Problem
Problems backing up and restoring VMware virtual machines via vCenter or ESX. The account used by NetBackup to interface with VMware's vCenter may not be assigned a role with the privileges necessary to perform the operations.
Solution
VERITAS recommends cloning the administrator role, and using that for Backup and Restore operations. This role is guaranteed to have all the necessary privileges to perform the operation in all environments.
The following privileges can be allocated to a role and assigned to the NetBackup user to perform vADP backups and restores. These are the minimum required permissions that have been found to be sufficient in the tests performed by VERITAS for a basic vSphere environment. The permissions are best propagated downwards from the root of the vSphere level. Additional privileges might be required if advanced features are in use. The content of this document is subject to change.
The account configured in the NetBackup Administration Console -> Media and Device Management -> Credentials -> NetBackup Virtual Machine Server should be assigned to a role configured as follows at the vSphere level, with the 'Propagate to Child Objects' checkbox checked.
Tested with vSphere 8.0, 7.0, 6.7, 6.5, 6.0, vSphere 5.5, and vSphere 5.0.
All patches or updates are supported unless otherwise stated.
Cryptographic Operations
    Direct Access
    Encrypt New
    Migrate
Datastore
    Allocate space
    Browse datastore
    Configure datastore
    Low level file operations
    Update virtual machine files
    Update virtual machine metadata
Global
    Cancel task
    Disable methods
    Enable methods
    Global tag
    Log event
    Set custom attribute
Host
    Configuration
        Advanced settings
        Storage partition configuration
Network
    Assign network
Resource
    Assign vApp to resource pool
    Assign virtual machine to resource pool
Tasks
    Create task
    Update task
Extension
    Register
vApp
    Add virtual machine
    Assign resource pool
    Create
    Move
    Power off
    Power on
Virtual Machine
    Change Configuration
        Acquire Disk Lease
        Add existing disk
        Add new disk
        Advanced
        Add or remove device
        Change Settings
        Change Swapfile placement
        Change resource
        Configure Raw device
        Modify device settings
        Remove disk
        Set annotation
        Toggle Disk Change Tracking
    Edit Inventory
        Create from existing
        Create New
        Register
        Remove
        Unregister
    Interaction
        Power Off
        Power On
    Provisioning
        Allow disk access
        Allow read-only disk access
        Allow virtual machine download
    Snapshot management
        Create snapshot
        Remove Snapshot
        Revert to snapshot
vSphere Tagging
    Assign or Unassign vSphere Tag
When using the NetBackup Plugin for vCenter the following privileges can be added:
NetBackup Recovery
    Add or Remove NetBackup Servers
    Virtual Machine Recovery
For vSphere 5.5 the Inventory Service name differs:
vCenter Inventory Service
    vCenter Inventory Service Tagging
        Assign or Unassign Inventory Service Tag
If you are using the VMware Agentless recovery feature in 8.2.x or higher, verify that the following privileges are added:
Virtual Machine
    Guest Operations
        Guest operation queries
        Guest operation modifications
        Guest operation program execution
Virtual Machine
    Change Configuration
        Remove disk
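One way to build and audit a dedicated role for the base privilege list (Cryptographic Operations through vSphere Tagging), as an added PowerCLI example that is not Veritas's own procedure. The role name, the account, and the mapping from the listed display names to vSphere privilege IDs are assumptions; the NetBackup Plugin, vSphere 5.5 and Agentless recovery privileges are not included.

```powershell
# Added example. Assumes VMware PowerCLI and one open Connect-VIServer session.
$roleName  = 'NetBackup-vADP'          # hypothetical role name
$principal = 'EXAMPLE\svc-netbackup'   # hypothetical NetBackup service account

# Assumed privilege IDs for the display names in the base list (not from the article).
$vmConfig = 'DiskLease','AddExistingDisk','AddNewDisk','AdvancedConfig','AddRemoveDevice',
  'Settings','SwapPlacement','Resource','RawDevice','EditDevice','RemoveDisk',
  'Annotation','ChangeTracking' | ForEach-Object { "VirtualMachine.Config.$_" }
$required = @(
  'Cryptographer.Access','Cryptographer.EncryptNew','Cryptographer.Migrate',
  'Datastore.AllocateSpace','Datastore.Browse','Datastore.Config',
  'Datastore.FileManagement','Datastore.UpdateVirtualMachineFiles',
  'Datastore.UpdateVirtualMachineMetadata',
  'Global.CancelTask','Global.DisableMethods','Global.EnableMethods',
  'Global.GlobalTag','Global.LogEvent','Global.SetCustomField',
  'Host.Config.AdvancedConfig','Host.Config.Storage','Network.Assign',
  'Resource.AssignVAppToPool','Resource.AssignVMToPool',
  'Task.Create','Task.Update','Extension.Register',
  'VApp.AssignVM','VApp.AssignResourcePool','VApp.Create','VApp.Move',
  'VApp.PowerOff','VApp.PowerOn',
  'VirtualMachine.Inventory.CreateFromExisting','VirtualMachine.Inventory.Create',
  'VirtualMachine.Inventory.Register','VirtualMachine.Inventory.Delete',
  'VirtualMachine.Inventory.Unregister',
  'VirtualMachine.Interact.PowerOff','VirtualMachine.Interact.PowerOn',
  'VirtualMachine.Provisioning.DiskRandomAccess',
  'VirtualMachine.Provisioning.DiskRandomRead','VirtualMachine.Provisioning.GetVmFiles',
  'VirtualMachine.State.CreateSnapshot','VirtualMachine.State.RemoveSnapshot',
  'VirtualMachine.State.RevertToSnapshot','InventoryService.Tagging.AttachTag'
) + $vmConfig

# Resolve IDs on this vCenter; an ID absent in this version is reported, not guessed.
$privs   = Get-VIPrivilege -Id $required -ErrorAction SilentlyContinue
$unknown = $required | Where-Object { $privs.Id -notcontains $_ }
if ($unknown) { Write-Warning "Unresolved privilege IDs: $($unknown -join ', ')" }

# Create the role only if it does not exist yet.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) { $role = New-VIRole -Name $roleName -Privilege $privs }

# Audit: privileges the role lacks, and any it holds beyond the list
# (System.* entries are present in every role and are ignored).
$missing = $required | Where-Object { $role.PrivilegeList -notcontains $_ }
$extra   = $role.PrivilegeList | Where-Object { $_ -notlike 'System.*' -and $required -notcontains $_ }
"Missing: $($missing -join ', ')"; "Extra: $($extra -join ', ')"

# Assign at the inventory root with propagation to child objects.
$root = Get-Folder -NoRecursion
New-VIPermission -Entity $root -Principal $principal -Role $role -Propagate $true
```

Running the audit portion against a cloned administrator role shows, in the "Extra" line, how much broader that role is than the minimum list.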