What are the minimum permissions needed to properly backup and restore using vStorage api?

  • Modified Date:
  • Article ID:000007351


Problems backing up and restoring VMware virtual machine via vCenter or ESX.  The account used by NetBackup to interface with VMware's vCenter may not have sufficient privileges in the role with the necessary to rights to perform the operations.


VERITAS recommends cloning the administrator role, and using that for Backup and Restore operations.  This role is guaranteed to have all the necessary privileges to perform the operation in all environments.

The following privileges can be allocated to a role and assigned to the NetBackup user to perform vADP backups and restores.  These are the minimum required permissions that have been found to be sufficient in the tests performed by VERITAS for a basic vSphere environment.  The permissions are best propagated downwards from the root of the vSphere level.  Additional privileges might be required if advanced features are in use.  The content of this document is subject to change.  The account configured in the NetBackup Administration Console -> Media and Device Management  -> Credentials -> NetBackup Virtual Machine Server should be assigned to a role configured as follows at the vSphere level, with the 'Propagate to Child Objects' checkbox checked.

Tested with vSphere 6.0, vSphere 5.5, and vSphere 5.0.  All patches or updates are supported unless otherwise stated.

    Allocate space    
    Browse datastore    
    Configure datastore    
    Low level file operations    
    Update virtual machine files    
    Update virtual machine metadata    
    Cancel task    
    Disable methods    
    Enable methods    
    Global tag    
    Log event    
    Manage custom attributes    
    Set custom attribute    
        Advanced settings
        Storage partition configuration
    Assign network    
    Assign vApp to resouce pool    
    Assign virtual machine to resource pool    
    Create task    
    Update task    

    Add virtual machine
    Assign resource pool
    Assign vApp
Virtual Machine        
        Add existing disk
        Add new disk
        Add or remove device
        Change resource
        Disk change tracking
        Disk lease
        Modify device settings
        Raw device
        Remove disk
        Set annotation
        Swapfile placement
        Unlock virtual machine
        Power Off
        Power On
        Create New
        Create from existing
        Allow disk access
        All read-only disk access
        Allow virtual machine download
    Snapshot management(State for vSphere 5.0)    
        Create snapshot
        Remove Snapshot
        Revert to snapshot
Inventory Service        
    vSphere Tagging    
        Assign or Unassign vSphere Tag
For vSphere 5.5 the Inventory Service name differs:        
vCenter Inventory Service        
    vCenter Inventory Service Tagging    
        Assign or Unassign Inventory Service Tag
When using the NetBackup Plugin for vCenter the following privileges can be added:        
NetBackup Recovery        
    Add or Remove NetBackup Servers    
    Virtual Machine Recovery    


Terms of use for this information are found in Legal Notices.



Did this article answer your question or resolve your issue?


Did this article save you the trouble of contacting technical support?


How can we make this article more helpful?

Email Address (Optional)