Datastores to which they are not authorized!
Any help immensely appreciated!
See also my post on Veeam: Veeam permissions on vSphere | view topic