Define the Permissions for vCenter Roles

When you configure vCenter to manage virtual machines, under most circumstances you set up users or groups with vCenter administrator privileges. This approach helps to ensure that the vCenter accounts have unrestricted access to vCenter functionality and tasks. Optionally, you can create vCenter users and groups that can be used to facilitate only backup operations or only backup and restore operations.

When using vCenter nonadministrative accounts to facilitate backup and restore operations, you create vCenter roles, assign privileges to the roles, and then apply the role to individual users or groups.

Note: As a best practice, VMware recommends that you allow nonadministrative vCenter user accounts to be members of the Windows local administrator group.

Important! The following steps assume that you are familiar with how to configure vCenter users, groups, roles, and permissions. Consult the vCenter documentation as needed.

Follow these steps:

  1. Log in to vCenter using the VI Client.
  2. Open the Add New Roles dialog and specify a name for the role.
  3. Expand All privileges.
  4. (Optional) To allow the role to facilitate only backup operations, specify the following privileges:
  5. Important! To allow the role to facilitate backup and restore operations, continue to the next step.

  6. Navigate to Step 7.
  7. To allow the role to facilitate backup and restore operations, specify the following privileges:
    • Expand Datastore and specify the following privileges:
      • Allocate space
      • Browse datastore
      • Low level file operations
    • Expand Global and specify the following privileges:
      • Disable methods
      • Enable methods
      • Licenses
    • Expand Host, expand Local Operations, and then specify Reconfigure virtual machine.
      Note: This privilege is only required when you need to perform backup and restore operations using the Hotadd transport mode.
    • Expand Network and specify Assign Network.
    • Expand Resource and click Assign Virtual Machine to resource pool.
    • Expand Virtual machine and Configuration, and specify the following privileges:
      • Add existing disk
      • Add new disk
      • Add or Remove device
      • Advanced
      • Change CPU count
      • Change resource
      • Disk change tracking
      • Disk Lease
      • Host USB device
      • Memory
      • Modify device setting
      • Raw device
      • Reload from path
      • Remove disk
      • Rename
      • Reset guest information
      • Settings
      • Swapfile placement
      • Upgrade virtual hardware
    • Expand Virtual machine and Guest Operations, and specify the following privileges:
      • Guest Operation Modifications
      • Guest Operation Program Execution
      • Guest Operation Queries (vSphere 5)
    • Expand Virtual Machine and Interaction, and specify the following privileges:
      • Power off
      • Power on
    • Expand Virtual machine and Inventory, and specify the following privileges:
      • Create new
      • Register
      • Remove
      • Unregister
    • Expand Virtual machine and Provisioning, and specify the following privileges:
      • Allow disk access
      • Allow read-only disk access
      • Allow virtual machine download
    • Expand Virtual Machine and specify the following privileges:
      • vSphere 4: Expand State and specify Create snapshot, Remove snapshot, and Revert to snapshot.
      • vSphere 5: Expand Snapshot management, expand State, and then specify Create snapshot, Remove snapshot, and Revert to snapshot.
      • vSphere 6: Expand Snapshot management, expand State, and then specify Create snapshot, Remove snapshot, and Revert to snapshot.
  8. Click OK to create the role.
  9. Open the Assign Permissions dialog to assign the newly created role to users, groups, or both.
  10. From the Users and Groups list, select the custom user that you want to use for backups and restores.
  11. From the Assigned Role drop-down list, specify the role that you want to apply to the users or groups.
  12. Click OK to apply the role to the users or groups.

The permissions are now defined for vCenter roles.
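
A least-privilege check for the backup-and-restore role from step 7, added here as an example and not part of the original procedure or the product's own tooling: it compares a role's privilege IDs with the list above and reports missing and excess entries. The mapping from the UI labels to vSphere API privilege IDs and the sample role are supplied by this example.

```python
# vSphere API privilege IDs for the UI labels in step 7. The label-to-ID
# mapping is supplied by this example; the original page gives labels only.
REQUIRED = {
    "Datastore": ["AllocateSpace", "Browse", "FileManagement"],
    "Global": ["DisableMethods", "EnableMethods", "Licenses"],
    "Network": ["Assign"],
    "Resource": ["AssignVMToPool"],
    "VirtualMachine.Config": [
        "AddExistingDisk", "AddNewDisk", "AddRemoveDevice", "AdvancedConfig",
        "CPUCount", "Resource", "ChangeTracking", "DiskLease", "HostUSBDevice",
        "Memory", "EditDevice", "RawDevice", "ReloadFromPath", "RemoveDisk",
        "Rename", "ResetGuestInfo", "Settings", "SwapPlacement",
        "UpgradeVirtualHardware"],
    "VirtualMachine.GuestOperations": ["Modify", "Execute", "Query"],
    "VirtualMachine.Interact": ["PowerOff", "PowerOn"],
    "VirtualMachine.Inventory": ["Create", "Register", "Delete", "Unregister"],
    "VirtualMachine.Provisioning": ["DiskRandomAccess", "DiskRandomRead",
                                    "GetVmFiles"],
    "VirtualMachine.State": ["CreateSnapshot", "RemoveSnapshot",
                             "RevertToSnapshot"],
}
HOTADD_ONLY = "Host.Local.ReconfigVM"  # required only for Hotadd transport mode
# System privileges present in every role; not reported as excess.
IMPLICIT = {"System.Anonymous", "System.Read", "System.View"}


def expected_privileges(hotadd=False):
    """Return the privilege IDs the backup-and-restore role should hold."""
    ids = {f"{g}.{n}" for g, names in REQUIRED.items() for n in names}
    return ids | {HOTADD_ONLY} if hotadd else ids


def audit_role(granted, hotadd=False):
    """Compare a role's privilege IDs with the expected set."""
    granted = set(granted) - IMPLICIT
    expected = expected_privileges(hotadd)
    return {"missing": sorted(expected - granted),
            "excess": sorted(granted - expected)}


def sample_role():
    """Constructed export: one privilege dropped, two extras, Hotadd kept."""
    ids = expected_privileges(hotadd=True) | IMPLICIT
    ids.discard("VirtualMachine.Config.ChangeTracking")
    return ids | {"Authorization.ModifyPermissions",
                  "VirtualMachine.Interact.ConsoleInteract"}


if __name__ == "__main__":
    print(audit_role(sample_role(), hotadd=False))
```

When Hotadd transport mode is not in use, the Host privilege is reported as excess and can be removed from the role.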