In some environments you might have to reduce the permissions given to the vSphere Data Protection (VDP) backup user to as few as possible. The documentation provided by VMware is a little ambiguous on that topic. The permissions given in this post are the minimum required for the following purposes:
- The VDP backup user (the user that the appliance uses to talk to the vCenter Server)
- Configuring and adding backup/restore jobs
- Seeing the vSphere Data Protection button in the vSphere Web Client
Required permissions for vSphere Data Protection
These permissions are required for vSphere Data Protection to work. You have to assign them on the vCenter object (the root of the inventory), not on individual folders or VMs. Please note that you should not give different users permissions to back up different virtual machines: when you edit a backup job that contains VMs that are not visible to you, those virtual machines get removed from the backup job.
| Id | Name |
| --- | --- |
| Global.LogEvent | Log event |
| Global.CancelTask | Cancel task |
| Global.Settings | Settings |
| Folder.Create | Create folder |
| Datastore.Rename | Rename datastore |
| Datastore.Move | Move datastore |
| Datastore.Delete | Remove datastore |
| Datastore.Browse | Browse datastore |
| Datastore.DeleteFile | Remove file |
| Datastore.FileManagement | Low level file operations |
| Datastore.AllocateSpace | Allocate space |
| Network.Config | Configure |
| Network.Assign | Assign network |
| VirtualMachine.Inventory.Create | Create new |
| VirtualMachine.Inventory.Register | Register |
| VirtualMachine.Inventory.Delete | Remove |
| VirtualMachine.Inventory.Unregister | Unregister |
| VirtualMachine.Interact.PowerOn | Power On |
| VirtualMachine.Interact.PowerOff | Power Off |
| VirtualMachine.Interact.Reset | Reset |
| VirtualMachine.Config.Rename | Rename |
| VirtualMachine.Config.AddExistingDisk | Add existing disk |
| VirtualMachine.Config.AddNewDisk | Add new disk |
| VirtualMachine.Config.RemoveDisk | Remove disk |
| VirtualMachine.Config.RawDevice | Raw device |
| VirtualMachine.Config.HostUSBDevice | Host USB device |
| VirtualMachine.Config.CPUCount | Change CPU count |
| VirtualMachine.Config.Memory | Memory |
| VirtualMachine.Config.AddRemoveDevice | Add or remove device |
| VirtualMachine.Config.EditDevice | Modify device settings |
| VirtualMachine.Config.Settings | Settings |
| VirtualMachine.Config.Resource | Change resource |
| VirtualMachine.Config.UpgradeVirtualHardware | Upgrade virtual machine compatibility |
| VirtualMachine.Config.ResetGuestInfo | Reset guest information |
| VirtualMachine.Config.AdvancedConfig | Advanced |
| VirtualMachine.Config.DiskLease | Disk lease |
| VirtualMachine.Config.SwapPlacement | Swapfile placement |
| VirtualMachine.Config.DiskExtend | Extend virtual disk |
| VirtualMachine.Config.ChangeTracking | Disk change tracking |
| VirtualMachine.Config.ReloadFromPath | Reload from path |
| VirtualMachine.State.CreateSnapshot | Create snapshot |
| VirtualMachine.State.RevertToSnapshot | Revert to snapshot |
| VirtualMachine.State.RemoveSnapshot | Remove snapshot |
| VirtualMachine.Provisioning.MarkAsTemplate | Mark as template |
| VirtualMachine.Provisioning.DiskRandomRead | Allow read-only disk access |
| VirtualMachine.Provisioning.GetVmFiles | Allow virtual machine download |
| Resource.AssignVMToPool | Assign virtual machine to resource pool |
| Task.Create | Create task |
| Task.Update | Update task |
| Sessions.ValidateSession | Validate session |
PowerCLI Script to Create a Role
This small PowerCLI script creates a role named VDP-Backup with the required permissions. You have to be connected to the vCenter Server first (check this post if you are new to PowerCLI). The System.Anonymous, System.View and System.Read privileges passed in the script are part of every vCenter role anyway, which is why they do not appear in the table above:
```powershell
# Privilege IDs for the VDP-Backup role (the table above plus the implicit System.* privileges).
$privileges = @(
    'System.Anonymous', 'System.View', 'System.Read',
    'Global.LogEvent', 'Global.CancelTask', 'Global.Settings',
    'Folder.Create',
    'Datastore.Rename', 'Datastore.Move', 'Datastore.Delete', 'Datastore.Browse',
    'Datastore.DeleteFile', 'Datastore.FileManagement', 'Datastore.AllocateSpace',
    'Network.Config', 'Network.Assign',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Register',
    'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.Reset',
    'VirtualMachine.Config.Rename', 'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.RemoveDisk', 'VirtualMachine.Config.RawDevice', 'VirtualMachine.Config.HostUSBDevice',
    'VirtualMachine.Config.CPUCount', 'VirtualMachine.Config.Memory', 'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Config.EditDevice', 'VirtualMachine.Config.Settings', 'VirtualMachine.Config.Resource',
    'VirtualMachine.Config.UpgradeVirtualHardware', 'VirtualMachine.Config.ResetGuestInfo',
    'VirtualMachine.Config.AdvancedConfig', 'VirtualMachine.Config.DiskLease', 'VirtualMachine.Config.SwapPlacement',
    'VirtualMachine.Config.DiskExtend', 'VirtualMachine.Config.ChangeTracking', 'VirtualMachine.Config.ReloadFromPath',
    'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RevertToSnapshot', 'VirtualMachine.State.RemoveSnapshot',
    'VirtualMachine.Provisioning.MarkAsTemplate', 'VirtualMachine.Provisioning.DiskRandomRead',
    'VirtualMachine.Provisioning.GetVmFiles',
    'Resource.AssignVMToPool',
    'Task.Create', 'Task.Update',
    'Sessions.ValidateSession'
)

# Create the role on the connected vCenter Server.
New-VIRole -Name 'VDP-Backup' -Privilege (Get-VIPrivilege -Id $privileges)
```
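Creating the role is only half of the job: the note above says the permission has to sit on the vCenter object, and a practitioner will want to verify that the role actually carries the whole list before the first backup runs. The following PowerCLI fragment is an added example, not part of the original post or of VMware's documentation. It assumes an active Connect-VIServer session, that the VDP-Backup role has already been created, and it uses `DOMAIN\svc-vdp` as a placeholder for the VDP backup service account. It compares the role's privileges against the table, grants the role once at the vCenter root object with propagation, and reads the resulting permission back.

```powershell
# Added example (not from the original post). Assumes an active Connect-VIServer
# session and an existing VDP-Backup role. 'DOMAIN\svc-vdp' is a placeholder account.
$roleName  = 'VDP-Backup'
$principal = 'DOMAIN\svc-vdp'

# The privilege IDs from the table. The System.* privileges belong to every role,
# so they are excluded from the comparison below.
$required = @(
    'Global.LogEvent', 'Global.CancelTask', 'Global.Settings',
    'Folder.Create',
    'Datastore.Rename', 'Datastore.Move', 'Datastore.Delete', 'Datastore.Browse',
    'Datastore.DeleteFile', 'Datastore.FileManagement', 'Datastore.AllocateSpace',
    'Network.Config', 'Network.Assign',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Register',
    'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.Reset',
    'VirtualMachine.Config.Rename', 'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.RemoveDisk', 'VirtualMachine.Config.RawDevice', 'VirtualMachine.Config.HostUSBDevice',
    'VirtualMachine.Config.CPUCount', 'VirtualMachine.Config.Memory', 'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Config.EditDevice', 'VirtualMachine.Config.Settings', 'VirtualMachine.Config.Resource',
    'VirtualMachine.Config.UpgradeVirtualHardware', 'VirtualMachine.Config.ResetGuestInfo',
    'VirtualMachine.Config.AdvancedConfig', 'VirtualMachine.Config.DiskLease', 'VirtualMachine.Config.SwapPlacement',
    'VirtualMachine.Config.DiskExtend', 'VirtualMachine.Config.ChangeTracking', 'VirtualMachine.Config.ReloadFromPath',
    'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RevertToSnapshot', 'VirtualMachine.State.RemoveSnapshot',
    'VirtualMachine.Provisioning.MarkAsTemplate', 'VirtualMachine.Provisioning.DiskRandomRead',
    'VirtualMachine.Provisioning.GetVmFiles',
    'Resource.AssignVMToPool',
    'Task.Create', 'Task.Update',
    'Sessions.ValidateSession'
)

# 1. Verify the role: warn about privileges that are missing and about any that go
#    beyond the list (the point of the exercise is least privilege).
$role    = Get-VIRole -Name $roleName -ErrorAction Stop
$missing = $required | Where-Object { $role.PrivilegeList -notcontains $_ }
$extra   = $role.PrivilegeList | Where-Object { ($required -notcontains $_) -and ($_ -notlike 'System.*') }
if ($missing) { Write-Warning "Role $roleName is missing: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Role $roleName carries privileges beyond the list: $($extra -join ', ')" }

# 2. Grant the role once at the vCenter root object, propagating to all children.
#    Get-Folder -NoRecursion returns the root folder of the connected vCenter Server.
$root     = Get-Folder -NoRecursion
$existing = Get-VIPermission -Entity $root -Principal $principal -ErrorAction SilentlyContinue
if (-not $existing) {
    New-VIPermission -Entity $root -Principal $principal -Role $role -Propagate:$true
} else {
    # Re-point an existing permission at the role instead of creating a duplicate.
    Set-VIPermission -Permission $existing -Role $role -Propagate:$true
}

# 3. Read the permission back for the change record.
Get-VIPermission -Entity $root -Principal $principal |
    Select-Object Principal, Role, Propagate, Entity
```

If the "missing" warning fires, the role was edited in the Web Client after creation or built from a different version of the manual; if "extra" fires, somebody has widened it. Both are worth catching before troubleshooting a missing VDP button.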
Thanks a lot for sharing.
Something weird: it did not work for me. I even manually added all permissions from the PDF manual and it did not work...
The VDP user logs in, and the VDP icon in the Web Client never shows up.
Verify the settings you are permitting. The settings are slightly different for VDP 5.1 and 5.5.