VMware VDP Required Permissions

In some environments you might have to reduce the permissions given to the vSphere Data Protection (VDP) backup user to the minimum. The documentation provided by VMware is a little ambiguous on that topic. The permissions listed in this post are required at a minimum for the following purposes:

  • VDP backup user (the user the appliance uses to talk to the vCenter Server)
  • Configure and add backup/restore jobs
  • See the vSphere Data Protection button in the vSphere Web Client

Required permissions for vSphere Data Protection

These permissions are required for vSphere Data Protection to work. You have to assign them on the vCenter object. Please note that you should not give different users permissions to back up different virtual machines: when you edit a backup job that contains VMs not visible to you, those virtual machines get removed from the backup job.

Id                                            Name
--------------------------------------------  --------------------------------------
Global.LogEvent                               Log event
Global.CancelTask                             Cancel task
Global.Settings                               Settings
Folder.Create                                 Create folder
Datastore.Rename                              Rename datastore
Datastore.Move                                Move datastore
Datastore.Delete                              Remove datastore
Datastore.Browse                              Browse datastore
Datastore.DeleteFile                          Remove file
Datastore.FileManagement                      Low level file operations
Datastore.AllocateSpace                       Allocate space
Network.Config                                Configure
Network.Assign                                Assign network
VirtualMachine.Inventory.Create               Create new
VirtualMachine.Inventory.Register             Register
VirtualMachine.Inventory.Delete               Remove
VirtualMachine.Inventory.Unregister           Unregister
VirtualMachine.Interact.PowerOn               Power On
VirtualMachine.Interact.PowerOff              Power Off
VirtualMachine.Interact.Reset                 Reset
VirtualMachine.Config.Rename                  Rename
VirtualMachine.Config.AddExistingDisk         Add existing disk
VirtualMachine.Config.AddNewDisk              Add new disk
VirtualMachine.Config.RemoveDisk              Remove disk
VirtualMachine.Config.RawDevice               Raw device
VirtualMachine.Config.HostUSBDevice           Host USB device
VirtualMachine.Config.CPUCount                Change CPU count
VirtualMachine.Config.Memory                  Memory
VirtualMachine.Config.AddRemoveDevice         Add or remove device
VirtualMachine.Config.EditDevice              Modify device settings
VirtualMachine.Config.Settings                Settings
VirtualMachine.Config.Resource                Change resource
VirtualMachine.Config.UpgradeVirtualHardware  Upgrade virtual machine compatibility
VirtualMachine.Config.ResetGuestInfo          Reset guest information
VirtualMachine.Config.AdvancedConfig          Advanced
VirtualMachine.Config.DiskLease               Disk lease
VirtualMachine.Config.SwapPlacement           Swapfile placement
VirtualMachine.Config.DiskExtend              Extend virtual disk
VirtualMachine.Config.ChangeTracking          Disk change tracking
VirtualMachine.Config.ReloadFromPath          Reload from path
VirtualMachine.State.CreateSnapshot           Create snapshot
VirtualMachine.State.RevertToSnapshot         Revert to snapshot
VirtualMachine.State.RemoveSnapshot           Remove snapshot
VirtualMachine.Provisioning.MarkAsTemplate    Mark as template
VirtualMachine.Provisioning.DiskRandomRead    Allow read-only disk access
VirtualMachine.Provisioning.GetVmFiles        Allow virtual machine download
Resource.AssignVMToPool                       Assign virtual machine to resource pool
Task.Create                                   Create task
Task.Update                                   Update task
Sessions.ValidateSession                      Validate session

PowerShell Script to Create a Role

This small PowerCLI script creates a role named VDP-Backup with the required privileges. You have to be connected to the vCenter Server (check this post if you are new to PowerCLI):

# Creates the VDP-Backup role from the privilege list above. Each line ends with a
# comma, so PowerShell continues the -Id argument list on the next line.
New-VIRole -Name VDP-Backup -Privilege (Get-VIPrivilege -Id System.Anonymous,
    System.View,
    System.Read,
    Global.LogEvent,
    Global.CancelTask,
    Global.Settings,
    Folder.Create,
    Datastore.Rename,
    Datastore.Move,
    Datastore.Delete,
    Datastore.Browse,
    Datastore.DeleteFile,
    Datastore.FileManagement,
    Datastore.AllocateSpace,
    Network.Config,
    Network.Assign,
    VirtualMachine.Inventory.Create,
    VirtualMachine.Inventory.Register,
    VirtualMachine.Inventory.Delete,
    VirtualMachine.Inventory.Unregister,
    VirtualMachine.Interact.PowerOn,
    VirtualMachine.Interact.PowerOff,
    VirtualMachine.Interact.Reset,
    VirtualMachine.Config.Rename,
    VirtualMachine.Config.AddExistingDisk,
    VirtualMachine.Config.AddNewDisk,
    VirtualMachine.Config.RemoveDisk,
    VirtualMachine.Config.RawDevice,
    VirtualMachine.Config.HostUSBDevice,
    VirtualMachine.Config.CPUCount,
    VirtualMachine.Config.Memory,
    VirtualMachine.Config.AddRemoveDevice,
    VirtualMachine.Config.EditDevice,
    VirtualMachine.Config.Settings,
    VirtualMachine.Config.Resource,
    VirtualMachine.Config.UpgradeVirtualHardware,
    VirtualMachine.Config.ResetGuestInfo,
    VirtualMachine.Config.AdvancedConfig,
    VirtualMachine.Config.DiskLease,
    VirtualMachine.Config.SwapPlacement,
    VirtualMachine.Config.DiskExtend,
    VirtualMachine.Config.ChangeTracking,
    VirtualMachine.Config.ReloadFromPath,
    VirtualMachine.State.CreateSnapshot,
    VirtualMachine.State.RevertToSnapshot,
    VirtualMachine.State.RemoveSnapshot,
    VirtualMachine.Provisioning.MarkAsTemplate,
    VirtualMachine.Provisioning.DiskRandomRead,
    VirtualMachine.Provisioning.GetVmFiles,
    Resource.AssignVMToPool,
    Task.Create,
    Task.Update,
    Sessions.ValidateSession)
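As an added example (not part of the original post and not VMware's own code), the script below goes one step further than the one-liner above: it creates the same role idempotently, binds it to the backup user on the vCenter root object with propagation, which is what the section above asks for, and then diffs the privileges the role actually carries against the required list so that extra or missing privileges show up on every re-run. It assumes an existing PowerCLI session (Connect-VIServer already run); the principal EXAMPLE\vdp-backup is a placeholder for your real backup account.

```powershell
# Added example, not from the original post. Assumes Connect-VIServer has
# already been run. 'EXAMPLE\vdp-backup' is a placeholder principal.

$RoleName  = 'VDP-Backup'
$Principal = 'EXAMPLE\vdp-backup'   # placeholder: replace with your backup user

# Privilege IDs from the table above, plus the three System.* privileges that
# every vCenter role carries (they are reported by Get-VIPrivilege -Role too).
$RequiredPrivileges = @(
    'System.Anonymous', 'System.View', 'System.Read',
    'Global.LogEvent', 'Global.CancelTask', 'Global.Settings',
    'Folder.Create',
    'Datastore.Rename', 'Datastore.Move', 'Datastore.Delete', 'Datastore.Browse',
    'Datastore.DeleteFile', 'Datastore.FileManagement', 'Datastore.AllocateSpace',
    'Network.Config', 'Network.Assign',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Register',
    'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Config.Rename', 'VirtualMachine.Config.AddExistingDisk',
    'VirtualMachine.Config.AddNewDisk', 'VirtualMachine.Config.RemoveDisk',
    'VirtualMachine.Config.RawDevice', 'VirtualMachine.Config.HostUSBDevice',
    'VirtualMachine.Config.CPUCount', 'VirtualMachine.Config.Memory',
    'VirtualMachine.Config.AddRemoveDevice', 'VirtualMachine.Config.EditDevice',
    'VirtualMachine.Config.Settings', 'VirtualMachine.Config.Resource',
    'VirtualMachine.Config.UpgradeVirtualHardware', 'VirtualMachine.Config.ResetGuestInfo',
    'VirtualMachine.Config.AdvancedConfig', 'VirtualMachine.Config.DiskLease',
    'VirtualMachine.Config.SwapPlacement', 'VirtualMachine.Config.DiskExtend',
    'VirtualMachine.Config.ChangeTracking', 'VirtualMachine.Config.ReloadFromPath',
    'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RevertToSnapshot',
    'VirtualMachine.State.RemoveSnapshot',
    'VirtualMachine.Provisioning.MarkAsTemplate', 'VirtualMachine.Provisioning.DiskRandomRead',
    'VirtualMachine.Provisioning.GetVmFiles',
    'Resource.AssignVMToPool',
    'Task.Create', 'Task.Update',
    'Sessions.ValidateSession'
)

# 1. Create the role only if it does not exist yet, so the script can be re-run.
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege (Get-VIPrivilege -Id $RequiredPrivileges)
}

# 2. Bind the role to the backup user on the vCenter root object (the top-level
#    folder returned by Get-Folder -NoRecursion) and propagate it, so every VM
#    stays visible to the user that edits backup jobs.
$root = Get-Folder -NoRecursion
if (-not (Get-VIPermission -Entity $root -Principal $Principal -ErrorAction SilentlyContinue)) {
    New-VIPermission -Entity $root -Principal $Principal -Role $role -Propagate:$true | Out-Null
}

# 3. Verify: the role must carry exactly the required privileges, nothing more
#    and nothing less. Compare-Object reports both directions.
$actual = (Get-VIPrivilege -Role $role).Id
$diff   = Compare-Object -ReferenceObject $RequiredPrivileges -DifferenceObject $actual
if ($diff) {
    Write-Warning "Role '$RoleName' drifts from the required privilege set:"
    $diff | ForEach-Object {
        $state = if ($_.SideIndicator -eq '=>') { 'extra  ' } else { 'missing' }
        Write-Warning ("  {0} {1}" -f $state, $_.InputObject)
    }
} else {
    Write-Host "Role '$RoleName' matches the required privilege set."
}
```

The verification step is the part worth keeping in a scheduled job: a role that someone later widened "to make a restore work" is reported as extra privileges, and a role that was recreated by hand from the PDF is reported as missing ones, which is the usual cause of the VDP button not appearing in the Web Client.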
  1. Thanks a lot for sharing.

    Something weird: it did not work for me. I even manually added all permissions from the PDF manual and it did not work...

    The VDP user logs in, and the VDP icon in the web client never shows up.

  2. Verify the settings you are permitting. The settings are slightly different for vDP 5.1 & 5.5
