Required vCenter Permissions for Clumio Connector VM Service Account
Purpose:
The Clumio Cloud Connector needs to be configured with a Clumio service account to allow for the inventory listing as well as backup/restore operations for VMs.ย
This KB defines the minimum set of privileges required by the above vCenter Clumio service account for successful Clumio Cloud Connector operations.ย
Requirements:
- Privileges are added to vCenter Clumio Service Account and assigned at the vCenter level
- Restricting / Whitelisting of resources at sub-vCenter level is currently not supported
Resolution:
Clumio currently supports the following vCenter versions,ย
| vCenter Version | ESX/ESXi Version |
| 6.7 | 6.7 Update 1ย |
| 6.5 | 6.5 Update 2ย |
| 6.0 | 6.0 Update 3ย |
Follow these steps to configure the required user privilegesย
- Login to the vCenter console via vSphere Web Client.
- Navigate to Home > Administration.
- Navigate to Access Control > Roles and click the + symbol to create a new role.
- Provide a role name and assign privileges as described in the permissions matrix:
Permissions Matrix:
| Role Privileges in vCenter 6.7 | Role Privileges in vCenter 6.5 | Role Privileges in vCenter 6.0 | Required to deploy the Clumio Cloud Connector | Required for Clumio Cloud Connector to perform Backup/Restore | Description |
| Cryptographic Operations Privileges | Cryptographic Operations Privileges | NA | ย | ย | ย |
| Add disk | Add disk | NA | โ | โ | Add a disk to an encrypted virtual machine.Required to back up and restore virtual machines using VMware VM-level encryption. |
| Direct access | Direct access | NA | โ | โ | Access encrypted resources.Requiredย to up and restore virtual machines using VMware VM-level encryption. |
| Encrypt | Encrypt | NA | โ | โ | Encrypt a virtual machine or a virtual machine disk.Required to back up and restore virtual machines using VMware VM-level encryption. |
| Register VM | Register VM | NA | โ | โ | Register an encrypted virtual machine with an ESXi host.Required to back up and restore virtual machines using VMware VM-level encryption. |
| ย | ย | ย | ย | ย | ย |
| Datastoreย Privileges | Datastoreย Privileges | Datastoreย Privileges | ย | ย | ย |
| Allocate space | Allocate space | Allocate space | ย | โ | Allocate space on a datastore for a virtual machine, snapshot, clone, or virtual disk. |
| Browse datastore | Browse datastore | Browse datastore | ย | โ | Browse files on a datastore. Used to locate virtual machine files on disk and verify that files exist. |
| Configure datastore | Configure datastore | Configure datastore | ย | โ | Configure a datastore. |
| Low level file operations | Low level file operations | Low level file operations | ย | โ | Perform read, write, delete, or rename operations for the datastore. Used to read virtual machine configuration files. |
| Remove file | Remove file | Remove file | ย | โ | Delete files in the datastore. |
| Update virtual machine files | Update virtual machine files | Update virtual machine files | ย | โ | Update file paths to virtual machines on a datastore. |
| ย | ย | ย | ย | ย | ย |
| Globalย Privileges | Globalย Privileges | Globalย Privileges | ย | ย | ย |
| Diagnostics | Diagnostics | Diagnostics | ย | โ | Retrieve a list of diagnostic files, log header, binary files, or diagnostic bundle. Security note from VMware doc (Global Privileges):ย To avoid potential security breaches, limit this privilege to the vCenter Server Administrator role. |
| Disable methods | Disable methods | Disable methods | ย | โ | Disable specific operations on objects managed byย vCenter Server. |
| Enable methods | Enable methods | Enable methods | ย | โ | Enableย specific operations on objects managed byย vCenter Server. |
| Manage custom attributes | Manage custom attributes | Manage custom attributes | ย | โ | Add, remove, or rename custom field definitions.ย |
| Set custom attribute | Set custom attribute | Set custom attribute | ย | โ | View, create, or remove custom attributes for a managed object.ย |
| ย | ย | ย | ย | ย | ย |
| vSphere Taggingย Privileges | vSphere Taggingย Privileges | NA | ย | ย | ย |
| Assign or Unassign vSphere tag | Assign or Unassign vSphere tag | NA | ย | โ | Assign or unassign a tag for an object in the vCenter Server inventory. |
| Create vSphere tag | Create vSphere tag | NA | ย | โ | Create a tag for a restored virtual machine. |
| Create vSphere tag category | Create vSphere tag category | NA | ย | โ | Create a tag category. |
| Edit vSphere tag | Edit vSphere tag | NA | ย | โ | Edit a tag. |
| Edit vSphere tag category | Edit vSphere tag category | NA | ย | โ | Edit a tag category. |
| ย | ย | ย | ย | ย | ย |
| Networkย Privileges | Networkย Privileges | Networkย Privileges | ย | ย | ย |
| Assign network | Assign network | Assign network | ย | โ | Assign a network to a virtual machine. Used to create a virtual machine on a network. |
| ย | ย | ย | ย | ย | ย |
| Resourceย Privileges | Resourceย Privileges | Resourceย Privileges | ย | ย | ย |
| Assign vApp to resource pool | Assign vApp to resource pool | Assign vApp to resource pool | โ | ย | Assign a Clumio Cloud Connector to a resource pool. |
| Assign virtual machine to resource pool | Assign virtual machine to resource pool | Assign virtual machine to resource pool | ย | โ | Assign/register a virtual machine to a resource pool during backups or when restoring to a resource pool. |
| ย | ย | ย | ย | ย | ย |
| vAppย Privileges | vAppย Privileges | vAppย Privileges | ย | ย | ย |
| Create | Create | Create | โ | ย | Deploy the Clumio Cloud Connector.Required to manually deploy the Clumio Cloud Connector (CCC) OVF from S3. |
| Import | Import | Import | โ | ย | Import a Clumio Cloud Connector into vSphere.Required to manually deploy the Clumio Cloud Connector (CCC) OVF from S3. |
| vApp application configuration | vApp application configuration | vApp application configuration | โ | ย | Modify the internal structure, including the product information and properties, of a Clumio Cloud Connector.Required to manually deploy the Clumio Cloud Connector (CCC) OVF from S3. |
| vApp instance configuration | vApp instance configuration | vApp instance configuration | โ | ย | Modify the instance configuration, include the policies, of a Clumio Cloud Connector.Required to manually deploy the Clumio Cloud Connector (CCC) OVF from S3. |
| ย | ย | ย | ย | ย | ย |
| Virtual Machine /ย Configurationย Privileges | Virtual Machine /ย Configurationย Privileges | Virtual Machine /ย Configurationย Privileges | ย | ย | ย |
| Acquire disk lease | Disk lease | Disk lease | ย | โ | Perform disk lease operations for a virtual machine. |
| Add existing disk | Add existing disk | Add existing disk | ย | โ | Add an existing virtual disk to a virtual machine. |
| Add new disk | Add new disk | Add new disk | ย | โ | Create a new virtual disk to add to a virtual machine. |
| Add or remove device | Add or remove device | Add or remove device | ย | โ | Add or remove any non-disk device. Used to add a SCSI controller or restore a non-disk device configuration. |
| Advanced configuration | Advanced | Advanced | ย | โ | Add or modify advanced parameters in a virtual machine's configuration file. |
| Change CPU Count | Change CPU Count | Change CPU Count | ย | โ | Change the number of virtual CPUs. |
| Change Memory | Memory | Memory | ย | โ | Change the amount of memory allocated to the virtual machine. |
| Change Settings | Settings | Settings | ย | โ | Change general virtual machine settings. |
| Change Swapfile placement | Swapfile placement | Swapfile placement | ย | โ | Change the swapfile placement policy for a virtual machine. |
| Change resource | Change resource | Change resource | ย | โ | Change the resource configuration of a set of virtual machine nodes in a given resource pool. |
| Configure Host USB device | Host USB device | Host USB device | ย | โ | Attach a host-based USB device to a virtual machine. |
| Configure Raw device | Raw device | Raw device | ย | โ | Add or remove a raw disk mapping or SCSI pass-through device, overriding other privileges for modifying raw devices, including connection states. |
| Configure managedBy | Configure managedBy | Configure managedBy | ย | โ | Configure managedBy on a virtual machine. |
| Display connection settings | Display connection settings | Display connection settings | ย | โ | Configure virtual machine remote console options. |
| Extend virtual disk | Extend virtual disk | Extend virtual disk | ย | โ | Expand the size of a virtual disk. |
| Modify device settings | Modify device settings | Modify device settings | ย | โ | Change the properties of an existing device. |
| Query Fault Tolerance compatibility | Query Fault Tolerance compatibility | Query Fault Tolerance compatibility | ย | โ | Verifies if a virtual machine is compatible for fault tolerance. |
| Query unowned files | Query unowned files | Query unowned files | ย | โ | Query unowned files. |
| Reload from path | Reload from path | Reload from path | ย | โ | Change a virtual machine configuration path while preserving the identity of the virtual machine. |
| Remove disk | Remove disk | Remove disk | ย | โ | Remove a virtual disk. |
| Rename | Rename | Rename | ย | โ | Rename a virtual machine or modify the associated notes for a virtual machine. |
| Reset guest information | Reset guest information | Reset guest information | ย | โ | Edit the guest operating system information for a virtual machine. |
| Set annotation | Set annotation | Set annotation | ย | โ | Add or edit a virtual machine annotation.ย |
| Toggle disk change tracking | Disk change tracking | Disk change tracking | ย | โ | Enable or disable change tracking for the virtual machine's disks. |
| Toggle fork parent | Toggle fork parent | NA | ย | โ | Enable or disable a VMFork parent. |
| Upgrade virtual machine compatibility | Upgrade virtual machine compatibility | Upgrade virtual machine compatibility | ย | โ | Upgrade a virtual machine's virtual machine compatibility version (e.g., virtual hardware version). |
| ย | ย | ย | ย | ย | ย |
| Virtual Machineย / Inventoryย Privileges | Virtual Machineย / Inventoryย Privileges | Virtual Machineย / Inventoryย Privileges | ย | ย | ย |
| Create from existing | Create from existing | Create from existing | ย | โ | Create a virtual machine by cloning based on an existing virtual machine, or by deploying from a template. |
| Create new | Create new | Create new | ย | โ | Create a virtual machine and the allocation of its resources. |
| Register | Register | Register | ย | โ | Add an existing virtual machine to a vCenter Server or host inventory. |
| Remove | Remove | Remove | ย | โ | Delete a virtual machine and remove its underlying files from disk. |
| Unregister | Unregister | Unregister | ย | โ | Unregister a virtual machine from a vCenter Server or host inventory. |
| ย | ย | ย | ย | ย | ย |
| Virtual machine /ย Interactionย Privileges | Virtual machine /ย Interactionย Privileges | Virtual machine /ย Interactionย Privileges | ย | ย | ย |
| Console interaction | Console interaction | Console interaction | โ | ย | Enable interaction with the virtual machineโs virtual mouse, keyboard, and screen.Required to manually configure the Clumio Cloud Connector (CCC) virtual machine instance after deployment. |
| Power off | Power off | Power off | โ | โ | Power off a powered-on virtual machine. Powers down the guest operating system. |
| Power on | Power on | Power on | โ | โ | Power on a powered-off virtual machine and resumes a suspended virtual machine. |
| Reset | Reset | Reset | โ | โ | Reset a virtual machine and reboot the guest operating system. |
| Suspend | Suspend | Suspend | โ | โ | Suspend a powered-on virtual machine and places the guest in standby mode. |
| ย | ย | ย | ย | ย | ย |
| Virtual Machine /ย Provisioningย Privileges | Virtual Machine /ย Provisioningย Privileges | Virtual Machine /ย Provisioningย Privileges | ย | ย | ย |
| Allow disk access | Allow disk access | Allow disk access | ย | โ | Open a disk on a virtual machine for random read and write access.ย |
| Allow read-only disk access | Allow read-only disk access | Allow read-only disk access | ย | โ | Open a disk on a virtual machine for random read access. |
| Allow virtual machine download | Allow virtual machine download | Allow virtual machine download | ย | โ | Perform read operations on files associated with a virtual machine. Examples of associated files include vmx, disks, logs, and NVRAM. |
| Clone template | Clone template | Clone template | ย | โ | Clone a template. |
| Clone virtual machine | Clone virtual machine | Clone virtual machine | ย | โ | Clone an existing virtual machine and allocate resources. |
| Customize | Customize | Customize | ย | โ | Customize a virtual machine's guest operating system without moving the virtual machine. |
| Modify customization specification | Modify customization specification | Modify customization specification | ย | โ | Create, modify, or delete customization specifications. |
| Promote disks | Promote disks | Promote disks | ย | โ | Perform promote operations on a virtual machine's disk. |
| Read customization specifications | Read customization specifications | Read customization specifications | ย | โ | Read a customization specification. |
| ย | ย | ย | ย | ย | ย |
| Virtual Machine /ย Snapshot Managementย Privileges | Virtual Machine /ย Snapshot Managementย Privileges | Virtual Machine /ย Snapshot Managementย Privileges | ย | ย | ย |
| Create snapshot | Create snapshot | Create snapshot | ย | โ | Create a snapshot from a virtual machine's current state. |
| Remove snapshot | Remove snapshot | Remove snapshot | ย | โ | Remove a snapshot from the snapshot history. |
| Rename snapshot | Rename snapshot | Rename snapshot | ย | โ | Change the name or description of a snapshot. |
| Revert to snapshot | Revert to snapshot | Revert to snapshot | ย | โ | Set a virtual machine to the state it was in for a given snapshot. |
Validation:
- Deploy the Clumio Cloud Connector VM using the OVF and power it on.
- Login to the Web Console of the Clumio Cloud Connector VM and provide the Clumio service account credentials.
- Upon applying changes you should get a success message if the Clumio service account has been setup properly.
ย
ย
Contact [email protected] in case of any clarifications or questions.
Updated 3 months ago