Permissions for Host-based Agentless Backup and Virtual Standby at vCenter Server Level

When you configure vCenter to manage virtual machines, generally you set up users or groups with vCenter administrator privileges. This approach helps to ensure that the vCenter accounts have unrestricted access to vCenter functionality and tasks. Optionally, you can create vCenter users and groups that can be used to facilitate only backup operations or only backup and restore operations.

When using vCenter non-administrative accounts to facilitate backup and restore operations, you create vCenter roles, assign privileges to the roles, and then apply the role to individual users or groups.

Note: As a best practice, VMware recommends that you allow non-administrative vCenter user accounts to be members of the Windows local administrator group.

Important! The following steps assume that you are familiar with how to configure vCenter users, groups, roles, and permissions. Consult the vCenter documentation as needed.

Follow these steps:

1. Log in to vCenter using the VI Client.
2. Open the Add New Roles dialog and specify a name for the role.



3. Expand All privileges.
4. (Optional) To allow the role to facilitate only backup operations, specify the following privileges:

Important! To allow the role to facilitate backup and restore operations, continue to the next step.

• Expand Virtual machine and Configuration, and specify the following privileges:
• Disk change tracking
• Disk Lease
• Add existing disk
• Add new disk
• Add or remove device
• Change resource
• Remove Disk
• Settings
• Expand Virtual machine and Provisioning, and specify the following privileges:
• Allow read-only disk access
• Allow virtual machine download
• Expand Virtual machine and specify the following privileges:
• vSphere 4: Expand State and specify Create snapshot, Remove snapshot, and Revert to snapshot.
• vSphere 5: Expand Snapshot management, expand State, and then specify Create snapshot, Remove snapshot, and Revert to snapshot.
• Expand Global and specify the following privileges:
• Disable methods
• Enable methods
• Licenses
• Go to Step 6.
5. To allow the role to facilitate backup and restore operations, specify the following privileges:
• Expand Datastore and specify the following privileges:
• Allocate space
• Browse datastore
• Low level file operations
• Expand Global and specify the following privileges:
• Disable methods
• Enable methods
• Licenses
• Expand Host, expand Local Operations, and then specify Reconfigure virtual machine.

Note: This privilege is only required when you need to perform backup and restore operations using the HotAdd transport mode.

• Expand Network and specify Assign Network.
• Expand Resource and click Assign Virtual Machine to resource pool.
• Expand Virtual machine and Configuration, and specify the following privileges:
• Add existing disk
• Add new disk
• Add or Remove device
• Advanced
• Change CPU count
• Change resource
• Disk change tracking
• Disk Lease
• Host USB device
• Memory
• Modify device setting
• Raw device
• Reload from path
• Remove disk
• Rename
• Reset guest information
• Settings
• Swapfile placement
• Upgrade virtual hardware
• Expand Virtual machine and Guest Operations, and specify the following privileges:
• Guest Operation Modifications
• Guest Operation Program Execution
• Guest Operation Queries (vSphere 5)
• Expand Virtual Machine and Interaction, and specify the following privileges:
• Power off
• Power on
• Expand Virtual machine and Inventory, and specify the following privileges:
• Create new
• Register
• Remove
• Unregister
• Expand Virtual machine and Provisioning, and specify the following privileges:
• Allow disk access
• Allow read-only disk access
• Allow virtual machine download
• Expand Virtual Machine and specify the following privileges:
• vSphere 4: Expand State and specify Create snapshot, Remove snapshot, and Revert to snapshot.
• vSphere 5: Expand Snapshot management, expand State, and then specify Create snapshot, Remove snapshot, and Revert to snapshot.
• Expand Profile-driven storage and specify the following privileges:
• Profile-driven storage update
• Profile-driven storage view
6. Click OK to create the role.
7. Open the Assign Permissions dialog, to assign the newly created role to users, groups, or both.



8. From the Users and Groups list, select the custom user that you want to use for backups and restores.
9. From the Assigned Role drop-down list, specify the role that you want to apply to the users or groups.
9. Click OK to apply the role to the users or groups.

Notes:

• To backup and restore virtual machines in the VMware vSphere environment, make sure to set the following permissions for the corresponding account at the vCenter Server level:
• Disable Methods
• Enable Methods
• Licenses
• You can allow the following cryptographic permissions to create and edit tag categories only at the root level:
• Add disk
• Direct Access
• Encrypt
• Encrypt new
• Migrate

The permissions are now defined for vCenter roles.