VMware Cloud Community
Bluetouch
Contributor

Minimum permissions to run Get-ApplianceBackupJob in PowerCLI

How can I find out what the minimum permissions are to run Get-ApplianceBackupJob?

It works for us ONLY for an account which is part of the vSphere "Administrators" default group.

There are no predefined groups in vCenters related to these new CmdLets, which are able to manage the VCSA appliance by logging in to the vSphere domain, without the need to access the VCSA:5480.

And the VMware documentation related to permissions vs. these kinds of special cmdlets is so poor that one is on his own to do some reverse engineering. The CmdLet has no Verbose parameter.

For an account NOT in the local vSphere "Administrators" group, all you get as an error is:

Get-ApplianceBackupJob : 11/25/2022 8:45:00 AM Get-ApplianceBackupJob One or more errors occurred.
At line:1 char:1
+ Get-ApplianceBackupJob
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ApplianceBackupJob], VimException
+ FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Appliance.Back
up.GetApplianceBackupJob

 


Accepted Solutions
LucD
Leadership

Afaik, a user that wants to interact with the Appliance needs to be in the Administrators group under Single Sign On - Users and Groups.

There are unfortunately no specific privilege requirements listed under the List Backup Job method in the REST API Reference (which is the actual method this cmdlet uses under the covers).


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

noct03
Contributor

Hi @Bluetouch 

How did you end up proceeding with this? I believe that I am trying to achieve the same thing that you were, which is to monitor the VCSA backup status.

Did you give the user that is connecting with PowerCLI admin permissions?

 

Thanks

Bluetouch
Contributor

"....Did you give the user that is connecting with PowerCLI admin permissions?"  interesting question. No comment.

One very weak workaround is to check on the backup files themselves. That gives you some time frame, size, etc., so some idea.

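The file-based workaround mentioned in the post above, as an added example that is not part of the original thread: a PowerShell function that needs only read access to the backup target and no vCenter or SSO rights. It assumes each backup run is written to its own subfolder below a root path; the function name, path and thresholds are hypothetical.

```powershell
# Added example: judge VCSA backup health from the files on the backup target.
# Assumption: every backup run writes its own subfolder below $BackupRoot.
function Test-BackupFolderHealth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $BackupRoot,  # hypothetical path to the backup target
        [int]      $MaxAgeHours  = 26,                # assumed daily schedule plus slack
        [double]   $MinSizeRatio = 0.5,               # flag newest run below 50% of the previous one
        [datetime] $Now = (Get-Date)
    )
    # One record per run folder: time of its newest file and its total size.
    $runs = @(foreach ($dir in Get-ChildItem -LiteralPath $BackupRoot -Directory) {
        $files = @(Get-ChildItem -LiteralPath $dir.FullName -File -Recurse)
        if ($files.Count -eq 0) { continue }          # empty folder: not a usable backup
        $newestFile = $files | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            Name      = $dir.Name
            LastWrite = $newestFile.LastWriteTime
            Bytes     = [long]($files | Measure-Object -Property Length -Sum).Sum
        }
    })
    $runs = @($runs | Sort-Object -Property LastWrite -Descending)

    $problems = @()
    if ($runs.Count -eq 0) {
        $problems += 'no backup folders containing files were found'
    } else {
        $newest   = $runs[0]
        $ageHours = ($Now - $newest.LastWrite).TotalHours
        if ($ageHours -gt $MaxAgeHours) {
            $problems += ('newest backup is {0:N1} h old (limit {1} h)' -f $ageHours, $MaxAgeHours)
        }
        # A sharp drop in size against the previous run can indicate a truncated backup.
        if (($runs.Count -gt 1) -and ($newest.Bytes -lt ($MinSizeRatio * $runs[1].Bytes))) {
            $problems += ('newest backup is {0} bytes, previous was {1}' -f $newest.Bytes, $runs[1].Bytes)
        }
    }
    [pscustomobject]@{
        Healthy  = ($problems.Count -eq 0)
        Newest   = if ($runs.Count -gt 0) { $runs[0] } else { $null }
        Problems = $problems
    }
}

# Example call (hypothetical UNC path):
# Test-BackupFolderHealth -BackupRoot '\\backupsrv\vcsa' | Format-List
```

The account running this check needs read permission on the backup share only, which keeps the monitoring identity out of the SSO Administrators group.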
noct03
Contributor

I am not sure what you mean by "No comment". I was simply asking if this is what you ended up doing. I would rather not have to do that.

As for the workaround, I also thought of that option, but that would be a last resort scenario. I would prefer to use the tools that are built into VCSA, but if there's no way to use them without giving admin permissions, I may not go that route.

Thank you for the reply.

Bluetouch
Contributor

I believe admins should be very cautious about what they share regarding their "internal environment configuration", especially when it comes to permissions. It is one thing to have a technical discussion about technical solutions and possibilities, and something else to write in public "how we have it done in our company", where and to what we have granted full admin access, etc.
