Required vCenter Permissions for Clumio Connector VM Service Account
Purpose:
The Clumio Cloud Connector must be configured with a Clumio service account in vCenter to allow inventory listing as well as backup and restore operations for VMs.
This KB defines the minimum set of privileges that this vCenter service account requires for Clumio Cloud Connector operations to succeed.
Requirements:
- Privileges are granted to the Clumio service account through a role assigned at the vCenter level.
- Restricting or whitelisting resources at a sub-vCenter level is currently not supported.
Resolution:
Clumio currently supports the following vCenter versions:
| vCenter Version | ESX/ESXi Version |
| --- | --- |
| 6.7 | 6.7 Update 1 |
| 6.5 | 6.5 Update 2 |
| 6.0 | 6.0 Update 3 |
Follow these steps to configure the required user privileges:
- Log in to the vCenter console via the vSphere Web Client.
- Navigate to Home > Administration.
- Navigate to Access Control > Roles and click the + symbol to create a new role.
- Provide a role name and assign the privileges listed in the permissions matrix:
Permissions Matrix:
Role Privileges in vCenter 6.7 | Role Privileges in vCenter 6.5 | Role Privileges in vCenter 6.0 | Required to deploy the Clumio Cloud Connector | Required for Clumio Cloud Connector to perform Backup/Restore | Description |
Cryptographic Operations Privileges | Cryptographic Operations Privileges | NA | |||
Add disk | Add disk | NA | ✔ | ✔ | Add a disk to an encrypted virtual machine. Required to back up and restore virtual machines using VMware VM-level encryption. |
Direct access | Direct access | NA | ✔ | ✔ | Access encrypted resources. Required to back up and restore virtual machines using VMware VM-level encryption. |
Encrypt | Encrypt | NA | ✔ | ✔ | Encrypt a virtual machine or a virtual machine disk. Required to back up and restore virtual machines using VMware VM-level encryption. |
Register VM | Register VM | NA | ✔ | ✔ | Register an encrypted virtual machine with an ESXi host. Required to back up and restore virtual machines using VMware VM-level encryption. |
Datastore Privileges | Datastore Privileges | Datastore Privileges | |||
Allocate space | Allocate space | Allocate space | ✔ | Allocate space on a datastore for a virtual machine, snapshot, clone, or virtual disk. | |
Browse datastore | Browse datastore | Browse datastore | ✔ | Browse files on a datastore. Used to locate virtual machine files on disk and verify that files exist. | |
Configure datastore | Configure datastore | Configure datastore | ✔ | Configure a datastore. | |
Low level file operations | Low level file operations | Low level file operations | ✔ | Perform read, write, delete, or rename operations for the datastore. Used to read virtual machine configuration files. | |
Remove file | Remove file | Remove file | ✔ | Delete files in the datastore. | |
Update virtual machine files | Update virtual machine files | Update virtual machine files | ✔ | Update file paths to virtual machines on a datastore. | |
Global Privileges | Global Privileges | Global Privileges | |||
Diagnostics | Diagnostics | Diagnostics | ✔ | Retrieve a list of diagnostic files, log header, binary files, or diagnostic bundle. Security note from VMware doc (Global Privileges): To avoid potential security breaches, limit this privilege to the vCenter Server Administrator role. | |
Disable methods | Disable methods | Disable methods | ✔ | Disable specific operations on objects managed by vCenter Server. | |
Enable methods | Enable methods | Enable methods | ✔ | Enable specific operations on objects managed by vCenter Server. | |
Manage custom attributes | Manage custom attributes | Manage custom attributes | ✔ | Add, remove, or rename custom field definitions. | |
Set custom attribute | Set custom attribute | Set custom attribute | ✔ | View, create, or remove custom attributes for a managed object. | |
vSphere Tagging Privileges | vSphere Tagging Privileges | NA | |||
Assign or Unassign vSphere tag | Assign or Unassign vSphere tag | NA | ✔ | Assign or unassign a tag for an object in the vCenter Server inventory. | |
Create vSphere tag | Create vSphere tag | NA | ✔ | Create a tag for a restored virtual machine. | |
Create vSphere tag category | Create vSphere tag category | NA | ✔ | Create a tag category. | |
Edit vSphere tag | Edit vSphere tag | NA | ✔ | Edit a tag. | |
Edit vSphere tag category | Edit vSphere tag category | NA | ✔ | Edit a tag category. | |
Network Privileges | Network Privileges | Network Privileges | |||
Assign network | Assign network | Assign network | ✔ | Assign a network to a virtual machine. Used to create a virtual machine on a network. | |
Resource Privileges | Resource Privileges | Resource Privileges | |||
Assign vApp to resource pool | Assign vApp to resource pool | Assign vApp to resource pool | ✔ | Assign a Clumio Cloud Connector to a resource pool. | |
Assign virtual machine to resource pool | Assign virtual machine to resource pool | Assign virtual machine to resource pool | ✔ | Assign/register a virtual machine to a resource pool during backups or when restoring to a resource pool. | |
vApp Privileges | vApp Privileges | vApp Privileges | |||
Create | Create | Create | ✔ | Deploy the Clumio Cloud Connector. Required to manually deploy the Clumio Cloud Connector (CCC) OVF from S3. | |
Import | Import | Import | ✔ | Import a Clumio Cloud Connector into vSphere. Required to manually deploy the Clumio Cloud Connector (CCC) OVF from S3. | |
vApp application configuration | vApp application configuration | vApp application configuration | ✔ | Modify the internal structure, including the product information and properties, of a Clumio Cloud Connector. Required to manually deploy the Clumio Cloud Connector (CCC) OVF from S3. | |
vApp instance configuration | vApp instance configuration | vApp instance configuration | ✔ | Modify the instance configuration, including the policies, of a Clumio Cloud Connector. Required to manually deploy the Clumio Cloud Connector (CCC) OVF from S3. | |
Virtual Machine / Configuration Privileges | Virtual Machine / Configuration Privileges | Virtual Machine / Configuration Privileges | |||
Acquire disk lease | Disk lease | Disk lease | ✔ | Perform disk lease operations for a virtual machine. | |
Add existing disk | Add existing disk | Add existing disk | ✔ | Add an existing virtual disk to a virtual machine. | |
Add new disk | Add new disk | Add new disk | ✔ | Create a new virtual disk to add to a virtual machine. | |
Add or remove device | Add or remove device | Add or remove device | ✔ | Add or remove any non-disk device. Used to add a SCSI controller or restore a non-disk device configuration. | |
Advanced configuration | Advanced | Advanced | ✔ | Add or modify advanced parameters in a virtual machine's configuration file. | |
Change CPU Count | Change CPU Count | Change CPU Count | ✔ | Change the number of virtual CPUs. | |
Change Memory | Memory | Memory | ✔ | Change the amount of memory allocated to the virtual machine. | |
Change Settings | Settings | Settings | ✔ | Change general virtual machine settings. | |
Change Swapfile placement | Swapfile placement | Swapfile placement | ✔ | Change the swapfile placement policy for a virtual machine. | |
Change resource | Change resource | Change resource | ✔ | Change the resource configuration of a set of virtual machine nodes in a given resource pool. | |
Configure Host USB device | Host USB device | Host USB device | ✔ | Attach a host-based USB device to a virtual machine. | |
Configure Raw device | Raw device | Raw device | ✔ | Add or remove a raw disk mapping or SCSI pass-through device, overriding other privileges for modifying raw devices, including connection states. | |
Configure managedBy | Configure managedBy | Configure managedBy | ✔ | Configure managedBy on a virtual machine. | |
Display connection settings | Display connection settings | Display connection settings | ✔ | Configure virtual machine remote console options. | |
Extend virtual disk | Extend virtual disk | Extend virtual disk | ✔ | Expand the size of a virtual disk. | |
Modify device settings | Modify device settings | Modify device settings | ✔ | Change the properties of an existing device. | |
Query Fault Tolerance compatibility | Query Fault Tolerance compatibility | Query Fault Tolerance compatibility | ✔ | Verify whether a virtual machine is compatible with fault tolerance. | |
Query unowned files | Query unowned files | Query unowned files | ✔ | Query unowned files. | |
Reload from path | Reload from path | Reload from path | ✔ | Change a virtual machine configuration path while preserving the identity of the virtual machine. | |
Remove disk | Remove disk | Remove disk | ✔ | Remove a virtual disk. | |
Rename | Rename | Rename | ✔ | Rename a virtual machine or modify the associated notes for a virtual machine. | |
Reset guest information | Reset guest information | Reset guest information | ✔ | Edit the guest operating system information for a virtual machine. | |
Set annotation | Set annotation | Set annotation | ✔ | Add or edit a virtual machine annotation. | |
Toggle disk change tracking | Disk change tracking | Disk change tracking | ✔ | Enable or disable change tracking for the virtual machine's disks. | |
Toggle fork parent | Toggle fork parent | NA | ✔ | Enable or disable a VMFork parent. | |
Upgrade virtual machine compatibility | Upgrade virtual machine compatibility | Upgrade virtual machine compatibility | ✔ | Upgrade a virtual machine's virtual machine compatibility version (e.g., virtual hardware version). | |
Virtual Machine / Inventory Privileges | Virtual Machine / Inventory Privileges | Virtual Machine / Inventory Privileges | |||
Create from existing | Create from existing | Create from existing | ✔ | Create a virtual machine by cloning based on an existing virtual machine, or by deploying from a template. | |
Create new | Create new | Create new | ✔ | Create a virtual machine and the allocation of its resources. | |
Register | Register | Register | ✔ | Add an existing virtual machine to a vCenter Server or host inventory. | |
Remove | Remove | Remove | ✔ | Delete a virtual machine and remove its underlying files from disk. | |
Unregister | Unregister | Unregister | ✔ | Unregister a virtual machine from a vCenter Server or host inventory. | |
Virtual machine / Interaction Privileges | Virtual machine / Interaction Privileges | Virtual machine / Interaction Privileges | |||
Console interaction | Console interaction | Console interaction | ✔ | Enable interaction with the virtual machine's virtual mouse, keyboard, and screen. Required to manually configure the Clumio Cloud Connector (CCC) virtual machine instance after deployment. | |
Power off | Power off | Power off | ✔ | ✔ | Power off a powered-on virtual machine. Powers down the guest operating system. |
Power on | Power on | Power on | ✔ | ✔ | Power on a powered-off virtual machine or resume a suspended virtual machine. |
Reset | Reset | Reset | ✔ | ✔ | Reset a virtual machine and reboot the guest operating system. |
Suspend | Suspend | Suspend | ✔ | ✔ | Suspend a powered-on virtual machine and place the guest in standby mode. |
Virtual Machine / Provisioning Privileges | Virtual Machine / Provisioning Privileges | Virtual Machine / Provisioning Privileges | |||
Allow disk access | Allow disk access | Allow disk access | ✔ | Open a disk on a virtual machine for random read and write access. | |
Allow read-only disk access | Allow read-only disk access | Allow read-only disk access | ✔ | Open a disk on a virtual machine for random read access. | |
Allow virtual machine download | Allow virtual machine download | Allow virtual machine download | ✔ | Perform read operations on files associated with a virtual machine. Examples of associated files include vmx, disks, logs, and NVRAM. | |
Clone template | Clone template | Clone template | ✔ | Clone a template. | |
Clone virtual machine | Clone virtual machine | Clone virtual machine | ✔ | Clone an existing virtual machine and allocate resources. | |
Customize | Customize | Customize | ✔ | Customize a virtual machine's guest operating system without moving the virtual machine. | |
Modify customization specification | Modify customization specification | Modify customization specification | ✔ | Create, modify, or delete customization specifications. | |
Promote disks | Promote disks | Promote disks | ✔ | Perform promote operations on a virtual machine's disk. | |
Read customization specifications | Read customization specifications | Read customization specifications | ✔ | Read a customization specification. | |
Virtual Machine / Snapshot Management Privileges | Virtual Machine / Snapshot Management Privileges | Virtual Machine / Snapshot Management Privileges | |||
Create snapshot | Create snapshot | Create snapshot | ✔ | Create a snapshot from a virtual machine's current state. | |
Remove snapshot | Remove snapshot | Remove snapshot | ✔ | Remove a snapshot from the snapshot history. | |
Rename snapshot | Rename snapshot | Rename snapshot | ✔ | Change the name or description of a snapshot. | |
Revert to snapshot | Revert to snapshot | Revert to snapshot | ✔ | Set a virtual machine to the state it was in for a given snapshot. |
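Once the role exists, the practical check is whether the service account holds exactly the privileges above and nothing more. The following Python script is an added example (not Clumio's or VMware's tooling) that audits a role's privilege set for missing entries (backups fail) and excess entries (the account can do more than Clumio needs), and reads the live role and its root-level assignment through pyVmomi. The privilege IDs are my assumed mapping of a subset of the matrix to vSphere API identifiers; confirm them under Administration > Roles before relying on them.

```python
# Added example (not Clumio's or VMware's tooling): audit a vCenter role against the matrix.
# The privilege IDs below are vSphere API identifiers for a SUBSET of the privileges above;
# the mapping is my assumption, so confirm each ID under Administration > Roles in vCenter.
REQUIRED_PRIVILEGES = {
    "Datastore.AllocateSpace": "Allocate space",
    "Datastore.Browse": "Browse datastore",
    "Datastore.FileManagement": "Low level file operations",
    "Global.Diagnostics": "Diagnostics",
    "Network.Assign": "Assign network",
    "VirtualMachine.Config.ChangeTracking": "Toggle disk change tracking",
    "VirtualMachine.Provisioning.DiskRandomRead": "Allow read-only disk access",
    "VirtualMachine.State.CreateSnapshot": "Create snapshot",
    "VirtualMachine.State.RemoveSnapshot": "Remove snapshot",
}

def audit_role(granted, required=REQUIRED_PRIVILEGES):
    """Compare a role's privilege IDs with the required set and return (missing, excess).
    Missing privileges make backup/restore fail; excess ones widen what the
    service account could do if its credentials were ever compromised."""
    granted = set(granted)
    missing = sorted(p for p in required if p not in granted)
    # System.* privileges are implicit in every role, so they are never "excess".
    excess = sorted(p for p in granted
                    if p not in required and not p.startswith("System."))
    return missing, excess

def fetch_role_privileges(si, role_name):
    """Read a role's privilege IDs through pyVmomi; needs a live vCenter session `si`."""
    authz = si.RetrieveContent().authorizationManager
    for role in authz.roleList:  # vim.AuthorizationRole objects
        if role.name == role_name:
            return list(role.privilege)
    raise LookupError(f"role {role_name!r} not found")

def root_permissions_for(si, principal):
    """Permissions held by `principal` directly on the vCenter root folder. The KB requires
    the role at the vCenter level, so a correct setup shows one entry with propagate=True."""
    content = si.RetrieveContent()
    perms = content.authorizationManager.RetrieveEntityPermissions(
        entity=content.rootFolder, inherited=False)
    return [(p.principal, p.roleId, p.propagate) for p in perms
            if p.principal.lower() == principal.lower()]

if __name__ == "__main__":
    # Constructed sample role: lacks change tracking and carries an unrelated host privilege.
    sample = list(REQUIRED_PRIVILEGES)
    sample.remove("VirtualMachine.Config.ChangeTracking")
    sample += ["System.View", "Host.Config.Power"]
    print(audit_role(sample))  # (['VirtualMachine.Config.ChangeTracking'], ['Host.Config.Power'])
```

Extend REQUIRED_PRIVILEGES with the remaining rows of the matrix for a full audit; an empty result from root_permissions_for means the role was assigned below the vCenter level, which the Requirements section rules out.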
Validation:
- Deploy the Clumio Cloud Connector VM using the OVF and power it on.
- Log in to the web console of the Clumio Cloud Connector VM and enter the Clumio service account credentials.
- After applying the changes, you should see a success message if the Clumio service account has been set up properly.
Contact [email protected] with any clarifications or questions.