What are the minimum permissions needed to properly back up and restore using the vStorage API?

Problem

Problems backing up and restoring VMware virtual machines via vCenter or ESX.  The account used by NetBackup to interface with VMware's vCenter may not have a role with the privileges necessary to perform the operations.

Solution

VERITAS recommends cloning the administrator role, and using that for Backup and Restore operations.  This role is guaranteed to have all the necessary privileges to perform the operation in all environments.

The following privileges can be allocated to a role and assigned to the NetBackup user to perform vADP backups and restores.  These are the minimum required permissions that have been found to be sufficient in the tests performed by VERITAS for a basic vSphere environment.  The permissions are best propagated downwards from the root of the vSphere level.  Additional privileges might be required if advanced features are in use.  The content of this document is subject to change.

The account configured in the NetBackup Administration Console -> Media and Device Management -> Credentials -> NetBackup Virtual Machine Server should be assigned to a role configured as follows at the vSphere level, with the 'Propagate to Child Objects' checkbox checked.

Tested with vSphere 6.0, vSphere 5.5, and vSphere 5.0.  All patches or updates are supported unless otherwise stated.

Datastore        
    Allocate space    
    Browse datastore    
    Configure datastore    
    Low level file operations    
    Update virtual machine files    
    Update virtual machine metadata    
        
Global        
    Cancel task    
    Disable methods    
    Enable methods    
    Global tag    
    Licenses    
    Log event    
    Manage custom attributes    
    Set custom attribute    
    Settings    
        
Host        
    Configuration    
        Advanced settings
        Storage partition configuration
        
Network        
    Assign network    
        
Resource        
    Assign vApp to resource pool
    Assign virtual machine to resource pool    
        
Tasks        
    Create task    
    Update task    

vApp    
    Add virtual machine
    Assign resource pool
    Assign vApp
    Create
        
Virtual Machine        
    Configuration    
        Add existing disk
        Add new disk
        Add or remove device
        Advanced
        Change resource
        Disk change tracking
        Disk lease
        Modify device settings
        Raw device
        Remove disk
        Set annotation
        Settings
        Swapfile placement
        Unlock virtual machine
    Interaction    
        Power Off
        Power On
    Inventory    
        Create New
        Create from existing
        Register
        Remove
        Unregister
    Provisioning    
        Allow disk access
        Allow read-only disk access
        Allow virtual machine download
    Snapshot management (State for vSphere 5.0)
        Create snapshot
        Remove Snapshot
        Revert to snapshot
        
Inventory Service        
    vSphere Tagging    
        Assign or Unassign vSphere Tag
        
        
For vSphere 5.5 the Inventory Service name differs:        
vCenter Inventory Service        
    vCenter Inventory Service Tagging    
        Assign or Unassign Inventory Service Tag
        
When using the NetBackup Plugin for vCenter the following privileges can be added:        
NetBackup Recovery        
    Add or Remove NetBackup Servers    
    Virtual Machine Recovery    
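
The following is an added example, not Veritas or VMware code: a Python script that parses the indented privilege outline above into full paths and compares it with the privileges granted to a role, reporting privileges that are missing and privileges that go beyond the minimum. The `SAMPLE_ROLE` list and all function names are constructed for illustration, and `MINIMUM_OUTLINE` is only an excerpt of the list above.

```python
# Added example: audit a vCenter role against the minimum privilege outline.
MINIMUM_OUTLINE = """\
Datastore
    Allocate space
    Browse datastore
Virtual Machine
    Configuration
        Disk change tracking
    Provisioning
        Allow disk access
    Snapshot management
        Create snapshot
        Remove Snapshot
"""  # excerpt of the article's list; paste the full outline when auditing

# Constructed sample: privileges granted to a hypothetical role on vSphere 5.0.
SAMPLE_ROLE = [
    "Datastore > Allocate space",
    "Datastore > Browse datastore",
    "Virtual Machine > Configuration > Disk change tracking",
    "Virtual Machine > Provisioning > Allow disk access",
    "Virtual Machine > State > Create snapshot",
    "Virtual Machine > Interaction > Console interaction",  # not in the minimum list
]

def _depth(line, indent=4):
    return (len(line) - len(line.lstrip())) // indent

def parse_outline(text):
    """Return the leaf privileges of the outline as 'Group > Sub > Privilege'."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    paths, stack = set(), []
    for i, line in enumerate(lines):
        depth = _depth(line)
        stack = stack[:depth] + [line.strip()]
        next_depth = _depth(lines[i + 1]) if i + 1 < len(lines) else 0
        if next_depth <= depth:  # nothing nested below: this is a privilege
            paths.add(" > ".join(stack))
    return paths

def normalize(path, renames=None):
    """Lower-case each path segment and apply version-specific group names."""
    parts = [p.strip().lower() for p in path.split(">")]
    return " > ".join((renames or {}).get(p, p) for p in parts)

def audit_role(granted, outline, vsphere_version="6.0"):
    # The article notes that "Snapshot management" is named "State" on vSphere 5.0.
    renames = {"snapshot management": "state"} if vsphere_version == "5.0" else {}
    required = {normalize(p, renames) for p in parse_outline(outline)}
    have = {normalize(p) for p in granted}
    return {"missing": sorted(required - have), "excess": sorted(have - required)}
```

Calling `audit_role(SAMPLE_ROLE, MINIMUM_OUTLINE, "5.0")` lists the one snapshot privilege the sample role lacks and the one privilege it holds beyond the minimum.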



 

Terms of use for this information are found in Legal Notices.
