This article describes the vCenter Server permissions needed to perform backup and recovery operations with the TSM for Virtual Environments - Data Protection for VMware Version 6.x product (6.2, 6.3, 6.4).
To use Tivoli Storage Manager (TSM) for Virtual Environments - Data Protection for VMware to back up and recover virtual machines, the TSM user must authenticate to the VMware vCenter Server with a user ID that has sufficient privileges to perform these operations (specifically, the user ID specified in the Vmcuser option in the TSM Backup-Archive client options file). While users may choose to use the Administrator account (which has "All Privileges" authority in the VMware vCenter Server), this document provides the minimum set of privileges needed for backup and recovery operations. Note that even this minimum set lets the account read the virtual disks of every virtual machine below the object where the permission is applied, so the Vmcuser credential should be protected accordingly.
In the VMware vCenter Server, a set of privileges is collectively defined as a role; a role can be applied to an object for a specified user or group in order to create a permission.
The specified "user" refers to a Windows user defined on the VMware vCenter Server or in Active Directory. It is recommended to use Active Directory users when possible to provide central management of users. Note that the user does not need any special rights in the context of the Windows VMware vCenter Server or Active Directory; you can create a new user (e.g., "TSMuser") dedicated to backup and recovery and use VMware vCenter roles to assign the user the appropriate privileges.
Note that this article assumes that these roles will be created on the vCenter Server and not on individual ESX or ESXi host machines.
This article pertains to VMware vCenter Server 4.x and 5.x and not to previous versions such as vCenter Server 2.5 and prior.
vCenter Server Role for Backup and Recovery Operations
To create a vCenter Server role for backup and recovery operations, add a role (e.g., named "TSM DP for VMware") using the vSphere Client and add the following privileges:
- Datastore -> Allocate space, Browse datastore, Low level file operations
- Global -> Licenses
- Network -> Assign network
- Resource -> Assign virtual machine to resource pool
- vApp -> Add virtual machine, Assign resource pool, Create
- Virtual machine -> Configuration -> Add existing disk, Add new disk, Add or Remove device, Advanced, Change CPU count, Change resource, Disk change tracking, Disk Lease, Host USB device, Memory, Modify device setting, Raw device, Reload from path [2], Remove disk, Rename, Reset guest information, Settings, Swapfile placement, Upgrade virtual hardware
- Virtual machine -> Guest Operations [1] -> Guest Operation Modifications, Guest Operation Program Execution, Guest Operation Queries (vSphere 5.0/5.1)
- Virtual machine -> Inventory -> Create new, Register, Remove, Unregister
- Virtual machine -> Provisioning -> Allow disk access, Allow read-only disk access, Allow virtual machine download
- Virtual machine -> State -> Create snapshot, Remove snapshot, Revert to snapshot (vSphere 4), or
- Virtual machine -> Snapshot management -> State -> Create snapshot, Remove snapshot, Revert to snapshot (vSphere 5.0/5.1)
Because the recovery operation requires privileges for operations on hosts, networks, and datastores, this new role must be applied to the Datacenter object or higher in the VMware vCenter Server hierarchy for the user specified in the Vmcuser option. Ensure that the "Propagate to Child Objects" checkbox is selected when adding the permission.
Note: for Tivoli Storage Manager for Virtual Environments - Data Protection for VMware V6.4.1 and higher, this new role must be applied at the top-level vCenter Server object. Failure to apply the role at the vCenter Server object can result in the following error during backup or recovery:
Not licensed to use this function. Error 16064 at 2357
Please refer to VMware Knowledge Base 2063054 for more information on this requirement.
Note that you should consider adding other privileges to this role that might be needed for the user to perform other tasks not related to backup and recovery.
[1] The "Guest Operations" privileges are needed only if you are using the Data Protection for VMware feature to protect Microsoft Exchange Server or Microsoft SQL Server applications that run inside virtual machine guests; this feature was introduced with Data Protection for VMware Version 6.4 and is available only for vSphere 5. Because "Guest Operation Program Execution" allows the account to run programs inside the guest operating system, leave these privileges out of the role unless you use that feature.
[2] This privilege is available only in VMware vCenter Server 4.1; if you are using vCenter Server 4.0 you can ignore this setting.
vCenter Server Role for Installation
To install the Tivoli Storage Manager for Virtual Environments - Data Protection for VMware vSphere Client plug-in, the vSphere user requires the following privileges:
- Extension -> Register extension, Unregister extension, Update extension
This new role must be applied to the vCenter object in the VMware vCenter Server hierarchy for the user specified during the installation process.
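The following PowerCLI script is an added example and is not part of the IBM article or the TSM product. It creates the backup and recovery role described above (with the Guest Operations privileges as an option), assigns it with propagation at the Datacenter or, for V6.4.1 and higher, at the vCenter Server object, and can also create the Extension-only role for the plug-in installation. The vCenter name, datacenter name and account name are placeholders, and the privilege IDs are the API names assumed to correspond to the vSphere Client labels in the list above; confirm each one on your vCenter with Get-VIPrivilege -Id before relying on it.

```powershell
# Added example (not from the IBM article or the TSM product): create the DP for VMware roles
# with PowerCLI and assign them to the backup account. Assumptions: PowerCLI is installed, the
# names below are placeholders, and the privilege IDs are the API names for the vSphere Client
# labels in the article (verify on your vCenter: Get-VIPrivilege -Id <id>).
param(
    [string]$VCenter    = 'vcenter.example.com',   # placeholder
    [string]$Datacenter = 'DC01',                  # placeholder; ignored with -AtVCenterRoot
    [string]$Principal  = 'EXAMPLE\TSMuser',       # placeholder AD account used in the Vmcuser option
    [string]$RoleName   = 'TSM DP for VMware',
    [switch]$IncludeGuestOperations,   # only for Exchange/SQL protection (DP 6.4 and higher, vSphere 5)
    [switch]$AtVCenterRoot,            # required for DP for VMware V6.4.1 and higher
    [switch]$CreateInstallRole         # also create the Extension role used by the plug-in installer
)

$backupPrivilegeIds = @(
    'Datastore.AllocateSpace', 'Datastore.Browse', 'Datastore.FileManagement',
    'Global.Licenses',
    'Network.Assign',
    'Resource.AssignVMToPool',
    'VApp.AssignVM', 'VApp.AssignResourcePool', 'VApp.Create',
    'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.AddRemoveDevice', 'VirtualMachine.Config.AdvancedConfig',
    'VirtualMachine.Config.CPUCount', 'VirtualMachine.Config.Resource',
    'VirtualMachine.Config.ChangeTracking', 'VirtualMachine.Config.DiskLease',
    'VirtualMachine.Config.HostUSBDevice', 'VirtualMachine.Config.Memory',
    'VirtualMachine.Config.EditDevice', 'VirtualMachine.Config.RawDevice',
    'VirtualMachine.Config.ReloadFromPath', 'VirtualMachine.Config.RemoveDisk',
    'VirtualMachine.Config.Rename', 'VirtualMachine.Config.ResetGuestInfo',
    'VirtualMachine.Config.Settings', 'VirtualMachine.Config.SwapPlacement',
    'VirtualMachine.Config.UpgradeVirtualHardware',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Register',
    'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Provisioning.DiskRandomAccess', 'VirtualMachine.Provisioning.DiskRandomRead',
    'VirtualMachine.Provisioning.GetVmFiles',
    'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RemoveSnapshot',
    'VirtualMachine.State.RevertToSnapshot'
)
if ($IncludeGuestOperations) {
    # Grants program execution inside guests; only add when protecting Exchange/SQL in-guest.
    $backupPrivilegeIds += 'VirtualMachine.GuestOperations.Modify',
                           'VirtualMachine.GuestOperations.Execute',
                           'VirtualMachine.GuestOperations.Query'
}

# Resolve privilege IDs on the connected vCenter. IDs that do not exist on this version
# (e.g. ReloadFromPath on vCenter 4.0) are reported and skipped rather than failing silently.
function Resolve-Privilege([string[]]$Ids) {
    foreach ($id in $Ids) {
        $p = Get-VIPrivilege -Id $id -ErrorAction SilentlyContinue
        if ($p) { $p } else { Write-Warning "Privilege '$id' not found on $VCenter; skipped." }
    }
}

# Create the role if it is missing; otherwise add only the privileges it lacks, so re-running
# the script converges on the documented list without granting anything beyond it.
function Initialize-DpRole([string]$Name, [string[]]$Ids) {
    $privs = @(Resolve-Privilege $Ids)
    $role  = Get-VIRole -Name $Name -ErrorAction SilentlyContinue
    if (-not $role) { return New-VIRole -Name $Name -Privilege $privs }
    $have    = @(Get-VIPrivilege -Role $role | ForEach-Object { $_.Id })
    $missing = @($privs | Where-Object { $have -notcontains $_.Id })
    if ($missing.Count -gt 0) { Set-VIRole -Role $role -AddPrivilege $missing -Confirm:$false | Out-Null }
    return $role
}

Connect-VIServer -Server $VCenter | Out-Null
try {
    $root = Get-Folder -NoRecursion          # the top-level vCenter Server object
    $backupRole = Initialize-DpRole $RoleName $backupPrivilegeIds

    # Datacenter or higher with propagation; the vCenter root object for DP for VMware V6.4.1+.
    $entity = if ($AtVCenterRoot) { $root } else { Get-Datacenter -Name $Datacenter }
    New-VIPermission -Entity $entity -Principal $Principal -Role $backupRole -Propagate:$true | Out-Null

    if ($CreateInstallRole) {
        # Installer role: Extension privileges only, applied at the vCenter object.
        $installRole = Initialize-DpRole "$RoleName Install" @('Extension.Register', 'Extension.Unregister', 'Extension.Update')
        New-VIPermission -Entity $root -Principal $Principal -Role $installRole -Propagate:$false | Out-Null
    }

    # Show the resulting permissions so the entity and the propagation flag can be checked.
    Get-VIPermission -Principal $Principal | Select-Object Entity, Role, Propagate
}
finally {
    Disconnect-VIServer -Server $VCenter -Confirm:$false
}
```

Run it once per vCenter Server; the role steps are safe to repeat, but New-VIPermission reports an error if a permission for the same principal already exists on the chosen entity, in which case adjust the existing permission with Set-VIPermission instead. The final Get-VIPermission listing is the check worth keeping: the Entity column must show the Datacenter (or the vCenter root for V6.4.1 and higher) and Propagate must be True, otherwise backups will fail with the permission errors described later in this article.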
Note on Instant Recovery and Individual File Recovery Using Mount
Data Protection for VMware instant recovery and individual file recovery operations using mount do not require any vCenter Server privileges as these operations are either accomplished within the virtual machine guest or on a physical TSM vStorage Server machine outside of the VMware infrastructure.
Note on Permissions for the TSM Windows vStorage Server
The TSM Windows vStorage Server is the physical or virtual machine dedicated to scheduled backup operations and full virtual machine recovery using the TSM Backup-Archive client; it can also be used with the Data Protection for VMware Recovery Agent (mount). It is assumed that the user of the Backup-Archive client and of the DP for VMware Recovery Agent has Administrator rights on the Windows machine acting as the vStorage Server.
What Types of Errors to Expect if the User Doesn't Have Sufficient Privileges
If the user specified in the Vmcuser option doesn't have sufficient privileges to perform a backup or recovery operation, you will typically see the messages:
ANS9365E VMware vStorage API error.
"Permission to perform this operation was denied."
If the user specified in the Vmcuser option doesn't have sufficient privileges to view a virtual machine, you will typically see the messages:
Backup VM command started. Total number of virtual machines to process: 1
ANS4155E Virtual Machine 'dumbo' could not be found on VMware server.
ANS4148E Full VM backup of Virtual Machine 'sniper' failed with RC 4390
It is possible to obtain log information about some types of permission problems from the VMware vCenter Server:
- In "vCenter Server Settings", select "Logging Options" and set "vCenter Logging" to "Trivia (Trivia)"
- Recreate the permission error
- Reset the "vCenter Logging" to its previous value in order to avoid large amounts of log information being recorded
- In "System Logs" look for the most current vCenter server log (vpxd-xxxx.log) and search for the string "NoPermission", e.g.:
[2011-04-27 15:15:35.955 03756 verbose 'App'] [VpxVmomi] Invoke error: vim.VirtualMachine.createSnapshot session: 92324BE3-CD53-4B5A-B7F5-96C5FAB3F0EE Throw: vim.fault.NoPermission
Note that this log message indicates that the user did not have permission for the createSnapshot method, i.e., the "Create snapshot" privilege listed in the role above.
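The procedure above produces a large Trivia-level log in which the denied calls are scattered among many other entries. The PowerShell function below is an added example, not part of the IBM article or of VMware's tooling; it summarizes the "NoPermission" entries by denied API method and session. It assumes the line layout of the single log line quoted above (bracketed timestamp header, then "Invoke error: <method> session: <id> Throw: vim.fault.NoPermission"); the sample lines are constructed for the example, and the log directory in the usage comment is an assumed default that may differ on your installation.

```powershell
# Added example (not from the IBM article or VMware): summarize NoPermission failures in a
# vpxd log. Assumes the line layout quoted in the article; the sample lines are constructed.
function Find-VpxdNoPermission {
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    begin {
        # Captures the timestamp from the bracketed header, the denied API method and the session ID.
        $pattern = '^\[(?<time>\S+ \S+) .*?\] .*?Invoke error: (?<method>\S+) session: (?<session>[0-9A-Fa-f-]+) Throw: vim\.fault\.NoPermission'
        $hits = @()
    }
    process {
        if ($Line -match $pattern) {
            $hits += [pscustomobject]@{
                Time    = $matches['time']
                Method  = $matches['method']
                Session = $matches['session']
            }
        }
    }
    end {
        # One row per denied API method: how often it was denied, by which sessions, and when first seen.
        $hits | Group-Object Method | ForEach-Object {
            $sessions = $_.Group | ForEach-Object { $_.Session } | Sort-Object -Unique
            $times    = $_.Group | ForEach-Object { $_.Time }    | Sort-Object
            [pscustomobject]@{
                Method   = $_.Name
                Count    = $_.Count
                Sessions = $sessions -join ','
                First    = $times[0]
            }
        } | Sort-Object Count -Descending
    }
}

# Constructed sample lines (not real vpxd output); the first copies the line quoted in the article.
$sample = @(
    "[2011-04-27 15:15:35.955 03756 verbose 'App'] [VpxVmomi] Invoke error: vim.VirtualMachine.createSnapshot session: 92324BE3-CD53-4B5A-B7F5-96C5FAB3F0EE Throw: vim.fault.NoPermission",
    "[2011-04-27 15:15:36.102 03756 verbose 'App'] [VpxVmomi] Invoke error: vim.VirtualMachine.createSnapshot session: 92324BE3-CD53-4B5A-B7F5-96C5FAB3F0EE Throw: vim.fault.NoPermission",
    "[2011-04-27 15:16:01.440 03757 verbose 'App'] [VpxVmomi] Invoke error: vim.Folder.registerVm session: 6F1C0C2A-3F0E-4C6B-9C9E-0A1B2C3D4E5F Throw: vim.fault.NoPermission",
    "[2011-04-27 15:16:02.000 03757 info 'App'] [VpxVmomi] Invoke done: vim.VirtualMachine.powerOn session: 6F1C0C2A-3F0E-4C6B-9C9E-0A1B2C3D4E5F"
)
$sample | Find-VpxdNoPermission | Format-Table -AutoSize

# Against a real vCenter (assumed default log directory on Windows; adjust to your installation):
# take the newest vpxd-*.log and pipe its lines through the function.
# $log = Get-ChildItem "$env:ProgramData\VMware\VMware VirtualCenter\Logs\vpxd-*.log" |
#        Sort-Object LastWriteTime -Descending | Select-Object -First 1
# Get-Content $log.FullName | Find-VpxdNoPermission
```

With the constructed sample the function reports two methods: createSnapshot denied twice in one session and registerVm denied once in another, while the "Invoke done" line is ignored. The Method column names the vSphere API call that was refused, which is what you map back to the missing privilege in the role (createSnapshot to "Create snapshot", registerVm to "Register"), and the Session column lets you confirm the denial came from the Vmcuser session rather than from some other client.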