Veeam role in ONTAP

If you wish to configure Veeam with NetApp Storage Snapshot integration but want to provide the least amount of privileges, you can create a role with only required permissions on your ONTAP system.

You'll find the requirements on the Veeam website, in the Veeam Help Center page "NetApp Data ONTAP/Lenovo Thinksystem DM Permissions - Storage System Snapshot Integration Guide".

Based on your own requirements, you can choose between several configurations. On my side, I will go with the cluster-wide VMware integration.

Now, how do you set it up in ONTAP?

You can create a role by using your cluster shell.

security login role create -vserver <cluster_name> -role veeam -cmddirname "DEFAULT" -access readonly
security login role create -vserver <cluster_name> -role veeam -cmddirname "cluster" -access readonly
security login role create -vserver <cluster_name> -role veeam -cmddirname "metrocluster" -access readonly
security login role create -vserver <cluster_name> -role veeam -cmddirname "vserver fcp" -access readonly
security login role create -vserver <cluster_name> -role veeam -cmddirname "volume file" -access readonly
security login role create -vserver <cluster_name> -role veeam -cmddirname "lun igroup" -access all
security login role create -vserver <cluster_name> -role veeam -cmddirname "vserver iscsi" -access all
security login role create -vserver <cluster_name> -role veeam -cmddirname "network" -access readonly
security login role create -vserver <cluster_name> -role veeam -cmddirname "system node" -access readonly
security login role create -vserver <cluster_name> -role veeam -cmddirname "security" -access readonly
security login role create -vserver <cluster_name> -role veeam -cmddirname "security login" -access readonly
security login role create -vserver <cluster_name> -role veeam -cmddirname "set" -access readonly
security login role create -vserver <cluster_name> -role veeam -cmddirname "snapmirror" -access all
security login role create -vserver <cluster_name> -role veeam -cmddirname "system" -access readonly
security login role create -vserver <cluster_name> -role veeam -cmddirname "version" -access readonly
security login role create -vserver <cluster_name> -role veeam -cmddirname "volume qtree" -access readonly
security login role create -vserver <cluster_name> -role veeam -cmddirname "lun" -access all
security login role create -vserver <cluster_name> -role veeam -cmddirname "vserver nfs" -access all
security login role create -vserver <cluster_name> -role veeam -cmddirname "volume snapshot" -access all
security login role create -vserver <cluster_name> -role veeam -cmddirname "volume" -access all
security login role create -vserver <cluster_name> -role veeam -cmddirname "vserver" -access all

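Then create the service account

You can do this by entering this command. The -role veeam parameter assigns the role created above; without it, ONTAP applies the default role, which is admin on the cluster Vserver.

security login create -user-or-group-name svc_veeam -vserver <cluster_name> -application ontapi -authentication-method password -role veeam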

Done.
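
To keep the role from drifting over time, a saved copy of the role commands can be compared against the baseline above. This is an added example, not code from Veeam or NetApp: the function names, the cluster name cluster1 and the tampered sample are constructed for illustration, and it audits the text of the create commands rather than live cluster output.

```python
import shlex

# Baseline copied from the role definition on this page.
READONLY = ["DEFAULT", "cluster", "metrocluster", "vserver fcp", "volume file",
            "network", "system node", "security", "security login", "set",
            "system", "version", "volume qtree"]
FULL = ["lun igroup", "vserver iscsi", "snapmirror", "lun", "vserver nfs",
        "volume snapshot", "volume", "vserver"]
BASELINE = {**dict.fromkeys(READONLY, "readonly"), **dict.fromkeys(FULL, "all")}

def parse_role_commands(text, role="veeam"):
    """Map command directory -> access for one role's 'role create' lines."""
    found = {}
    for line in text.splitlines():
        tokens = shlex.split(line)  # keeps quoted names like "volume snapshot" whole
        if tokens[:4] != ["security", "login", "role", "create"]:
            continue
        opts = dict(zip(tokens[4::2], tokens[5::2]))
        if opts.get("-role") == role:
            found[opts["-cmddirname"]] = opts["-access"]
    return found

def audit(found, baseline=BASELINE):
    """Return (kind, directory, detail) tuples for every deviation from baseline."""
    findings = []
    for cmd, access in sorted(found.items()):
        expected = baseline.get(cmd)
        if expected is None:
            findings.append(("unexpected", cmd, access))
        elif access != expected:
            findings.append(("drift", cmd, f"{expected}->{access}"))
    for cmd in sorted(set(baseline) - set(found)):
        findings.append(("missing", cmd, baseline[cmd]))
    return findings

def render(role_map, vserver="cluster1", role="veeam"):
    """Rebuild the CLI lines for a role map (cluster1 is a constructed name)."""
    return "\n".join(
        f'security login role create -vserver {vserver} -role {role} '
        f'-cmddirname "{cmd}" -access {acc}' for cmd, acc in role_map.items())

# Constructed sample: the page's role with three deliberate deviations.
tampered = dict(BASELINE, security="all", storage="all")
del tampered["version"]
SAMPLE = render(tampered)

if __name__ == "__main__":
    for finding in audit(parse_role_commands(SAMPLE)):
        print(*finding, sep="\t")
```

A "drift" from readonly to all or an "unexpected" directory is the finding to act on first, since either one widens what the service account can change.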

At this time, Veeam still relies on ONTAPI (ZAPI), which has reached end of availability (EOA) in ONTAP 9.14.1. Hopefully, if you upgrade to 9.14.1 and are using ONTAPI, the feature will remain enabled.

Anyway, it is still possible to re-enable ONTAPI with this command.

system services web ontapi modify -suspended false