Agent for VMware - necessary privileges

To perform any operations with vCenter objects, such as virtual machines, ESXi hosts, clusters, vCenter, and more, Agent for VMware authenticates on vCenter or ESXi host by using the vSphere credentials provided by a user. The vSphere account, used for connection to vSphere by Agent for VMware, must have the required privileges on all levels of vSphere infrastructure starting from the vCenter level.

Specify the vSphere account with the necessary privileges during Agent for VMware installation or configuration. If you need to change the account at a later time, refer to the "Managing virtualization environments" section.

To assign the permissions to a vSphere user on the vCenter level, do the following:

  1. Log in to vSphere web client.
  2. Right-click on vCenter and then click Add permission.
  3. Select or add a new user with the required role (the role must include all the required permissions from the table below).
  4. Select the Propagate to children option.

Object

Privilege

Operation

Back up a VM

Recover to a new VM

Recover to an existing VM

Run VM from backup

Cryptographic operations

(starting with vSphere 6.5)

Add disk

+*

     
 

Direct Access

+*

     

Datastore

Allocate space

 

+

+

+

 

Browse datastore

     

+

 

Configure datastore

+

+

+

+

 

Low level file operations

     

+

Global

Licenses

+

+

+

+

 

Disable methods

+

+

+

 
 

Enable methods

+

+

+

 
 

Manage custom attributes

+

+

+

 
 

Set custom attribute

+

+

+

 

Host > Configuration

Storage partition configuration

     

+

Host > Local operations

Create VM

     

+

 

Delete VM

     

+

 

Reconfigure VM

     

+

Network

Assign network

 

+

+

+

Resource

Assign VM to resource pool

 

+

+

+

Virtual machine > Configuration

Add existing disk

+

+

 

+

 

Add new disk

 

+

+

+

 

Add or remove device

 

+

 

+

 

Advanced

+

+

+

 
 

Change CPU count

 

+

   
 

Disk change tracking

+

 

+

 
 

Disk lease

+

 

+

 
 

Memory

 

+

   
 

Remove disk

+

+

+

+

 

Rename

 

+

   
 

Set annotation

     

+

 

Settings

 

+

+

+

Virtual machine > Guest Operations

Guest Operation Program Execution

+**

     
 

Guest Operation Queries

+**

     
 

Guest Operation Modifications

+**

     

Virtual machine > Interaction

Acquire guest control ticket (in vSphere 4.1 and 5.0)

     

+

 

Configure CD media

 

+

+

 
 

Guest operating system management by VIX API (in vSphere 5.1 and later)

     

+

 

Power off

   

+

+

 

Power on

 

+

+

+

Virtual machine > Inventory

Create from existing

 

+

+

+

 

Create new

 

+

+

+

 

Register

     

+

 

Remove

 

+

+

+

 

Unregister

     

+

Virtual machine > Provisioning

Allow disk access

 

+

+

+

 

Allow read-only disk access

+

 

+

 
 

Allow virtual machine download

+

+

+

+

Virtual machine > State

Create snapshot

+

 

+

+

 

Remove snapshot

+

 

+

+

vApp

Add virtual machine

     

+

* This privilege is required for backing up encrypted machines only.

** This privilege is required for application-aware backups only.