Configure User Accounts

Table of Contents

The Virtual Server Agent requires user accounts that have sufficient permissions for the software to:

  • Access the vCenter and ESX servers.
  • Access virtual machines.
  • Access volumes, files, and folders within virtual machines.
  • Perform discovery, backup, and restore operations.

When you configure the VMware vCenter client, you must provide the user account credentials for the vCenter. Later, you can change the user account at the instance level.

The vCenter user account must have permissions on the vCenter, datacenter, ESX server, and virtual machine levels for any virtual machines to be backed up and restored. The backup for a virtual machine fails if the user does not have permission on the vCenter, datacenter, and ESX server where the virtual machine resides.

You can restrict a user account to a specific entity as described in Add a Custom User with Limited Scope; but the user must also have permissions for all parent objects of the entity. For example, if you define a user account with permissions on an ESX server, you must also give that user permissions on the vCenter and datacenter. If you select the option to propagate permissions to all child objects, the user can back up all virtual machines on the ESX server.

Change Virtual Center Credentials

Perform the following steps to change user account credentials for vCenter clients:

  1. Navigate to Client Computers > virtualization_client > Virtual Server.
  2. Right-click VMware and select Properties.
  3. In the VMware area, click Change.
  4. Type the username and password.

    Ensure that the password does not have single-quote (') or double-quote (") characters.

  5. Click OK.

Permissions for Custom User Accounts

You can create a separate user account in vSphere for backup and restore operations. When you create a user account, the following system permissions are automatically added to the account:

Category Permission
System Anonymous

Read

View

If you are creating a user account other than administrator, permissions can be assigned to the role associated with the user account. The following table shows which vCenter permissions are required (√) for each SnapProtect role or component.

  • To enable restores, assign both backup and restore permissions for the type of restore (from streaming or SnapProtect backups).
  • By default this list shows settings for vSphere 5.x; but differences for vSphere 4.1 are noted. Settings that are not available in vSphere 4.1 may be needed for features that require vSphere 5.0 or greater.
  • When using VM File Recovery Plug-In, VM Provisioning, or Live Mount, assign any required permissions for backups or restores as well as permissions for using that feature.
  • Live Recovery operations using a File Recovery Enabler for Linux require the same permissions as SnapProtect operations.

Assign permissions for the following categories:

Disclaimer: The guidance here is derived from information published in vSphere Security: ESXi 6.0 and vCenter Server 6.0. For detailed and current information about vSphere privileges and permissions, refer to the appropriate VMware documentation. Commvault is not responsible for, and does not validate or confirm, the correctness or accuracy of any information provided here. All content in this section is provided "AS IS" and is not warranted by Commvault in any way.

Datastore Permissions

Permissions Streaming SnapProtect and Live Recovery Streaming and SnapProtect VM Lifecycle Management Provisioning Live Mount
Backups and VM Archiving Restores and Live Sync Backups Restores Deploy File Recovery Enabler for Linux VM File Recovery Plug-In
Allocate space

Required to allocate space for a virtual machine, snapshot, clone, or virtual disk.

 
Browse datastore

Required to browse files on a datastore. Used to locate VM files on disk and verify that files exist.

 
Configure datastore

Required to configure a datastore.

 
Low level file operations

Required to perform read, write, delete, or rename operations for the datastore. Used to read virtual machine configuration files.

 
Remove datastore

(deprecated) Required to remove a datastore. The user or group privilege must be set for both the object and its parent object.

 
Rename datastore

Required to change the name of a datastore.

 
Remove file

(deprecated; use Low level file operations) Required to delete files in the datastore.

 
Update virtual machine files

Required to update virtual machine file paths on a datastore after a datastore resignature operation.

 

Extension Permissions

Permissions Streaming SnapProtect and Live Recovery Streaming and SnapProtect VM Lifecycle Management Provisioning Live Mount
Backups and VM Archiving Restores and Live Sync Backups Restores Deploy File Recovery Enabler for Linux VM File Recovery Plug-In
Register extension

Required to register a plug-in.

 
Unregister extension

Required to unregister a plug-in.

 
Update extension

Required to update a plug-in.

 

Global Permissions

Permissions Streaming SnapProtect and Live Recovery Streaming and SnapProtect VM Lifecycle Management Provisioning Live Mount
Backups and VM Archiving Restores and Live Sync Backups Restores Deploy File Recovery Enabler for Linux VM File Recovery Plug-In
Cancel task

Required to cancel a running or queued task; used to cancel a relocation task if a restore job is killed.

 
Diagnostics

Required to get lists of diagnostic files, log headers, binary files, or diagnostic bundles. For security, limit this privilege to the vCenter Server Administrator role.

 
Disable methods

Required to disable specific operations on vCenter entities.

 
Enable methods

Required to enable specific operations on vCenter entities.

 
Licenses

Required to view installed licenses and to add or remove licenses.

 
Log event

Required to enable logging of user-defined events against a managed entity.

 
Manage custom attributes

Required to add, remove, or rename custom field definitions. Used with the EnableUUID attribute to enable application-consistent quiescing.

 
Set custom attribute 

Required to view, create, or remove custom attributes for a managed entity. Used with the EnableUUID attribute to enable or disable application-consistent quiescing.

 

Host - Configuration Permissions

Permissions Streaming SnapProtect and Live Recovery Streaming and SnapProtect VM Lifecycle Management Provisioning Live Mount
Backups and VM Archiving Restores and Live Sync Backups Restores Deploy File Recovery Enabler for Linux VM File Recovery Plug-In
Advanced settings

Required to set advanced options for host configurations. For live file recovery, Commvault software increases the NFS heartbeat timeout and the Max failures setting for additional resilience when mounting the datastore on the ESX server.

 
Connection

Required to change the connection status of a host (connected or disconnected). Used to confirm whether the ESX host is connected within the vCenter inventory.

 
Storage partition configuration 

Required for management of VMFS datastores and diagnostic partitions. This privilege enables users to scan for new storage devices and manage iSCSI. Used to rescan and check for new VMFS partitions and HBAs, and to refresh the datastore list when mounting a datastore to the ESX server during SnapProtect operations.

 
System Management

Required to manipulate files on the host. Used to enable CBT in the VMX file and to make changes to the VMX file during restores.

 

Network Permissions

Permissions Streaming SnapProtect and Live Recovery Streaming and SnapProtect VM Lifecycle Management Provisioning Live Mount
Backups and VM Archiving Restores and Live Sync Backups Restores Deploy File Recovery Enabler for Linux VM File Recovery Plug-In
Assign network

Required to assign a network to a virtual machine. Used to create a virtual machine on a network.

     

Resource Permissions

Permissions Streaming SnapProtect and Live Recovery Streaming and SnapProtect VM Lifecycle Management Provisioning Live Mount
Backups and VM Archiving Restores and Live Sync Backups Restores Deploy File Recovery Enabler for Linux VM File Recovery Plug-In
Assign vApp to resource pool 

Required to assign a vApp to a resource pool during restores.

   
Assign virtual machine to resource pool

Required to assign a virtual machine to a resource pool. Required when registering a virtual machine to a resource pool during backups or when restoring to a resource pool.

√ (VM Archiving)  
Migrate powered on virtual machine

Required to use vMotion to migrate a powered on virtual machine to a different resource pool or host.

   
Migrate powered off virtual machine ("Migrate" in vSphere 4.1) 

Required to use vMotion to migrate a powered off virtual machine to a different resource pool or host.

 

vApp Permissions

Permissions Streaming SnapProtect and Live Recovery Streaming and SnapProtect VM Lifecycle Management Provisioning Live Mount
Backups and VM Archiving Restores and Live Sync Backups Restores Deploy File Recovery Enabler for Linux VM File Recovery Plug-In
Import

Required to import a vApp into vSphere.

 
vApp application configuration

Required to modify vApp application properties; used when reconfiguring an existing File Recovery Enabler for Linux.

             
vApp instance configuration

Required to modify a vApp instance; used when reconfiguring an existing File Recovery Enabler for Linux.

             

Virtual machine - Configuration Permissions

Permissions Streaming SnapProtect and Live Recovery Streaming and SnapProtect VM Lifecycle Management Provisioning Live Mount
Backups and VM Archiving Restores and Live Sync Backups Restores Deploy File Recovery Enabler for Linux VM File Recovery Plug-In
Add existing disk

Required to add an existing virtual disk to a virtual machine.

 
Add new disk

Required to create a new virtual disk to add to a virtual machine.

 
Add or remove device

Required to add or remove any non-disk device. Used to add a SCSI controller or to restore non-disk device configuration.

 
Advanced

Required to add or modify advanced parameters in a virtual machine configuration file.

 
Change CPU count

Required to change the number of virtual CPUs during restores.

 
Change resource

Required to change the resource configuration of a set of virtual machine nodes in a given resource pool.

 
Disk change tracking 

Required to enable or disable change tracking for virtual machine disks.

 
Disk lease

Required to perform disk lease operations for a virtual machine.

 
Display connection settings (not in vSphere 4.1)

Required to configure virtual machine remote console options.

 
Extend virtual disk

Required to expand the size of a virtual disk.

 
Host USB device

Required to attach a host-based USB device to a virtual machine.

 
Memory

Required to change the amount of memory allocated to a virtual machine.

 
Modify device settings

Required to change the properties of an existing device.

 
Raw device

Required to add or remove a raw disk mapping or SCSI pass through device (overrides other privileges for modifying raw devices, including connection states).

 
Reload from path

Required to change a virtual machine configuration path while preserving the identity of the virtual machine; used during failover and failback operations.

 
Remove disk

Required to remove a virtual disk.

 
Rename

Required to rename a virtual machine or modify notes for a virtual machine.

 
Reset guest information

Required to edit the guest operating system information for a virtual machine.

 
Set annotation (not in vSphere 4.1)

Required to add or edit a virtual machine annotation. Used to set up a backup server annotation that records last backup times for target VMs in vSphere.

 
Settings

Required to change general virtual machine settings.

 
Swapfile placement

Required to change the swapfile placement policy for a virtual machine.

 
Unlock virtual machine

Required to decrypt a virtual machine.

 
Upgrade virtual machine compatibility ("Upgrade virtual hardware" in vSphere 4.1)

Required to upgrade a virtual machine’s compatibility version (virtual hardware version).

 

Virtual Machine - Guest Operations Permissions (Not in vSphere 4.1)

Permissions Streaming SnapProtect and Live Recovery Streaming and SnapProtect VM Lifecycle Management Provisioning Live Mount
Backups and VM Archiving Restores and Live Sync Backups Restores Deploy File Recovery Enabler for Linux VM File Recovery Plug-In
Guest Operation Modifications

Required to perform virtual machine guest operations that modify the guest operating system, such as transferring a file to the virtual machine or restoring files to a target VM that does not have a file system agent installed.

 
Guest Operation Program Execution

Required to perform virtual machine guest operations that execute a program in the virtual machine, such as a restore command.

 
Guest Operation Queries

Required to perform virtual machine guest operations that query the guest operating system, such as listing files in the guest operating system. Used when the target VM does not have a file system agent installed.

 

Virtual Machine - Interaction Permissions

Permissions Streaming SnapProtect and Live Recovery Streaming and SnapProtect VM Lifecycle Management Provisioning Live Mount
Backups and VM Archiving Restores and Live Sync Backups Restores Deploy File Recovery Enabler for Linux VM File Recovery Plug-In
Device connection

Required to change the connected state of virtual machine devices that can be disconnected.

         
Power Off

Required to power off the guest operating system of a powered on virtual machine. Used when restoring data to VMDKs.

√ (VM Archiving)  
Power On

Required to power on a powered off virtual machine or resume a suspended virtual machine.

 
Reset

Required to reset a virtual machine and reboot the guest operating system.

 
Suspend

Required to suspend a powered on virtual machine and put the guest in standby mode.

 

Virtual Machine - Inventory Permissions

Permissions Streaming SnapProtect and Live Recovery Streaming and SnapProtect VM Lifecycle Management Provisioning Live Mount
Backups and VM Archiving Restores and Live Sync Backups Restores Deploy File Recovery Enabler for Linux VM File Recovery Plug-In
Create new

Required to create and allocate resources for a virtual machine.

 
Create from existing

Required to create a virtual machine, by cloning an existing virtual machine or by deploying from a template.

 
Move

Required to relocate a virtual machine in the hierarchy. The privilege must be set for both the source and the destination.

√ (VM Archiving)  
Register

Required to add an existing virtual machine to a vCenter Server or host inventory. Required for SnapProtect backups with metadata collection enabled, and to register a restored VM with the vCenter or host.

 
Remove

Required to delete a virtual machine and remove the underlying files from disk. The user or group privilege must be set for both the object and its parent object. Required for SnapProtect backups with metadata collection enabled.

 
Unregister

Required to unregister a virtual machine from a vCenter Server or host inventory. The user or group privilege must be set for both the object and its parent object. Required for SnapProtect backups with metadata collection enabled, and to unregister a VM so that it can be registered to a different location.

 

Virtual Machine - Provisioning Permissions

Permissions Streaming SnapProtect and Live Recovery Streaming and SnapProtect VM Lifecycle Management Provisioning Live Mount
Backups and VM Archiving Restores and Live Sync Backups Restores Deploy File Recovery Enabler for Linux VM File Recovery Plug-In
Allow disk access

Required to open a disk on a virtual machine for random read and write access. Used for remote disk mounting and restoring data.

 
Allow read-only disk access

Required to open a disk on a virtual machine for random read access; used for remote disk mounting.

 
Allow virtual machine download

Required for read operations on files associated with a virtual machine, including vmx, disks, logs, and NVRAM.

 
Clone template

Required to clone a template.

 
Clone virtual machine

Required to clone an existing virtual machine and allocate resources. Used to create a linked clone from a source VM snapshot during backup.

 
Customize

Required to customize a virtual machine’s guest operating system without moving the virtual machine.

 
Deploy template

Required to deploy a virtual machine from a template.

 
Mark as template

Required to mark an existing powered off virtual machine as a template. Used to restore a virtual machine template.

 
Mark as virtual machine

Required to mark an existing template as a virtual machine.

 
Modify customization specification

Required to create, modify, or delete customization specifications.

 
Promote disks

Required to promote operations on virtual machine disks.

 
Read customization specifications

Required to read a customization specification.

 

Virtual machine - Snapshot management Permissions ("Virtual machine - State" in vSphere 4.1)

Permissions Streaming SnapProtect and Live Recovery Streaming and SnapProtect VM Lifecycle Management Provisioning Live Mount
Backups and VM Archiving Restores and Live Sync Backups Restores Deploy File Recovery Enabler for Linux VM File Recovery Plug-In
Create snapshot

Required to create a snapshot from a virtual machine’s current state.

 
Remove Snapshot

Required to remove a snapshot from the snapshot history.

 
Rename Snapshot

Required to change the name or description of a snapshot.

     
Revert to snapshot

Required to set a virtual machine to the state it was in for a specified snapshot.

 

Add a Custom User with Limited Scope

You can enable users, customers, or tenants to use a shared vCenter while ensuring that each user can only view and manage their own virtual machines. For this solution, each user uses a unique vCenter client instance, providing user credentials that are associated with a specific vCenter user with limited scope.

The vCenter user account must have permissions on the vCenter, datacenter, ESX server, and virtual machine levels for any virtual machines to be backed up and restored. The backup for a virtual machine fails if the user does not have permission on the vCenter, datacenter, and ESX server where the virtual machine resides.

To ensure that backups and restores are successful, use the vSphere Client or WebClient to assign user permissions on each required entity.

To add a user with permissions to back up and restore virtual machines in a specific entity, such as a datastore, ESX host, resource pool, or specific virtual machine, perform the following steps:

  1. On the vCenter server, add a local user:
    • Use Remote Desktop to log in to the vCenter server and start Server Manager.
    • Navigate to Configuration > Local Users and Groups > Users.
    • Right-click Users and then select New User.

    • Enter the user name and password, then re-renter the password.
    • Click Create.
  2. In the vSphere Client, add a role:
    • Go to Home > Administration > Roles, and then click the menu options Administration > Role > Add.
    • Enter the name of the role (for example, cvAdmin).
    • Select backup, restore, and VM File Recovery Plug-In privileges as described in Permissions for Custom User Accounts.

    • Click OK.
  3. In the vSphere Client, add permissions for a user and role at the appropriate level.
    • Select the entity for which you are adding permissions (for example, a datacenter, host, resource pool, or virtual machine).
    • Click the Permissions tab.
    • Right-click in the tab and select Add Permission.
    • Under Users and Groups, click Add, select the local VSA user on the Select Users and Groups dialog, click Add, and then click OK.
    • Under Assigned Role, select the role from the drop-down list.

    • Click OK.

  4. If necessary, create a new virtualization client for the vCenter:
    1. From the CommCell Browser, navigate to Client Computers.
    2. Right-click Client Computers and then select New Client > Virtualization > VMware vCenter.
    3. Enter a descriptive name for the virtualization client in the vCenter Host Name box.
    4. Enter the username and password of the custom vCenter user.
    5. Click Add to select a proxy for backup. On the resulting dialog, select one or more proxies from the Exclude list, click Include or Include All, and then click OK to save the proxy selections.
    6. Click OK to create the virtualization client.
  5. Enter the correct vCenter host name for the Virtual Server instance:
    1. From the CommCell Browser, navigate to Client Computers > virtualization_client > Virtual Server.
    2. Right-click the VMware virtual server instance and select Properties.
    3. Under VMware, enter the actual vCenter host name in the vCenter host name box.

      If necessary, you can also click Change to modify user account information.

    4. Click OK to save instance properties.