VMware VDP Required Permissions

In some environments you may have to reduce the permissions granted to the vSphere Data Protection (VDP) backup user to as few as possible. The documentation provided by VMware is a little ambiguous on that topic. The permissions listed in this post are required at least for the following purposes:

  • VDP backup user (the user that the appliance uses to talk to the vCenter Server)
  • Configure and Add Backup/Restore Jobs
  • See the vSphere Data Protection button in the vSphere Web Client

Required permissions for vSphere Data Protection

These permissions are required for vSphere Data Protection to work. You have to assign them on the vCenter object. Please note that you should not give different users permissions to back up different virtual machines: when you edit a backup job that contains VMs that are not visible to you, those virtual machines are removed from the backup job.

Id                                            Name
Global.LogEvent                               Log event
Global.CancelTask                             Cancel task
Global.Settings                               Settings
Folder.Create                                 Create folder
Datastore.Rename                              Rename datastore
Datastore.Move                                Move datastore
Datastore.Delete                              Remove datastore
Datastore.Browse                              Browse datastore
Datastore.DeleteFile                          Remove file
Datastore.FileManagement                      Low level file operations
Datastore.AllocateSpace                       Allocate space
Network.Config                                Configure
Network.Assign                                Assign network
VirtualMachine.Inventory.Create               Create new
VirtualMachine.Inventory.Register             Register
VirtualMachine.Inventory.Delete               Remove
VirtualMachine.Inventory.Unregister           Unregister
VirtualMachine.Interact.PowerOn               Power On
VirtualMachine.Interact.PowerOff              Power Off
VirtualMachine.Interact.Reset                 Reset
VirtualMachine.Config.Rename                  Rename
VirtualMachine.Config.AddExistingDisk         Add existing disk
VirtualMachine.Config.AddNewDisk              Add new disk
VirtualMachine.Config.RemoveDisk              Remove disk
VirtualMachine.Config.RawDevice               Raw device
VirtualMachine.Config.HostUSBDevice           Host USB device
VirtualMachine.Config.CPUCount                Change CPU count
VirtualMachine.Config.Memory                  Memory
VirtualMachine.Config.AddRemoveDevice         Add or remove device
VirtualMachine.Config.EditDevice              Modify device settings
VirtualMachine.Config.Settings                Settings
VirtualMachine.Config.Resource                Change resource
VirtualMachine.Config.UpgradeVirtualHardware  Upgrade virtual machine compatibility
VirtualMachine.Config.ResetGuestInfo          Reset guest information
VirtualMachine.Config.AdvancedConfig          Advanced
VirtualMachine.Config.DiskLease               Disk lease
VirtualMachine.Config.SwapPlacement           Swapfile placement
VirtualMachine.Config.DiskExtend              Extend virtual disk
VirtualMachine.Config.ChangeTracking          Disk change tracking
VirtualMachine.Config.ReloadFromPath          Reload from path
VirtualMachine.State.CreateSnapshot           Create snapshot
VirtualMachine.State.RevertToSnapshot         Revert to snapshot
VirtualMachine.State.RemoveSnapshot           Remove Snapshot
VirtualMachine.Provisioning.MarkAsTemplate    Mark as template
VirtualMachine.Provisioning.DiskRandomRead    Allow read-only disk access
VirtualMachine.Provisioning.GetVmFiles        Allow virtual machine download
Resource.AssignVMToPool                       Assign virtual machine to resource pool
Task.Create                                   Create task
Task.Update                                   Update task
Sessions.ValidateSession                      Validate session

PowerShell Script to Create a Role

This small PowerCLI script creates a role named VDP-Backup with the required permissions. You have to be connected to the vCenter Server. (Check this post if you are new to PowerCLI):

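# System.Anonymous, System.View and System.Read are the default privileges that vCenter includes in every role.
New-VIRole -Name VDP-Backup -Privilege (Get-VIPrivilege -Id System.Anonymous,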
System.View,
System.Read,
Global.LogEvent,
Global.CancelTask,
Global.Settings,
Folder.Create,
Datastore.Rename,
Datastore.Move,
Datastore.Delete,
Datastore.Browse,
Datastore.DeleteFile,
Datastore.FileManagement,
Datastore.AllocateSpace,
Network.Config,
Network.Assign,
VirtualMachine.Inventory.Create,
VirtualMachine.Inventory.Register,
VirtualMachine.Inventory.Delete,
VirtualMachine.Inventory.Unregister,
VirtualMachine.Interact.PowerOn,
VirtualMachine.Interact.PowerOff,
VirtualMachine.Interact.Reset,
VirtualMachine.Config.Rename,
VirtualMachine.Config.AddExistingDisk,
VirtualMachine.Config.AddNewDisk,
VirtualMachine.Config.RemoveDisk,
VirtualMachine.Config.RawDevice,
VirtualMachine.Config.HostUSBDevice,
VirtualMachine.Config.CPUCount,
VirtualMachine.Config.Memory,
VirtualMachine.Config.AddRemoveDevice,
VirtualMachine.Config.EditDevice,
VirtualMachine.Config.Settings,
VirtualMachine.Config.Resource,
VirtualMachine.Config.UpgradeVirtualHardware,
VirtualMachine.Config.ResetGuestInfo,
VirtualMachine.Config.AdvancedConfig,
VirtualMachine.Config.DiskLease,
VirtualMachine.Config.SwapPlacement,
VirtualMachine.Config.DiskExtend,
VirtualMachine.Config.ChangeTracking,
VirtualMachine.Config.ReloadFromPath,
VirtualMachine.State.CreateSnapshot,
VirtualMachine.State.RevertToSnapshot,
VirtualMachine.State.RemoveSnapshot,
VirtualMachine.Provisioning.MarkAsTemplate,
VirtualMachine.Provisioning.DiskRandomRead,
VirtualMachine.Provisioning.GetVmFiles,
Resource.AssignVMToPool,
Task.Create,
Task.Update,
Sessions.ValidateSession)
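
A role built for least privilege only stays that way if it is checked later. The following PowerCLI check is an added example, not part of the original post: it compares the privileges currently held by the VDP-Backup role with the list above and shows where the role is assigned. It assumes an existing Connect-VIServer session; the variable names are illustrative.

```powershell
# Added example: audit the VDP-Backup role for privilege drift.
# Assumes an existing Connect-VIServer session; variable names are illustrative.
$roleName = 'VDP-Backup'

# Baseline: the privilege IDs from the script above, grouped by prefix.
$groups = [ordered]@{
    'System'                      = 'Anonymous', 'View', 'Read'
    'Global'                      = 'LogEvent', 'CancelTask', 'Settings'
    'Folder'                      = 'Create'
    'Datastore'                   = 'Rename', 'Move', 'Delete', 'Browse', 'DeleteFile',
                                    'FileManagement', 'AllocateSpace'
    'Network'                     = 'Config', 'Assign'
    'VirtualMachine.Inventory'    = 'Create', 'Register', 'Delete', 'Unregister'
    'VirtualMachine.Interact'     = 'PowerOn', 'PowerOff', 'Reset'
    'VirtualMachine.Config'       = 'Rename', 'AddExistingDisk', 'AddNewDisk', 'RemoveDisk',
                                    'RawDevice', 'HostUSBDevice', 'CPUCount', 'Memory',
                                    'AddRemoveDevice', 'EditDevice', 'Settings', 'Resource',
                                    'UpgradeVirtualHardware', 'ResetGuestInfo', 'AdvancedConfig',
                                    'DiskLease', 'SwapPlacement', 'DiskExtend', 'ChangeTracking',
                                    'ReloadFromPath'
    'VirtualMachine.State'        = 'CreateSnapshot', 'RevertToSnapshot', 'RemoveSnapshot'
    'VirtualMachine.Provisioning' = 'MarkAsTemplate', 'DiskRandomRead', 'GetVmFiles'
    'Resource'                    = 'AssignVMToPool'
    'Task'                        = 'Create', 'Update'
    'Sessions'                    = 'ValidateSession'
}
$expected = foreach ($g in $groups.GetEnumerator()) {
    foreach ($suffix in $g.Value) { '{0}.{1}' -f $g.Key, $suffix }
}

# Privileges the role holds right now.
$role   = Get-VIRole -Name $roleName -ErrorAction Stop
$actual = @($role.PrivilegeList)

# '<=' is only in the baseline (missing), '=>' is only in the role (extra).
$diff = @(Compare-Object -ReferenceObject $expected -DifferenceObject $actual)
[pscustomobject]@{
    Role    = $roleName
    Missing = @($diff | Where-Object SideIndicator -eq '<=').InputObject
    Extra   = @($diff | Where-Object SideIndicator -eq '=>').InputObject
} | Format-List

# Where the role is granted, to whom, and whether it propagates to child objects.
Get-VIPermission | Where-Object Role -eq $roleName |
    Select-Object Principal, Entity, Propagate
```

Empty Missing and Extra fields mean the role still matches the list in this post; any entry under Extra is a privilege someone added after the role was created.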

2 thoughts on “VMware VDP Required Permissions”

  1. Thanks a lot for sharing.

    Something weird: it did not work for me. I even manually added all permissions from the PDF manual and it did not work...

    The VDP user logs in and the VDP icon in the web client never shows up.
