VMware vCenter Server user privilege requirements

Certain VMware vCenter Server privileges are required to run Data Protection for VMware operations.

vCenter Server privileges required to protect VMware datacenters with the web-browser view for the Data Protection for VMware vSphere GUI

The vCenter Server user ID that signs on to the browser view for the Data Protection for VMware vSphere GUI must have sufficient VMware privileges to view content for a datacenter that is managed by the GUI.

For example, a VMware vSphere environment contains five datacenters. A user, "jenn", has sufficient privileges for only two of those datacenters. As a result, only those two datacenters are visible to "jenn" in the views. The other three datacenters (where "jenn" does not have privileges) are not visible to the user "jenn".

The VMware vCenter Server defines a set of privileges collectively as a role. A role is applied to an object for a specified user or group to create a privilege. From the VMware vSphere web client, you must create a role with a set of privileges. To create a vCenter Server role for backup and restore operations, use the VMware vSphere Client Add a Role function. You must assign this role to a user ID for a specified vCenter Server or datacenter. If you want to propagate the privileges to all datacenters within the vCenter, specify the vCenter Server and select the propagate to children check box. Otherwise, you can limit the permissions by assigning the role to only the required datacenters, with the propagate to children check box selected. Enforcement for the browser GUI is at the datacenter level.

The following example shows how to control access to datacenters for two VMware user groups. First, create a role that contains all of the privileges defined in technote 7047438. The set of privileges in this example is identified by the role named "TDPVMwareManage". Group 1 requires access to manage virtual machines for the Primary1_DC and Primary2_DC datacenters. Group 2 requires access to manage virtual machines for the Secondary1_DC and Secondary2_DC datacenters.

For Group 1, assign the "TDPVMwareManage" role to the Primary1_DC and Primary2_DC datacenters. For Group 2, assign the "TDPVMwareManage" role to the Secondary1_DC and Secondary2_DC datacenters.

The users in each VMware user group can use the Data Protection for VMware GUI to manage virtual machines in their respective datacenters only.

Tip: When you create a role, consider adding extra privileges to the role that you might need later to complete other tasks on objects.

vCenter Server privileges required to use the data mover

The IBM Spectrum Protect™ data mover that is installed on the vStorage Backup server (the data mover node) requires the VMCUser and VMCPw options. The VMCUser option specifies the user ID of the vCenter or ESX server that you want to back up, restore, or query. The required privileges that are assigned to this user ID (VMCUser) ensure that the client can run operations on the virtual machine and the VMware environment. This user ID must have the VMware privileges that are described in technote 7047438.

To create a vCenter Server role for backup and restore operations, use the VMware vSphere Client Add a Role function. You must select the propagate to children option when you add privileges for this user ID (VMCUser). In addition, consider adding other privileges to this role for tasks other than backup and restore. For the VMCUser option, enforcement is at the top-level object.

vCenter Server privileges required to protect VMware datacenters with the IBM Spectrum Protect vSphere Client plug-in view for the Data Protection for VMware vSphere GUI

The IBM Spectrum Protect vSphere Client plug-in requires a set of privileges that are separate from the privileges that are required to sign in to the GUI.

During installation, the following custom privileges are created for the IBM Spectrum Protect vSphere Client plug-in:
  • Datacenter > IBM Data Protection
  • Global > Configure IBM Data Protection

Custom privileges that are required for the IBM Spectrum Protect vSphere Client plug-in are registered as a separate extension. The privileges extension key is com.ibm.tsm.tdpvmware.IBMDataProtection.privileges.

These privileges allow the VMware administrator to enable and disable access to IBM Spectrum Protect vSphere Client plug-in content. Only users with these custom privileges on the required VMware object can access the IBM Spectrum Protect vSphere Client plug-in content. One IBM Spectrum Protect vSphere Client plug-in is registered for each vCenter Server and is shared by all GUI hosts that are configured to support the vCenter Server.

From the VMware vSphere web client, you must create a role for users who can complete data protection functions for virtual machines by using the IBM Spectrum Protect vSphere Client plug-in. For this role, in addition to the standard virtual machine administrator role privileges required by the web client, you must specify the Datacenter > IBM Data Protection privilege. For each datacenter, assign this role for each user or user group where you want to grant permission for the user to manage virtual machines.

The Global > Configure IBM Data Protection privilege is required for the user at the vCenter level. This privilege allows the user to manage, edit, or clear the connection between the vCenter Server and the Data Protection for VMware vSphere GUI web server. Assign this privilege to administrators who are familiar with the Data Protection for VMware vSphere GUI that protects their respective vCenter Server. Manage your IBM Spectrum Protect vSphere Client plug-in connections on the extension Connections page.

The following example shows how to control access to datacenters for two user groups. Group 1 requires access to manage virtual machines for the NewYork_DC and Boston_DC datacenters. Group 2 requires access to manage virtual machines for the LosAngeles_DC and SanFrancisco_DC datacenters.

From the VMware vSphere client, create a role, for example "IBMDataProtectManage", and assign to it the standard virtual machine administrator role privileges plus the Datacenter > IBM Data Protection privilege.

For Group 1, assign the "IBMDataProtectManage" role to the NewYork_DC and Boston_DC datacenters. For Group 2, assign the "IBMDataProtectManage" role to the LosAngeles_DC and SanFrancisco_DC datacenters.

The users in each group can use the IBM Spectrum Protect vSphere Client plug-in in the vSphere web client to manage virtual machines in their respective datacenters only.
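The datacenter-scoped role assignments described above (the "TDPVMwareManage" example for the browser GUI, the top-level assignment for the data mover's VMCUser, and the "IBMDataProtectManage" example for the plug-in) can be scripted with VMware PowerCLI. The following is an added example, not IBM's or VMware's code. It assumes PowerCLI is installed and the connected account may manage vCenter permissions; the vCenter name vcenter.example.com, the principals under VSPHERE.LOCAL, and the two privilege ID lists are placeholders (the real lists come from technote 7047438), and the custom plug-in privilege is looked up by its display name because the page gives the name, not its privilege ID. The last function reports, per datacenter, whether a principal holds the role there with propagation, which is the check behind the "jenn" visibility example.

```powershell
# Added example, not IBM or VMware code. Assumes VMware PowerCLI, an account
# that may manage vCenter permissions, and the placeholder names noted below.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.com'   # placeholder vCenter name

# Placeholder privilege lists: replace with the full sets from technote 7047438.
$backupPrivIds  = @('VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RemoveSnapshot')
$vmAdminPrivIds = @('VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff')

function New-ScopedRole {
    # Create the role once from privilege objects; reuse it on later runs.
    param([string]$Name, [object[]]$Privilege)
    $role = Get-VIRole -Name $Name -ErrorAction SilentlyContinue
    if (-not $role) { $role = New-VIRole -Name $Name -Privilege $Privilege }
    return $role
}

function Grant-RoleOnDatacenters {
    # Assign the role on the named datacenters only, propagating to children,
    # which is the scope the browser GUI enforces.
    param([string]$Principal, [string]$RoleName, [string[]]$Datacenter)
    $role = Get-VIRole -Name $RoleName
    foreach ($dc in Get-Datacenter -Name $Datacenter) {
        New-VIPermission -Entity $dc -Principal $Principal -Role $role -Propagate:$true | Out-Null
    }
}

function Get-DatacenterVisibility {
    # One row per datacenter: $true where the principal holds the role with
    # propagation, $false for the datacenters the GUI hides from that user.
    param([string]$Principal, [string]$RoleName)
    foreach ($dc in Get-Datacenter) {
        $hit = Get-VIPermission -Entity $dc | Where-Object {
            $_.Principal -eq $Principal -and $_.Role -eq $RoleName -and $_.Propagate
        }
        [pscustomobject]@{ Datacenter = $dc.Name; Visible = [bool]$hit }
    }
}

# 1. Browser-GUI role "TDPVMwareManage", scoped per datacenter for two groups.
New-ScopedRole -Name 'TDPVMwareManage' -Privilege (Get-VIPrivilege -Id $backupPrivIds) | Out-Null
Grant-RoleOnDatacenters -Principal 'VSPHERE.LOCAL\Group1' -RoleName 'TDPVMwareManage' `
    -Datacenter 'Primary1_DC', 'Primary2_DC'
Grant-RoleOnDatacenters -Principal 'VSPHERE.LOCAL\Group2' -RoleName 'TDPVMwareManage' `
    -Datacenter 'Secondary1_DC', 'Secondary2_DC'

# 2. Plug-in role "IBMDataProtectManage": VM administrator privileges plus the
#    custom "Datacenter > IBM Data Protection" privilege, looked up by display
#    name (assumption: the page gives the name, not the privilege ID).
$pluginPrivs = @(Get-VIPrivilege -Id $vmAdminPrivIds) + @(Get-VIPrivilege -Name 'IBM Data Protection')
New-ScopedRole -Name 'IBMDataProtectManage' -Privilege $pluginPrivs | Out-Null
Grant-RoleOnDatacenters -Principal 'VSPHERE.LOCAL\Group1' -RoleName 'IBMDataProtectManage' `
    -Datacenter 'NewYork_DC', 'Boston_DC'
Grant-RoleOnDatacenters -Principal 'VSPHERE.LOCAL\Group2' -RoleName 'IBMDataProtectManage' `
    -Datacenter 'LosAngeles_DC', 'SanFrancisco_DC'

# 3. Data mover user (VMCUser): enforced at the top-level object, so the role
#    goes on the root folder with propagation, not on individual datacenters.
$root = Get-Folder -NoRecursion
New-VIPermission -Entity $root -Principal 'VSPHERE.LOCAL\tdp-datamover' `
    -Role (Get-VIRole -Name 'TDPVMwareManage') -Propagate:$true | Out-Null

# Verify: Group1 should read $true only for Primary1_DC and Primary2_DC.
Get-DatacenterVisibility -Principal 'VSPHERE.LOCAL\Group1' -RoleName 'TDPVMwareManage' | Format-Table -AutoSize
```

Run the visibility check for each group after the assignments: a datacenter that reads $false for a group is one that the browser GUI will not show to that group's members, and a role that is present but without Propagate set is the usual cause of the permission errors described in the next section.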

Issues related to insufficient permissions

When the web browser user does not have sufficient permissions for any datacenter, access to the view is blocked. Instead, the error message GVM2013E is issued to advise that the user is not authorized to access any managed datacenters due to insufficient permissions. Other new messages are also available that inform users of issues that result from insufficient permissions. To resolve any permissions-related issues, make sure that the user role is set up as described in the previous sections. The user role must have all privileges that are identified in the Required privileges vCenter Server user ID and data mover table, and these privileges must be applied at the datacenter level with the propagate to children check box selected.

When the IBM Spectrum Protect vSphere Client plug-in user does not have sufficient permissions for a datacenter, the data protection functions for that datacenter and its content are made unavailable in the extension.

When the IBM Spectrum Protect user ID (specified by the VMCUser option) has insufficient permissions for a backup and restore operation, the following message is shown:
    ANS9365E VMware vStorage API error.
    "Permission to perform this operation was denied."
When the IBM Spectrum Protect user ID has insufficient permissions to view a virtual machine, the following messages are shown:
    Backup VM command started.  Total number of virtual machines to process: 1
    ANS4155E Virtual Machine 'tango' could not be found on VMware server.
    ANS4148E Full VM backup of Virtual Machine 'foxtrot' failed with RC 4390
To retrieve log information through the VMware Virtual Center Server for permission problems, complete these steps:
  1. In vCenter Server Settings, select Logging Options and set vCenter Logging to "Trivia (Trivia)".
  2. Re-create the permission error.
  3. Reset vCenter Logging to its previous value to prevent recording excessive log information.
  4. In System Logs, look for the most current vCenter Server log (vpxd-wxyz.log) and search for the string NoPermission. For example:
    [2011-04-27 15:15:35.955 03756 verbose 'App'] [VpxVmomi] Invoke error: 
    vim.VirtualMachine.createSnapshot session: 92324BE3-CD53-4B5A-B7F5-96C5FAB3F0EE 
    Throw: vim.fault.NoPermission
    This log message indicates that the user ID did not contain sufficient permissions to create a snapshot (createSnapshot).
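Step 4 is a search through what can be a large log, and the interesting information (which method was denied, in which session) sits on the line after the "Invoke error" entry. The following added example, which is not IBM's or VMware's code, extracts every NoPermission fault from vpxd log lines into one object per fault and groups them by method, so the denied operations can be matched against the privileges in the user's role. The sample log is constructed inline: its first entry is the page's own example, the other two are made up (one of them a different fault type, to show that only NoPermission is reported). The regular expression assumes the line layout shown above; other vCenter versions may format vpxd entries differently.

```powershell
# Added example, not IBM or VMware code: triage vpxd log lines for NoPermission faults.
function Find-VpxdNoPermission {
    param([string[]]$Line)
    # A fault spans three lines (Invoke error / method + session / Throw), so the
    # lines are joined and matched as one string.
    $text = $Line -join "`n"
    $pattern = '\[(?<ts>[\d-]+ [\d:.]+)[^\]]*\]\s*\[VpxVmomi\] Invoke error:\s*' +
               '(?<method>[\w.]+)\s+session:\s*(?<session>[0-9A-Fa-f-]+)\s*' +
               'Throw:\s*vim\.fault\.NoPermission'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        [pscustomobject]@{
            Timestamp = $m.Groups['ts'].Value
            Method    = $m.Groups['method'].Value     # e.g. vim.VirtualMachine.createSnapshot
            Session   = $m.Groups['session'].Value
        }
    }
}

# Constructed sample log: entry 1 is the page's example, entries 2 and 3 are made up.
$sample = @(
    "[2011-04-27 15:15:35.955 03756 verbose 'App'] [VpxVmomi] Invoke error: ",
    "vim.VirtualMachine.createSnapshot session: 92324BE3-CD53-4B5A-B7F5-96C5FAB3F0EE ",
    "Throw: vim.fault.NoPermission",
    "[2011-04-27 15:15:36.010 03756 verbose 'App'] [VpxVmomi] Invoke error: ",
    "vim.VirtualMachine.removeAllSnapshots session: 92324BE3-CD53-4B5A-B7F5-96C5FAB3F0EE ",
    "Throw: vim.fault.NoPermission",
    "[2011-04-27 15:15:36.200 03756 verbose 'App'] [VpxVmomi] Invoke error: ",
    "vim.VirtualMachine.createSnapshot session: 92324BE3-CD53-4B5A-B7F5-96C5FAB3F0EE ",
    "Throw: vim.fault.InvalidState"
)

# Expected: two NoPermission faults, one per method; the InvalidState entry is ignored.
Find-VpxdNoPermission -Line $sample | Format-Table -AutoSize
Find-VpxdNoPermission -Line $sample | Group-Object Method | Select-Object Name, Count

# On a real log (file name as shown in step 4 above):
# Find-VpxdNoPermission -Line (Get-Content 'vpxd-wxyz.log') | Group-Object Method
```

Grouping by method gives a short list of the operations the user ID was refused; each one corresponds to a privilege that the role assigned to that user is missing (for createSnapshot, the snapshot-creation privilege), and the session ID lets you confirm that all of the faults came from the same client session before changing the role.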