Once Agent for ESX(i) is deployed to a vCenter's host or cluster, any user of the vCenter Server can connect a management console to the agent. The scope of available operations depends on the privileges a user has on the vCenter Server: only the actions the user has permission to perform are available. The tables below list the privileges required for backup and recovery of ESX virtual machines and, additionally, for virtual appliance deployment.
If the agent was deployed directly to an ESX/ESXi host or manually imported to the host, and you want the vCenter users to be able to connect to the agent and the privileges below to take effect, connect the agent to the vCenter Server rather than to the ESX/ESXi host. To change the connection, access the virtual appliance GUI using the vSphere Client and specify access credentials for the vCenter Server in the ESX(i)/vCenter setting.
Privileges on vCenter Server or ESX/ESXi host
The table below outlines the privileges a vCenter Server user must have to perform operations on all the vCenter hosts and clusters.
To enable a user to operate on a specific ESX host only, assign the user the same privileges on the host. In addition, the Global > Licenses privilege is required to back up virtual machines of a specific ESX host.
Operations are listed across the columns; a + marks a privilege required for that operation.

| Object | Privilege | Back up a VM | Back up a VM's disk | Recover to a new VM | Recover to an existing VM | VA deployment |
|---|---|---|---|---|---|---|
| Datastore | Allocate space | | | + | + | + |
| | Browse datastore | | | | | + |
| | Low level file operations | | | | | + |
| Global | Licenses | + (required on ESX host only) | + (required on ESX host only) | + | + | |
| Network | Assign network | | | + | + | + |
| Resource | Assign VM to resource pool | | | + | + | + |
| Virtual machine > Configuration | Add existing disk | + | + | + | | |
| | Add new disk | | | + | + | + |
| | Add or remove device | | | + | | + |
| | Change CPU count | | | + | | |
| | Memory | | | + | | |
| | Remove disk | + | + | + | + | |
| | Rename | | | + | | |
| | Settings | | | | + | |
| Virtual machine > Interaction | Configure CD media | | | + | | |
| | Console interaction | | | | | + |
| | Power off | | | | + | + |
| | Power on | | | + | + | + |
| Virtual machine > Inventory | Create from existing | | | + | + | |
| | Create new | | | + | + | + |
| | Remove | | | + | + | + |
| Virtual machine > Provisioning | Allow disk access | | | + | + | |
| Virtual machine > State | Create snapshot | + | + | | + | + |
| | Remove snapshot | + | + | | + | + |

Privileges for a folder
To enable a user to operate within a specific vCenter folder, assign the user the following privileges on the folder.
Operations are listed across the columns; a + marks a privilege required for that operation.

| Object | Privilege | Back up a VM | Back up a VM's disk | Recover to an existing VM |
|---|---|---|---|---|
| Datastore | Allocate space | | | + |
| Global | Licenses | + | + | + |
| Network | Assign network | | | + |
| Resource | Assign VM to resource pool | | | + |
| Virtual machine > Configuration | Add existing disk | + | + | |
| | Add new disk | | | + |
| | Remove disk | + | + | + |
| | Settings | | | + |
| Virtual machine > Interaction | Power off | | | + |
| | Power on | | | + |
| Virtual machine > Inventory | Create from existing | | | + |
| | Create new | | | + |
| | Remove | | | + |
| Virtual machine > Provisioning | Allow disk access | | | + |
| Virtual machine > State | Create snapshot | + | + | + |
| | Remove snapshot | + | + | + |
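
The folder table's "Back up a VM" column can be turned into a dedicated least-privilege role and then audited for drift. The PowerCLI script below is an added example, not part of the original documentation. The server, folder, role and account names are placeholders, and the privilege IDs are assumed to be the vSphere API identifiers for the display names in the table, so confirm them with Get-VIPrivilege on your vCenter version.

```powershell
# Added example: least-privilege role for "Back up a VM" inside one vCenter folder.
# Requires VMware PowerCLI. All names below are placeholders.
$Server    = 'vcenter.example.local'   # placeholder vCenter Server
$Folder    = 'Backup-Scope'            # placeholder folder name
$RoleName  = 'VM-Backup-Only'          # placeholder role name
$Principal = 'EXAMPLE\svc-backup'      # placeholder account

# Privilege IDs assumed to match the display names in the folder table
# ("Back up a VM" column). Verify each with: Get-VIPrivilege -Id <id>
$Required = @(
    'Global.Licenses',
    'VirtualMachine.Config.AddExistingDisk',
    'VirtualMachine.Config.RemoveDisk',
    'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RemoveSnapshot'
)

Connect-VIServer -Server $Server | Out-Null

# Fail early if an assumed ID does not resolve on this vCenter.
$privs = Get-VIPrivilege -Id $Required -ErrorAction Stop
$unresolved = $Required | Where-Object { $_ -notin $privs.Id }
if ($unresolved) { throw "Unknown privilege IDs: $($unresolved -join ', ')" }

# Create the role if it does not exist, then grant it on the folder.
# Propagation to child objects is an assumption: the user is meant to
# operate on the VMs inside the folder, not on the folder object alone.
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) { $role = New-VIRole -Name $RoleName -Privilege $privs }
New-VIPermission -Entity (Get-Folder -Name $Folder) -Principal $Principal `
    -Role $role -Propagate:$true | Out-Null

# Audit: compare what the role grants with what the table requires.
# vCenter adds System.* privileges to every role, so they are ignored.
$granted = (Get-VIRole -Name $RoleName).PrivilegeList |
    Where-Object { $_ -notlike 'System.*' }
$diff = Compare-Object -ReferenceObject $Required -DifferenceObject $granted
$diff | ForEach-Object {
    $kind = if ($_.SideIndicator -eq '=>') { 'EXCESS' } else { 'MISSING' }
    '{0}: {1}' -f $kind, $_.InputObject
}
if (-not $diff) { 'Role matches the required privilege set.' }
```

Rerunning only the audit portion on a schedule shows when someone has widened the role beyond the backup column of the table.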