Permissions for Custom User Accounts

You can create a separate user account in vSphere for backup and restore operations. When you create a user account, the following system permissions are automatically added to the account:

Category: System
Permissions: Anonymous, Read, View

If you are creating a user account other than administrator, permissions can be assigned to the role associated with the user account. The following table shows which vCenter permissions are required (√) for each SnapProtect role or component.

  • To enable restores, assign both backup and restore permissions for the type of restore (from streaming or SnapProtect backups).
  • By default, this list shows settings for vSphere 5.x, with differences for vSphere 4.1 noted. Settings that are not available in vSphere 4.1 may be needed for features that require vSphere 5.0 or greater.
  • When using VM File Recovery Plug-In, VM Provisioning, or Live Mount, assign any required permissions for backups or restores as well as permissions for using that feature.
  • Live Recovery operations using a File Recovery Enabler for Linux require the same permissions as SnapProtect operations.

Assign permissions for the following categories:

Disclaimer: The guidance here is derived from information published in vSphere Security: ESXi 6.0 and vCenter Server 6.0. For detailed and current information about vSphere privileges and permissions, refer to the appropriate VMware documentation. Commvault is not responsible for, and does not validate or confirm, the correctness or accuracy of any information provided here. All content in this section is provided "AS IS" and is not warranted by Commvault in any way.

Datastore Permissions

Table columns (the same for every permissions table below):

  • Permissions
  • Streaming: Backups and VM Archiving; Restores and Live Sync
  • SnapProtect and Live Recovery: Backups; Restores
  • Streaming and SnapProtect: Deploy File Recovery Enabler for Linux; VM File Recovery Plug-In
  • VM Lifecycle Management Provisioning
  • Live Mount

Allocate space

Required to allocate space for a virtual machine, snapshot, clone, or virtual disk.

 
Browse datastore

Required to browse files on a datastore. Used to locate VM files on disk and verify that files exist.

 
Configure datastore

Required to configure a datastore.

 
Low level file operations

Required to perform read, write, delete, or rename operations for the datastore. Used to read virtual machine configuration files.

 
Remove datastore

(deprecated) Required to remove a datastore. The user or group privilege must be set for both the object and its parent object.

 
Rename datastore

Required to change the name of a datastore.

 
Remove file

(deprecated; use Low level file operations) Required to delete files in the datastore.

 
Update virtual machine files

Required to update virtual machine file paths on a datastore after a datastore resignature operation.

 

Extension Permissions

Register extension

Required to register a plug-in.

 
Unregister extension

Required to unregister a plug-in.

 
Update extension

Required to update a plug-in.

 

Global Permissions

Cancel task

Required to cancel a running or queued task; used to cancel a relocation task if a restore job is killed.

 
Diagnostics

Required to get lists of diagnostic files, log headers, binary files, or diagnostic bundles. For security, limit this privilege to the vCenter Server Administrator role.

 
Disable methods

Required to disable specific operations on vCenter entities.

 
Enable methods

Required to enable specific operations on vCenter entities.

 
Licenses

Required to view installed licenses and to add or remove licenses.

 
Log event

Required to enable logging of user-defined events against a managed entity.

 
Manage custom attributes

Required to add, remove, or rename custom field definitions. Used with the EnableUUID attribute to enable application-consistent quiescing.

 
Set custom attribute 

Required to view, create, or remove custom attributes for a managed entity. Used with the EnableUUID attribute to enable or disable application-consistent quiescing.

 

Host - Configuration Permissions

Advanced settings

Required to set advanced options for host configurations. For live file recovery, Commvault software increases the NFS heartbeat timeout and the Max failures setting for additional resilience when mounting the datastore on the ESX server.

 
Connection

Required to change the connection status of a host (connected or disconnected). Used to confirm whether the ESX host is connected within the vCenter inventory.

 
Storage partition configuration 

Required for management of VMFS datastores and diagnostic partitions. This privilege enables users to scan for new storage devices and manage iSCSI. Used to rescan and check for new VMFS partitions and HBAs, and to refresh the datastore list when mounting a datastore to the ESX server during SnapProtect operations.

 
System Management

Required to manipulate files on the host. Used to enable CBT in the VMX file and to make changes to the VMX file during restores.

 

Network Permissions

Assign network

Required to assign a network to a virtual machine. Used to create a virtual machine on a network.

     

Resource Permissions

Assign vApp to resource pool 

Required to assign a vApp to a resource pool during restores.

   
Assign virtual machine to resource pool

Required to assign a virtual machine to a resource pool. Required when registering a virtual machine to a resource pool during backups or when restoring to a resource pool.

√ (VM Archiving)  
Migrate powered on virtual machine

Required to use vMotion to migrate a powered on virtual machine to a different resource pool or host.

   
Migrate powered off virtual machine ("Migrate" in vSphere 4.1) 

Required to use vMotion to migrate a powered off virtual machine to a different resource pool or host.

 

vApp Permissions

Import

Required to import a vApp into vSphere.

 
vApp application configuration

Required to modify vApp application properties; used when reconfiguring an existing File Recovery Enabler for Linux.

             
vApp instance configuration

Required to modify a vApp instance; used when reconfiguring an existing File Recovery Enabler for Linux.

             

Virtual machine - Configuration Permissions

Add existing disk

Required to add an existing virtual disk to a virtual machine.

 
Add new disk

Required to create a new virtual disk to add to a virtual machine.

 
Add or remove device

Required to add or remove any non-disk device. Used to add a SCSI controller or to restore non-disk device configuration.

 
Advanced

Required to add or modify advanced parameters in a virtual machine configuration file.

 
Change CPU count

Required to change the number of virtual CPUs during restores.

 
Change resource

Required to change the resource configuration of a set of virtual machine nodes in a given resource pool.

 
Disk change tracking 

Required to enable or disable change tracking for virtual machine disks.

 
Disk lease

Required to perform disk lease operations for a virtual machine.

 
Display connection settings (not in vSphere 4.1)

Required to configure virtual machine remote console options.

 
Extend virtual disk

Required to expand the size of a virtual disk.

 
Host USB device

Required to attach a host-based USB device to a virtual machine.

 
Memory

Required to change the amount of memory allocated to a virtual machine.

 
Modify device settings

Required to change the properties of an existing device.

 
Raw device

Required to add or remove a raw disk mapping or SCSI pass through device (overrides other privileges for modifying raw devices, including connection states).

 
Reload from path

Required to change a virtual machine configuration path while preserving the identity of the virtual machine; used during failover and failback operations.

 
Remove disk

Required to remove a virtual disk.

 
Rename

Required to rename a virtual machine or modify notes for a virtual machine.

 
Reset guest information

Required to edit the guest operating system information for a virtual machine.

 
Set annotation (not in vSphere 4.1)

Required to add or edit a virtual machine annotation. Used to set up a backup server annotation that records last backup times for target VMs in vSphere.

 
Settings

Required to change general virtual machine settings.

 
Swapfile placement

Required to change the swapfile placement policy for a virtual machine.

 
Unlock virtual machine

Required to decrypt a virtual machine.

 
Upgrade virtual machine compatibility ("Upgrade virtual hardware" in vSphere 4.1)

Required to upgrade a virtual machine’s compatibility version (virtual hardware version).

 

Virtual Machine - Guest Operations Permissions (Not in vSphere 4.1)

Guest Operation Modifications

Required to perform virtual machine guest operations that modify the guest operating system, such as transferring a file to the virtual machine or restoring files to a target VM that does not have a file system agent installed.

 
Guest Operation Program Execution

Required to perform virtual machine guest operations that execute a program in the virtual machine, such as a restore command.

 
Guest Operation Queries

Required to perform virtual machine guest operations that query the guest operating system, such as listing files in the guest operating system. Used when the target VM does not have a file system agent installed.

 

Virtual Machine - Interaction Permissions

Device connection

Required to change the connected state of virtual machine devices that can be disconnected.

         
Power Off

Required to power off the guest operating system of a powered on virtual machine. Used when restoring data to VMDKs.

√ (VM Archiving)  
Power On

Required to power on a powered off virtual machine or resume a suspended virtual machine.

 
Reset

Required to reset a virtual machine and reboot the guest operating system.

 
Suspend

Required to suspend a powered on virtual machine and put the guest in standby mode.

 

Virtual Machine - Inventory Permissions

Create new

Required to create and allocate resources for a virtual machine.

 
Create from existing

Required to create a virtual machine, by cloning an existing virtual machine or by deploying from a template.

 
Move

Required to relocate a virtual machine in the hierarchy. The privilege must be set for both the source and the destination.

√ (VM Archiving)  
Register

Required to add an existing virtual machine to a vCenter Server or host inventory. Required for SnapProtect backups with metadata collection enabled, and to register a restored VM with the vCenter or host.

 
Remove

Required to delete a virtual machine and remove the underlying files from disk. The user or group privilege must be set for both the object and its parent object. Required for SnapProtect backups with metadata collection enabled.

 
Unregister

Required to unregister a virtual machine from a vCenter Server or host inventory. The user or group privilege must be set for both the object and its parent object. Required for SnapProtect backups with metadata collection enabled, and to unregister a VM so that it can be registered to a different location.

 

Virtual Machine - Provisioning Permissions

Allow disk access

Required to open a disk on a virtual machine for random read and write access. Used for remote disk mounting and restoring data.

 
Allow read-only disk access

Required to open a disk on a virtual machine for random read access; used for remote disk mounting.

 
Allow virtual machine download

Required for read operations on files associated with a virtual machine, including vmx, disks, logs, and NVRAM.

 
Clone template

Required to clone a template.

 
Clone virtual machine

Required to clone an existing virtual machine and allocate resources. Used to create a linked clone from a source VM snapshot during backup.

 
Customize

Required to customize a virtual machine’s guest operating system without moving the virtual machine.

 
Deploy template

Required to deploy a virtual machine from a template.

 
Mark as template

Required to mark an existing powered off virtual machine as a template. Used to restore a virtual machine template.

 
Mark as virtual machine

Required to mark an existing template as a virtual machine.

 
Modify customization specification

Required to create, modify, or delete customization specifications.

 
Promote disks

Required to promote operations on virtual machine disks.

 
Read customization specifications

Required to read a customization specification.

 

Virtual machine - Snapshot management Permissions ("Virtual machine - State" in vSphere 4.1)

Create snapshot

Required to create a snapshot from a virtual machine’s current state.

 
Remove Snapshot

Required to remove a snapshot from the snapshot history.

 
Rename Snapshot

Required to change the name or description of a snapshot.

     
Revert to snapshot

Required to set a virtual machine to the state it was in for a specified snapshot.