The purpose of this document is to list the minimal permissions required for VMware host credentials (browse credentials) that are provided for operations in Protect.
These permissions are set within vSphere.
At the vCenter level (if used):
A role is needed with at least Global > Licenses checked at the root level (vCenter level) so that the license can be seen. Otherwise, use one role that matches the ESX host level permissions below at all levels.
At the ESX host level (propagated to all sub-levels):
Make sure the permissions listed are checked:
- Datastore.Browse datastore
- Resource.Assign virtual machine to resource pool
- VirtualMachine.Interact.Answer question
- VirtualMachine.Interact.Console interaction
- VirtualMachine.Interact.Guest operating system management by VIX API
- VirtualMachine.Interact.Device connection
- VirtualMachine.Interact.Power On
- VirtualMachine.Interact.Power Off
- VirtualMachine.GuestOperations.Guest Operation Queries
- VirtualMachine.GuestOperations.Guest Operation Modifications
- VirtualMachine.GuestOperations.Guest Operation Program Execution
- VirtualMachine.State.Create snapshot
- VirtualMachine.State.Remove Snapshot
- VirtualMachine.Provisioning.Allow disk access
- VirtualMachine.Provisioning.Mark as template
- VirtualMachine.Provisioning.Mark as virtual machine
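One way to build this role with VMware PowerCLI rather than by ticking boxes, as an added example that is not part of the original document or of Protect. It assumes an existing `Connect-VIServer` session; the role names, service account and host name are placeholders, and the privilege IDs are a mapping of the UI labels above that should be confirmed with `Get-VIPrivilege` in your environment.

```powershell
# Added example: assumes VMware PowerCLI and an existing Connect-VIServer session.
$ErrorActionPreference = 'Stop'

# Placeholders (hypothetical names, replace with your own).
$principal = 'EXAMPLE\svc-protect'
$esxHost   = Get-VMHost -Name 'esx01.example.local'

# vSphere privilege IDs for the UI labels in the list above (assumed mapping;
# verify with: Get-VIPrivilege | Select-Object Id, Name).
$hostPrivIds = @(
    'Datastore.Browse'
    'Resource.AssignVMToPool'
    'VirtualMachine.Interact.AnswerQuestion'
    'VirtualMachine.Interact.ConsoleInteract'
    'VirtualMachine.Interact.GuestControl'      # ...management by VIX API
    'VirtualMachine.Interact.DeviceConnection'
    'VirtualMachine.Interact.PowerOn'
    'VirtualMachine.Interact.PowerOff'
    'VirtualMachine.GuestOperations.Query'
    'VirtualMachine.GuestOperations.Modify'
    'VirtualMachine.GuestOperations.Execute'
    'VirtualMachine.State.CreateSnapshot'
    'VirtualMachine.State.RemoveSnapshot'
    'VirtualMachine.Provisioning.DiskRandomAccess'   # Allow disk access
    'VirtualMachine.Provisioning.MarkAsTemplate'
    'VirtualMachine.Provisioning.MarkAsVM'
)

# Create the host-level role from exactly those privileges.
$role = New-VIRole -Name 'Protect-Browse-Host' -Privilege (Get-VIPrivilege -Id $hostPrivIds)

# Verify the role: nothing missing, and nothing beyond the list except the
# System.* privileges that vSphere adds to every role.
$missing = $hostPrivIds | Where-Object { $_ -notin $role.PrivilegeList }
$extra   = $role.PrivilegeList | Where-Object { $_ -notin $hostPrivIds -and $_ -notlike 'System.*' }
if ($missing -or $extra) { throw "Role mismatch. Missing: $missing  Extra: $extra" }

# Assign at the ESX host level, propagated to all sub-levels.
New-VIPermission -Entity $esxHost -Principal $principal -Role $role -Propagate:$true | Out-Null

# vCenter only: a separate role with Global > Licenses at the root level.
# Propagation for this assignment is not stated above; $false is an assumption.
$licRole = New-VIRole -Name 'Protect-License-View' -Privilege (Get-VIPrivilege -Id 'Global.Licenses')
New-VIPermission -Entity (Get-Folder -NoRecursion) -Principal $principal -Role $licRole -Propagate:$false | Out-Null

# Review what the account now holds.
Get-VIPermission -Principal $principal | Select-Object Entity, Role, Propagate
```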
Some additional information worth noting:
- Protect needs to connect to the vCenter server to be able to patch VM templates.
- VMware Tools must be installed on VMs and VM templates.
- A local administrator account must be provided for the target system set in the machine group (to deploy to offline VMs).
Shavlik Protect 9.x