-
Title
Permissions for VMware 6.5/6.7 and vRanger 7.8+ -
Description
This article outlines the minimum permissions required in order to create a non-admin role in vCenter to be used by vRanger Backup & Replication. A VMware role is a predefined set of privileges, which define rights to perform specific actions or change properties. -
Resolution
vCenter provides system and sample roles by default. When connecting vRanger to VMware using a custom account, the user and the role must be defined at the vCenter level and then propagated to the children objects.
In order to remove unnecessary administrator permissions that are not required by vRanger, a new role should be created with the following permissions:
- Cryptographic operations
- Add disk
- Direct Access
- Encrypt
- Encrypt new
- Manage KMS
- Manage encryption policies
- Migrate
- Datastore
- Allocate space
- Browse datastore
- Low level file operations
- Remove file
- Global
- Licenses
- Log event
- Host
- Inventory
- Modify cluster
- Local operations
- Create virtual machine
- Reconfigure virtual machine
- Inventory
- Network
- Assign network
- Configure
- Resource
- Assign vApp to resource pool
- Assign virtual machine to resource pool
- Profile-driven storage
- Profile-driven storage view
- Storage views
- View
- vApp
- Add virtual machine
- Assign resource pool
- Create
- Delete
- Import
- Move
- Power off
- Power on
- Rename
- Virtual machine
- Change Configuration
- Acquire disk lease
- Add existing disk
- Add new disk
- Add or remove device
- Advanced configuration
- Change CPU count
- Change Memory
- Change Settings
- Change Swapfile placement
- Change resource
- Configure Host USB device
- Configure Raw device
- Configure managedBy
- Display connection settings
- Extend virtual disk
- Modify device settings
- Query Fault Tolerance compatibility
- Query unowned files
- Reload from path
- Remove disk
- Rename
- Reset guest information
- Set annotation
- Toggle disk change tracking
- Toggle fork parent
- Upgrade virtual machine compatibility
- Edit Inventory
- Create new
- Remove
- Interaction
- Configure CD media
- Configure floppy media
- Connect devices
- Console interaction
- Install VMware Tools
- Power off
- Power on
- Provisioning
- Allow disk access
- Allow read-only disk access
- Allow virtual machine download
- Allow virtual machine files upload
- Clone template
- Mark as template
- Service configuration
- Modify service configuration
- Snapshot management
- Create snapshot
- Remove snapshot
- Rename snapshot
- Revert to snapshot
- Change Configuration
There are some scenarios where it may be required to limit the account to one specific VMware datacenter. In these cases, it is required to define the user at the vCenter level without propagating to any child object. Once it has been defined at the vCenter level, it must be defined at the datacenter level and then propagated down to the child objects.
NOTE: In the cases where the vCenter account must be limited even further due to tenancy configurations, it is required to create two roles. The main role with limited permissions as defined previously in this article needs to be defined at the datacenter level propagating these permissions to the child objects. A secondary limited VMware role must be defined for the user at the vCenter level, in order to ensure we have enough permissions to query the objects. The following permissions are required for the user that will be defined at the vCenter level and it should not be propagated to the child objects:
- Cryptographic operations
- Add disk
- Direct Access
- Encrypt
- Encrypt new
- Manage KMS
- Manage encryption policies
- Migrate
- Datastore
- Allocate space
- Browse datastore
- Low level file operations
- Remove file
- Resource
- Assign vApp to resource pool
- Assign virtual machine to resource pool
- Profile-driven storage
- Profile-driven storage view
- Storage views
- View
- Cryptographic operations