You can create a separate user account in vSphere for backup and restore operations.
When you create a user account, the following system permissions are automatically added to the account:
|
Category |
Permission |
|---|---|
|
System |
|
If you are creating a user account other than administrator, you can assign permissions to the role that is associated with the user account. The following tables show which vCenter permissions are required (√) for each Commvault role or component.
The vCenter user account must have permissions on the vCenter, datacenter, ESX server, resource pool, VM folder, and virtual machine levels for any virtual machines to be backed up and restored. The backup for a virtual machine fails if the user does not have permission on the vCenter, datacenter, and ESX server where the virtual machine resides. When you assign a user and role for a specific entity, select the option to propagate permissions to child objects, so that operations for virtual machines that use those entities are successful.
To ensure that backups and restores are successful, use the vSphere Client or Web Client to assign user permissions on each required entity.
To hide resources from a user, you can assign a "No access" user role to the entity.
To enable restores, assign both backup and restore permissions for the type of restore (from streaming or IntelliSnap backups).
By default, the following tables display settings for vSphere 7.0, but differences for earlier versions of vSphere are noted. Settings that are not available in vSphere 4.1 might be needed for features that require vSphere 5.0 or a more recent version.
When using VM File Recovery Plug-In, VM Provisioning, or Live Mount, assign permissions that are required for backups or restores and permissions for using that feature.
Live Recovery operations that use a File Recovery Enabler for Linux require the same permissions as IntelliSnap operations.
Disclaimer
The guidance in this topic is derived from information in vSphere Security: ESXi 6.0 and vCenter Server 6.0 and is updated through vSphere 7.0. For detailed and current information about vSphere privileges and permissions, refer to the appropriate VMware documentation. Commvault is not responsible for, and does not validate or confirm, the correctness or accuracy of any information provided here. All content in this section is provided "AS IS" and is not warranted by Commvault in any way.
Alarms Permissions
|
Permissions |
Streaming |
IntelliSnap and Live Recovery |
Streaming and IntelliSnap |
VM Lifecycle Management Provisioning |
Live Mount |
|||
|---|---|---|---|---|---|---|---|---|
|
Backups and VM Archiving |
Restores and Live Sync |
Backups |
Restores and Live Sync |
Deploy File Recovery Enabler for Linux |
VM File Recovery Plug-In |
|||
|
Acknowledge alarm Required for vCenter 6.0 or later, to enable suppression of actions on triggered alarms. |
|
|
||||||
|
Set alarm status Required for vCenter 6.0 or later, to change the status of a configured alarm for an event. |
|
|
||||||
Cryptographic Operations Permissions
To back up and restore virtual machines using VMware VM-level encryption, the user account for the vCenter virtualization client must have the following permissions:
|
Permissions |
Streaming |
IntelliSnap and Live Recovery |
Streaming and IntelliSnap |
VM Lifecycle Management Provisioning |
Live Mount |
|||
|---|---|---|---|---|---|---|---|---|
|
Backups and VM Archiving |
Restores and Live Sync |
Backups |
Restores and Live Sync |
Deploy File Recovery Enabler for Linux |
VM File Recovery Plug-In |
|||
|
Add Disk |
|
|
|
|
|
|
||
|
Direct Access |
|
|
||||||
|
Encrypt |
|
|
|
|
|
|
||
Datastore Permissions
|
Permissions |
Streaming |
IntelliSnap and Live Recovery |
Streaming and IntelliSnap |
VM Lifecycle Management Provisioning |
Live Mount |
|||
|---|---|---|---|---|---|---|---|---|
|
Backups and VM Archiving |
Restores and Live Sync |
Backups |
Restores and Live Sync |
Deploy File Recovery Enabler for Linux |
VM File Recovery Plug-In |
|||
|
Allocate space Required to allocate space for a virtual machine, snapshot, clone, or virtual disk. |
|
|
|
|
|
|||
|
Browse datastore Required to browse files on a datastore. Used to locate VM files on disk and verify that files exist. |
|
|
|
|
|
|||
|
Configure datastore Required to configure a datastore. |
|
|
|
|||||
|
Low level file operations Required to perform read, write, delete, or rename operations for the datastore. Used to read virtual machine configuration files. |
|
|
|
|
|
|||
|
Remove datastore (deprecated) Required to remove a datastore. The user or group privilege must be set for both the object and its parent object. |
|
|
|
|||||
|
Rename datastore Required to change the name of a datastore. |
|
|
||||||
|
Remove file (deprecated; use Low level file operations) Required to delete files in the datastore. |
|
|||||||
|
Update virtual machine files Required to update virtual machine file paths on a datastore after a datastore resignature operation. |
|
|
|
|||||
Extension Permissions
|
Permissions |
Streaming |
IntelliSnap and Live Recovery |
Streaming and IntelliSnap |
VM Lifecycle Management Provisioning |
Live Mount |
|||
|---|---|---|---|---|---|---|---|---|
|
Backups and VM Archiving |
Restores and Live Sync |
Backups |
Restores and Live Sync |
Deploy File Recovery Enabler for Linux |
VM File Recovery Plug-In |
|||
|
Register extension Required to register a plug-in. |
|
|
|
|||||
|
Unregister extension Required to unregister a plug-in. |
|
|||||||
|
Update extension Required to update a plug-in. |
|
|||||||
Global Permissions
|
Permissions |
Streaming |
IntelliSnap and Live Recovery |
Streaming and IntelliSnap |
VM Lifecycle Management Provisioning |
Live Mount |
|||
|---|---|---|---|---|---|---|---|---|
|
Backups and VM Archiving |
Restores and Live Sync |
Backups |
Restores and Live Sync |
Deploy File Recovery Enabler for Linux |
VM File Recovery Plug-In |
|||
|
Cancel task Required to cancel a running or queued task; used to cancel a relocation task if a restore job is killed. |
|
|
||||||
|
Diagnostics Required to get lists of diagnostic files, log headers, binary files, or diagnostic bundles. For security, limit this privilege to the vCenter Server Administrator role. |
|
|||||||
|
Disable methods Required to disable specific operations on vCenter entities. |
|
|
|
|
||||
|
Enable methods Required to enable specific operations on vCenter entities. |
|
|
|
|
||||
|
Licenses Required to view installed licenses and to add or remove licenses. |
|
|
|
|
||||
|
Log event Required to enable logging of user-defined events against a managed entity. |
|
|||||||
|
Manage custom attributes Required to add, remove, or rename custom field definitions. |
|
|
|
|
||||
|
Set custom attribute Required to view, create, or remove custom attributes for a managed entity. |
|
|
|
|
|
|||
Host - Configuration Permissions
|
Permissions |
Streaming |
IntelliSnap and Live Recovery |
Streaming and IntelliSnap |
VM Lifecycle Management Provisioning |
Live Mount |
|||
|---|---|---|---|---|---|---|---|---|
|
Backups and VM Archiving |
Restores and Live Sync |
Backups |
Restores and Live Sync |
Deploy File Recovery Enabler for Linux |
VM File Recovery Plug-In |
|||
|
Advanced settings For live file recovery, Commvault software increases the NFS heartbeat timeout and the Max failures setting for additional resilience when mounting the datastore on the ESX server. |
|
|
||||||
|
Connection Required to change the connection status of a host (connected or disconnected). Used to confirm whether the ESX host is connected within the vCenter inventory. |
|
|
||||||
|
Network configuration Required to modify network, firewall or vMotion network settings. Used to configure destination network. |
|
|||||||
|
Storage partition configuration Required for management of VMFS datastores and diagnostic partitions. This privilege enables users to scan for new storage devices and manage iSCSI. Used to rescan and check for new VMFS partitions and HBAs, and to refresh the datastore list when mounting a datastore to the ESX server during IntelliSnap operations. |
|
|
||||||
|
System Management Used to download VM configuration files directly from an ESX host. (If files cannot be downloaded directly, they are accessed through the vCenter.) |
|
|
|
|
||||
Network Permissions
|
Permissions |
Streaming |
IntelliSnap and Live Recovery |
Streaming and IntelliSnap |
VM Lifecycle Management Provisioning |
Live Mount |
|||
|---|---|---|---|---|---|---|---|---|
|
Backups and VM Archiving |
Restores and Live Sync |
Backups |
Restores and Live Sync |
Deploy File Recovery Enabler for Linux |
VM File Recovery Plug-In |
|||
|
Assign network Required to assign a network to a virtual machine. Used to create a virtual machine on a network. |
|
|
|
|||||
Profile-driven storage Permissions
Required for vCenter 6.0 or later, to restore VM storage policies as part of a full VM restore.
|
Permissions |
Streaming |
IntelliSnap and Live Recovery |
Streaming and IntelliSnap |
VM Lifecycle Management Provisioning |
Live Mount |
|||
|---|---|---|---|---|---|---|---|---|
|
Backups and VM Archiving |
Restores and Live Sync |
Backups |
Restores and Live Sync |
Deploy File Recovery Enabler for Linux |
VM File Recovery Plug-In |
|||
|
Profile-driven storage update Required to create and update storage capabilities and virtual machine storage profiles. |
|
|
||||||
|
Profile-driven storage view Required to view storage capabilities and storage profiles. |
|
|
||||||
Resource Permissions
|
Permissions |
Streaming |
IntelliSnap and Live Recovery |
Streaming and IntelliSnap |
VM Lifecycle Management Provisioning |
Live Mount |
|||
|---|---|---|---|---|---|---|---|---|
|
Backups and VM Archiving |
Restores and Live Sync |
Backups |
Restores and Live Sync |
Deploy File Recovery Enabler for Linux |
VM File Recovery Plug-In |
|||
|
Assign vApp to resource pool Required to assign a vApp to a resource pool during restores. |
|
|
||||||
|
Assign virtual machine to resource pool Required to assign a virtual machine to a resource pool. Required when registering a virtual machine to a resource pool during backups or when restoring to a resource pool. |
|
|
|
|
|
|||
|
Migrate powered on virtual machine Required to use vMotion to migrate a powered on virtual machine to a different resource pool or host. |
|
|
||||||
|
Migrate powered off virtual machine ("Migrate" in vSphere 4.1) Required to use vMotion to migrate a powered off virtual machine to a different resource pool or host. |
|
|
|
|||||
vApp Permissions
|
Permissions |
Streaming |
IntelliSnap and Live Recovery |
Streaming and IntelliSnap |
VM Lifecycle Management Provisioning |
Live Mount |
|||
|---|---|---|---|---|---|---|---|---|
|
Backups and VM Archiving |
Restores and Live Sync |
Backups |
Restores and Live Sync |
Deploy File Recovery Enabler for Linux |
VM File Recovery Plug-In |
|||
|
Import Required to import a vApp into vSphere. |
|
|||||||
|
vApp application configuration Required to modify vApp application properties; used when reconfiguring an existing File Recovery Enabler for Linux. |
|
|||||||
|
vApp instance configuration Required to modify a vApp instance; used when reconfiguring an existing File Recovery Enabler for Linux. |
|
|||||||
Virtual machine - Change Configuration Permissions
This category was formerly called "Virtual machine - Configuration."
|
Permissions |
Streaming |
IntelliSnap and Live Recovery |
Streaming and IntelliSnap |
VM Lifecycle Management Provisioning |
Live Mount |
|||
|---|---|---|---|---|---|---|---|---|
|
Backups and VM Archiving |
Restores and Live Sync |
Backups |
Restores and Live Sync |
Deploy File Recovery Enabler for Linux |
VM File Recovery Plug-In |
|||
|
Acquire Disk lease (formerly "Disk lease") Required to perform disk lease operations for a virtual machine. |
|
|
|
|
||||
|
Add existing disk Required to add an existing virtual disk to a virtual machine. |
|
|
|
|
|
|||
|
Add new disk Required to create a new virtual disk to add to a virtual machine. |
|
|
|
|
|
|||
|
Add or remove device Required to add or remove any non-disk device. Used to add a SCSI controller or to restore non-disk device configuration. |
|
|
|
|
|
|||
|
Advanced configuration (formerly "Advanced") Required to add or modify advanced parameters in a virtual machine configuration file. |
|
|
|
|
||||
|
Change CPU count Required to change the number of virtual CPUs during restores. |
|
|
|
|||||
|
Change Memory (formerly "Memory") Required to change the amount of memory allocated to a virtual machine. |
|
|
|
|||||
|
Change resource Required to change the resource configuration of a set of virtual machine nodes in a given resource pool. |
|
|
|
|
|
|||
|
Change Settings (formerly "Settings") Required to change general virtual machine settings. |
|
|
|
|
|
|||
|
Change Swapfile placement (formerly "Swapfile placement") Required to change the swapfile placement policy for a virtual machine. |
|
|
|
|||||
|
Configure Host USB device (formerly "Host USB device") Required to attach a host-based USB device to a virtual machine. |
|
|
||||||
|
Configure managedBy Marks a virtual machine as being managed by Commvault during a restore. |
|
|
||||||
|
Configure Raw device (formerly "Raw device") Required to add or remove a raw disk mapping or SCSI pass through device (overrides other privileges for modifying raw devices, including connection states). |
|
|
|
|||||
|
Display connection settings (not in vSphere 4.1) Required to configure virtual machine remote console options. |
|
|||||||
|
Extend virtual disk Required to expand the size of a virtual disk. |
|
|
|
|||||
|
Modify device settings Required to change the properties of an existing device. |
|
|
|
|||||
|
Reload from path Required to change a virtual machine configuration path while preserving the identity of the virtual machine; used during failover and failback operations. |
|
|
|
|||||
|
Remove disk Required to remove a virtual disk. |
|
|
|
|
|
|||
|
Rename Required to rename a virtual machine or modify notes for a virtual machine. |
|
|
|
|
|
|||
|
Reset guest information Required to edit the guest operating system information for a virtual machine. |
|
|
|
|||||
|
Set annotation (not in vSphere 4.1) Required to add or edit a virtual machine annotation. Used to set up a backup server annotation that records last backup times for target VMs in vSphere. |
|
|
|
|
|
|||
|
Toggle Disk change tracking (formerly "Disk change tracking") Required to enable or disable change tracking for virtual machine disks. |
|
|
|
|
||||
|
Unlock virtual machine (only required for vCenter 6.0 or earlier versions) Required to decrypt a virtual machine. |
|
|||||||
|
Upgrade virtual machine compatibility ("Upgrade virtual hardware" in vSphere 4.1) Required to upgrade a virtual machine's compatibility version (virtual hardware version). |
|
|
|
|||||
Virtual Machine - Edit Inventory Permissions
This category was formerly called "Virtual Machine - Inventory."
|
Permissions |
Streaming |
IntelliSnap and Live Recovery |
Streaming and IntelliSnap |
VM Lifecycle Management Provisioning |
Live Mount |
|||
|---|---|---|---|---|---|---|---|---|
|
Backups and VM Archiving |
Restores and Live Sync |
Backups |
Restores and Live Sync |
Deploy File Recovery Enabler for Linux |
VM File Recovery Plug-In |
|||
|
Create new Required to create and allocate resources for a virtual machine. |
|
|
|
|||||
|
Create from existing Required to create a virtual machine, by cloning an existing virtual machine or by deploying from a template. |
|
|||||||
|
Move Required to relocate a virtual machine in the hierarchy. The privilege must be set for both the source and the destination. |
|
|
||||||
|
Register Required to add an existing virtual machine to a vCenter Server or host inventory. Required for IntelliSnap backups with metadata collection enabled, and to register a restored VM with the vCenter or host. |
|
|
|
|||||
|
Remove Required to delete a virtual machine and remove the underlying files from disk. The user or group privilege must be set for both the object and its parent object. Required for IntelliSnap backups with metadata collection enabled. |
|
|
|
|
|
|||
|
Unregister Required to unregister a virtual machine from a vCenter Server or host inventory. The user or group privilege must be set for both the object and its parent object. Required for IntelliSnap backups with metadata collection enabled, and to unregister a VM so that it can be registered to a different location. |
|
|
|
|||||
Virtual Machine - Guest Operations Permissions (Not in vSphere 4.1)
|
Permissions |
Streaming |
IntelliSnap and Live Recovery |
Streaming and IntelliSnap |
VM Lifecycle Management Provisioning |
Live Mount |
|||
|---|---|---|---|---|---|---|---|---|
|
Backups and VM Archiving |
Restores and Live Sync |
Backups |
Restores and Live Sync |
Deploy File Recovery Enabler for Linux |
VM File Recovery Plug-In |
|||
|
Guest Operation Modifications Required to perform virtual machine guest operations that modify the guest operating system, such as transferring a file to the virtual machine or restoring files to a target VM that does not have a file system agent installed. |
|
|
|
|||||
|
Guest Operation Program Execution Required to perform virtual machine guest operations that execute a program in the virtual machine, such as a restore command. |
|
|
|
|||||
|
Guest Operation Queries Required to perform virtual machine guest operations that query the guest operating system, such as listing files in the guest operating system. Used when the target VM does not have a file system agent installed. |
|
|
|
|||||
Virtual Machine - Interaction Permissions
|
Permissions |
Streaming |
IntelliSnap and Live Recovery |
Streaming and IntelliSnap |
VM Lifecycle Management Provisioning |
Live Mount |
|||
|---|---|---|---|---|---|---|---|---|
|
Backups and VM Archiving |
Restores and Live Sync |
Backups |
Restores and Live Sync |
Deploy File Recovery Enabler for Linux |
VM File Recovery Plug-In |
|||
|
Connect devices (formerly "Device connection") Required to change the connected state of virtual machine devices that can be disconnected. |
|
|
|
|||||
|
Power Off Required to power off the guest operating system of a powered on virtual machine. Used when restoring data to VMDKs. |
|
|
|
|
|
|||
|
Power On Required to power on a powered off virtual machine or resume a suspended virtual machine. |
|
|
|
|
||||
|
Reset Required to reset a virtual machine and reboot the guest operating system. |
|
|||||||
|
Suspend Required to suspend a powered on virtual machine and put the guest in standby mode. |
|
|||||||
Virtual Machine - Provisioning Permissions
|
Permissions |
Streaming |
IntelliSnap and Live Recovery |
Streaming and IntelliSnap |
VM Lifecycle Management Provisioning |
Live Mount |
|||
|---|---|---|---|---|---|---|---|---|
|
Backups and VM Archiving |
Restores and Live Sync |
Backups |
Restores and Live Sync |
Deploy File Recovery Enabler for Linux |
VM File Recovery Plug-In |
|||
|
Allow disk access Required to open a disk on a virtual machine for random read and write access. Used for remote disk mounting and restoring data. |
|
|
|
|||||
|
Allow read-only disk access Required to open a disk on a virtual machine for random read access; used for remote disk mounting. |
|
|
|
|
|
|||
|
Allow virtual machine download Required for read operations on files associated with a virtual machine, including vmx, disks, logs, and NVRAM. |
|
|
|
|
|
|||
|
Clone template Required to clone a template. |
|
|||||||
|
Clone virtual machine Required to clone an existing virtual machine and allocate resources. Used to create a linked clone from a source VM snapshot during backup. |
|
|
|
|
|
|||
|
Customize guest (formerly "Customize") Required to customize a virtual machine's guest operating system without moving the virtual machine. |
|
|||||||
|
Deploy template Required to deploy a virtual machine from a template. |
|
|||||||
|
Mark as template Required to mark an existing powered off virtual machine as a template. Used to restore a virtual machine template. |
|
|
||||||
|
Mark as virtual machine Required to mark an existing template as a virtual machine. |
|
|||||||
|
Modify customization specification Required to create, modify, or delete customization specifications. |
|
|||||||
|
Promote disks Required to promote operations on virtual machine disks. |
|
|||||||
|
Read customization specifications Required to read a customization specification. |
|
|||||||
Virtual machine - Snapshot management Permissions ("Virtual machine - State" in vSphere 4.1)
|
Permissions |
Streaming |
IntelliSnap and Live Recovery |
Streaming and IntelliSnap |
VM Lifecycle Management Provisioning |
Live Mount |
|||
|---|---|---|---|---|---|---|---|---|
|
Backups and VM Archiving |
Restores and Live Sync |
Backups |
Restores and Live Sync |
Deploy File Recovery Enabler for Linux |
VM File Recovery Plug-In |
|||
|
Create snapshot Required to create a snapshot from a virtual machine's current state. |
|
|
|
|
|
|||
|
Remove Snapshot Required to remove a snapshot from the snapshot history. |
|
|
|
|
|
|||
|
Rename Snapshot Required to change the name or description of a snapshot. |
|
|||||||
|
Revert to snapshot Required to set a virtual machine to the state it was in for a specified snapshot. |
|
|
|
|||||
vSphere Tagging Permissions
Required for vCenter 6.5 or later, to restore tags as part of a full VM restore.
|
Permissions |
Streaming |
IntelliSnap and Live Recovery |
Streaming and IntelliSnap |
VM Lifecycle Management Provisioning |
Live Mount |
|||
|---|---|---|---|---|---|---|---|---|
|
Backups and VM Archiving |
Restores and Live Sync |
Backups |
Restores and Live Sync |
Deploy File Recovery Enabler for Linux |
VM File Recovery Plug-In |
|||
|
Assign or Unassgn vSphere Tag Required to change the assignment of a tag for an object in the vCenter Server inventory. |
|
|
||||||
|
Create vSphere Tag Required to create a tag for a restored VM. |
|
|
||||||
|
Create vSphere Tag Category Required to create a tag category. |
|
|
||||||
|
Edit vSphere Tag Required to edit a tag. |
|
|
||||||
|
Edit vSphere Tag Category Required to edit a tag category. |
|
|
||||||
|
Modify UsedBy Field For Category Required to modify the UsedBy field for a tag category. |
|
|
||||||
|
Modify UsedBy Field For Tag Required to modify the UsedBy field for a tag. |
|
|
||||||