What are the minimum permissions needed to properly back up and restore using the vStorage API?

Article: 100001960
Last Published: 2023-04-27
Product(s): NetBackup & Alta Data Protection


Problems occur when backing up and restoring VMware virtual machines via vCenter or ESX. The role assigned to the account that NetBackup uses to interface with VMware's vCenter may not have the privileges necessary to perform the operations.


VERITAS recommends cloning the administrator role, and using that for Backup and Restore operations.  This role is guaranteed to have all the necessary privileges to perform the operation in all environments.

The following privileges can be allocated to a role and assigned to the NetBackup user to perform vADP backups and restores. These are the minimum required permissions that have been found to be sufficient in the tests performed by VERITAS for a basic vSphere environment. The permissions are best propagated downwards from the root of the vSphere level. Additional privileges might be required if advanced features are in use. The content of this document is subject to change.

The account configured in the NetBackup Administration Console -> Media and Device Management -> Credentials -> NetBackup Virtual Machine Server should be assigned to a role configured as follows at the vSphere level, with the 'Propagate to Child Objects' checkbox checked.

Tested with vSphere 8.0, 7.0, 6.7, 6.5, 6.0, vSphere 5.5, and vSphere 5.0.  
All patches or updates are supported unless otherwise stated.

Cryptographic Operations
    Direct Access
    Encrypt New

    Allocate space    
    Browse datastore    
    Configure datastore    
    Low level file operations    
    Update virtual machine files    
    Update virtual machine metadata    
    Cancel task    
    Disable methods    
    Enable methods    
    Global tag     
    Log event    
    Set custom attribute      
            Advanced settings
            Storage partition configuration
    Assign network    
    Assign vApp to resource pool
    Assign virtual machine to resource pool    
    Create task    
    Update task    


    Add virtual machine
    Assign resource pool
    Power off
    Power on 

Virtual Machine        
    Change Configuration     
            Acquire Disk Lease
            Add existing disk
            Add new disk
            Add or remove device
            Change Settings
            Change Swapfile placement
            Change resource
            Configure Raw device
            Modify device settings
            Remove disk
            Set annotation
            Toggle Disk Change Tracking

    Edit Inventory    
            Create from existing
            Create New

            Power Off
            Power On

            Allow disk access
            Allow read-only disk access
            Allow virtual machine download

    Snapshot management
            Create snapshot
            Remove Snapshot
            Revert to snapshot

vSphere Tagging
    Assign or Unassign vSphere Tag

When using the NetBackup Plugin for vCenter the following privileges can be added:

NetBackup Recovery        
    Add or Remove NetBackup Servers    
    Virtual Machine Recovery    

For vSphere 5.5 the Inventory Service name differs:
vCenter Inventory Service        
     vCenter Inventory Service Tagging     
        Assign or Unassign Inventory Service Tag

If you are using the VMware Agentless recovery feature in 8.2.x or higher, then verify that the following privileges are added:

Virtual Machine        
    Guest Operations     
            Guest operation queries
            Guest operation modifications
            Guest operation program execution

Virtual Machine
    Change Configuration 
            Remove disk
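
An added example (not from Veritas or this article): a Python check that compares a role's exported privileges with a baseline written in the article's indented layout, and reports what is missing and what exceeds the baseline. The baseline holds only two branches of the list above, the SAMPLE_ROLE export is constructed, and the function names are illustrative.

```python
# Added example: audit a role export against a privilege baseline.
# BASELINE and AGENTLESS copy two branches of the article's list (a subset,
# not the full minimum); SAMPLE_ROLE is constructed data, not a real export.
BASELINE = """\
Virtual Machine
    Change Configuration
        Add existing disk
        Toggle Disk Change Tracking
    Snapshot management
        Create snapshot
        Remove Snapshot
        Revert to snapshot
"""
AGENTLESS = """\
Virtual Machine
    Guest Operations
        Guest operation queries
        Guest operation modifications
        Guest operation program execution
"""
SAMPLE_ROLE = [
    "Virtual Machine > Change Configuration > Add existing disk",
    "Virtual Machine > Change Configuration > Toggle Disk Change Tracking",
    "Virtual Machine > Snapshot management > Create snapshot",
    "Virtual Machine > Snapshot management > Remove snapshot",
    "Virtual Machine > Guest Operations > Guest operation program execution",
]

def norm(path):
    """Case- and whitespace-insensitive form of an 'A > B > C' path."""
    return " > ".join(" ".join(p.split()).casefold() for p in path.split(">"))

def parse_tree(text):
    """Return the leaf privileges of an indented list as normalized paths."""
    rows = [(len(l) - len(l.lstrip()), l.strip()) for l in text.splitlines() if l.strip()]
    stack, leaves = [], set()
    for i, (indent, name) in enumerate(rows):
        while stack and stack[-1][0] >= indent:
            stack.pop()                       # climb back to this row's parent
        stack.append((indent, name))
        is_leaf = i + 1 == len(rows) or rows[i + 1][0] <= indent
        if is_leaf:
            leaves.add(norm(" > ".join(n for _, n in stack)))
    return leaves

def audit(role_paths, agentless_recovery=False):
    """Missing privileges break backups; excess ones exceed the baseline."""
    required = parse_tree(BASELINE)
    if agentless_recovery:                    # only then are Guest Operations expected
        required |= parse_tree(AGENTLESS)
    granted = {norm(p) for p in role_paths}
    return {"missing": sorted(required - granted), "excess": sorted(granted - required)}
```

With agentless recovery not in use, the constructed role is reported as missing "Revert to snapshot" and as carrying "Guest operation program execution" beyond the baseline.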

