Greetings friends, I will start writing a few articles regarding some great functionalities that came in Veeam ONE v12.
For those that are not very familiar with Veeam ONE yet, Veeam ONE is a powerful monitoring, reporting, and observability tool that offers multi-tenant access, allowing multiple users to simultaneously access its features and manage their respective virtual environments using Veeam ONE Web Client, and Veeam ONE Client.
This level of access provides flexibility and convenience for organizations managing resources across different business units or organizations. However, there might be situations where disabling multi-tenant access is necessary for security or management purposes. In this blog post, we will discuss the new functionality that disables Veeam ONE multi-tenant access and the impact it has on user authentication.
Why disabling Multi-Tenant Access in Veeam ONE?
There could be several reasons for disabling multi-tenant access in Veeam ONE, some of the ones we hear the most are:
- Strengthening security by restricting access to sensitive infrastructure data and limiting the scope of virtual infrastructure objects. As by default, Veeam ONE will ask vSphere for the privilege the logged user has to the VMs, Hosts, etc.
- Meeting regulatory or compliance requirements that mandate restricted access to certain data or resources.
Disabling Multi-Tenant Access: What Happens Next?
When multi-tenant access is explicitly disabled, Veeam ONE’s authentication will be restricted to three local groups:
- Veeam ONE Administrators: Members of this group can access monitoring data, generate reports, and modify all Veeam ONE configuration settings. The Veeam ONE service account must be included in this group.
- Veeam ONE Power Users: Members of this group have read access to monitoring data and can generate reports, but do not have access to Veeam ONE configuration settings.
- Veeam ONE Read-Only Users: Members of this group can generate reports and access monitoring data in read-only mode, but cannot modify any Veeam ONE configuration settings.
In order to disable Veeam ONE Multi-Tenant access, it will be as simple as going to Server Settings > Other, finding the option, and enabling it:
Impact on User Access and Permissions
By disabling multi-tenant access, organizations can achieve tighter control over their virtual infrastructure, with a more streamlined approach to managing permissions. This change means that users will no longer be able to monitor and report on systems owned by their specific business units or organizations, as was possible with multi-tenant access enabled. Instead, permissions will be limited to the three local groups mentioned above, simplifying access control while maintaining data security.
For example, this is how a user with Domain Admin privileges, and even vSphere Administrator privileges, but not Veeam ONE access at all, will see after introducing his user/pass:
As you can see it is now very strict, and the user, or group, will need to be added to one of the Veeam ONE groups mentioned above.
Quick words to finish
The new functionality to disable multi-tenant access in Veeam ONE is a valuable addition for organizations seeking greater control over their virtual infrastructure and data security. By restricting access to three local groups, this feature simplifies management while maintaining the ability to monitor and generate reports. Whether for security, compliance, or management reasons, disabling multi-tenant access in Veeam ONE v12 offers a streamlined and secure solution for your Data Platform monitoring, and reporting.
Leave a Reply