How to find out, what are the minimum permissions to run Get-ApplianceBackupJob?
It works for us ONLY for account which is part of the vSphere "Administrators" default group.
There are no predefined groups in vCenters related to these new CmdLets which are able to manage VCSA appliance by login to vSphere domain, without the need to access the VCSA:5480.
And VMware documentation related to permissions vs these kind of special cmdlets is so poor, that one is on his own to do some reverse engineering. The CmdLet has no Verbose parameter.
For account NOT in the local vSphere "Administrators" group, all you get as an error is:
Get-ApplianceBackupJob : 11/25/2022 8:45:00 AM Get-ApplianceBackupJob One or more errors occurred.
At line:1 char:1
+ Get-ApplianceBackupJob
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ApplianceBackupJob], VimException
+ FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.ViCore.Cmdlets.Commands.Appliance.Back
up.GetApplianceBackupJob
Afaik, a user that wants to interact with the Appliance needs to be in the Administrators group under Single Sign On - Users and Groups.
There are unfortunately no specific privilege requirements listed under the List Backup Job method in the REST API Reference (which is the actual method this cmdlet uses under the covers).
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Afaik, a user that wants to interact with the Appliance needs to be in the Administrators group under Single Sign On - Users and Groups.
There are unfortunately no specific privilege requirements listed under the List Backup Job method in the REST API Reference (which is the actual method this cmdlet uses under the covers).
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Hi @Bluetouch
How did you end up proceeding with this? I believe that I am trying to achieve the same thing that you were, which is to monitor the VCSA backup status.
Did you give the user that is connecting with PowerCLI admin permissions?
Thanks
"....Did you give the user that is connecting with PowerCLI admin permissions?" interesting question. No comment.
One very weak workaround is to check on the backup files itself. That gives you some time frame, size, etc., so some idea.
I am not sure what you mean by "No comment". I was simply asking if this is what you ended up doing. I would rather not have to do that.
As for the workaround, I also thought of that option but that would be a last resort scenario. I would prefer to use the tools that are built in VCSA but if there's no way to use them without giving admin permissions, I may not go that route.
Thank you for the reply.
I believe admins should be very caution about what they share regarding their "internal environment configuration", especially when it comes to permissions. One thing is to have technical discussion about technical solutions and possibilities and something else is writing in public "how we have it done in our company", where to what we have granted full admin access, etc.