Agent for VMware - necessary privileges
To perform any operations with vCenter objects, such as virtual machines, ESXi hosts, clusters, vCenter, and more, Agent for VMware authenticates on vCenter or ESXi host by using the vSphere credentials provided by a user. The vSphere account, used for connection to vSphere by Agent for VMware, must have the required privileges on all levels of vSphere infrastructure starting from the vCenter level.
Specify the vSphere account with the necessary privileges during Agent for VMware installation or configuration. If you need to change the account at a later time, refer to the "Managing virtualization environments" section.
To assign the permissions to a vSphere user on the vCenter level, do the following:
- Log in to vSphere web client.
- Right-click on vCenter and then click Add permission.
- Select or add a new user with the required role (the role must include all the required permissions from the table below).
- Select the Propagate to children option.
Object |
Privilege |
Operation | |||
---|---|---|---|---|---|
Back up a VM |
Recover to a new VM |
Recover to an existing VM |
Run VM from backup |
||
Cryptographic operations (starting with vSphere 6.5) |
Add disk |
+* |
|||
Direct Access |
+* |
||||
Datastore |
Allocate space |
+ |
+ |
+ |
|
Browse datastore |
+ |
||||
Configure datastore |
+ |
+ |
+ |
+ |
|
Low level file operations |
+ |
||||
Global |
Licenses |
+ |
+ |
+ |
+ |
Disable methods |
+ |
+ |
+ |
||
Enable methods |
+ |
+ |
+ |
||
Manage custom attributes |
+ |
+ |
+ |
||
Set custom attribute |
+ |
+ |
+ |
||
Host > Configuration |
Storage partition configuration |
+ |
|||
Host > Local operations |
Create VM |
+ |
|||
Delete VM |
+ |
||||
Reconfigure VM |
+ |
||||
Network |
Assign network |
+ |
+ |
+ |
|
Resource |
Assign VM to resource pool |
+ |
+ |
+ |
|
Virtual machine > Configuration |
Add existing disk |
+ |
+ |
+ |
|
Add new disk |
+ |
+ |
+ |
||
Add or remove device |
+ |
+ |
|||
Advanced |
+ |
+ |
+ |
||
Change CPU count |
+ |
||||
Disk change tracking |
+ |
+ |
|||
Disk lease |
+ |
+ |
|||
Memory |
+ |
||||
Remove disk |
+ |
+ |
+ |
+ |
|
Rename |
+ |
||||
Set annotation |
+ |
||||
Settings |
+ |
+ |
+ |
||
Virtual machine > Guest Operations |
Guest Operation Program Execution |
+** |
|||
Guest Operation Queries |
+** |
||||
Guest Operation Modifications |
+** |
||||
Virtual machine > Interaction |
Acquire guest control ticket (in vSphere 4.1 and 5.0) |
+ |
|||
Configure CD media |
+ |
+ |
|||
Guest operating system management by VIX API (in vSphere 5.1 and later) |
+ |
||||
Power off |
+ |
+ |
|||
Power on |
+ |
+ |
+ |
||
Virtual machine > Inventory |
Create from existing |
+ |
+ |
+ |
|
Create new |
+ |
+ |
+ |
||
Register |
+ |
||||
Remove |
+ |
+ |
+ |
||
Unregister |
+ |
||||
Virtual machine > Provisioning |
Allow disk access |
+ |
+ |
+ |
|
Allow read-only disk access |
+ |
+ |
|||
Allow virtual machine download |
+ |
+ |
+ |
+ |
|
Virtual machine > State |
Create snapshot |
+ |
+ |
+ |
|
Remove snapshot |
+ |
+ |
+ |
||
vApp |
Add virtual machine |
+ |
* This privilege is required for backing up encrypted machines only.
** This privilege is required for application-aware backups only.