VMware vCenter Server user privilege requirements

Certain VMware vCenter Server privileges are required to run Data Protection for VMware operations.

vCenter Server privileges required for installation

To install the Data Protection for VMware vSphere Client plug-in, the vSphere user requires the Extension > Register extension, Extension > Unregister extension, and Extension > Update extension privileges. From the VMware vSphere client, you can create a role and add these extension privileges to it. You must then assign this role, for the user ID that you plan to use during the installation process, to the vCenter object in the VMware vCenter Server hierarchy. You enter this user ID when you are prompted for the vCenter user name on the Plug-in Registration vCenter page during the installation.

Tip: Alternatively, rather than creating a specific role for the installation, you can enter the administrator user name when prompted for the vCenter user name.

vCenter Server privileges required to protect VMware datacenters with the Data Protection for VMware GUI

The phrase "Data Protection for VMware GUI" applies to the following GUIs:
  • Data Protection for VMware vSphere GUI accessed in a web browser
  • Data Protection for VMware vSphere GUI accessed as a plug-in from either of the vSphere GUIs

The vCenter Server user ID that signs in to the Data Protection for VMware GUI must have sufficient VMware privileges to view content for a datacenter that is managed by the Data Protection for VMware GUI.

For example, a VMware vSphere environment contains five datacenters. A user, "jenn", has sufficient privileges for only two of those datacenters. As a result, only those two datacenters where sufficient privileges exist are visible to "jenn" in the Data Protection for VMware GUI. The other three datacenters (where "jenn" does not have privileges) are not visible to the user "jenn".

The VMware vCenter Server defines a set of privileges collectively as a role. A role is applied to an object for a specified user or group to create a privilege. From the VMware vSphere web client, you must create a role with a set of privileges. To create a vCenter Server role for backup and restore operations, use the VMware vSphere Client Add a Role function. You must assign this role to a user ID for a specified vCenter Server or datacenter. If you want to propagate the privileges to all datacenters within the vCenter, specify the vCenter Server and select the propagate to children check box. Otherwise, to limit the permissions, assign the role only to the required datacenters, with the propagate to children check box selected. Data Protection for VMware GUI enforcement is at the datacenter level.

The following example shows how to control access to datacenters for two VMware user groups. First, create a role that contains all of the privileges defined in Table 1. In this example, the set of privileges is identified by the role named "TDPVMwareRestore". Group 1 requires access to restore virtual machines for the Primary1_DC and Primary2_DC datacenters. Group 2 requires access to restore virtual machines for the Secondary1_DC and Secondary2_DC datacenters.

For Group 1, assign the "TDPVMwareRestore" role to the Primary1_DC and Primary2_DC datacenters. For Group 2, assign the "TDPVMwareRestore" role to the Secondary1_DC and Secondary2_DC datacenters.

The users in each VMware user group can use the Data Protection for VMware GUI to restore virtual machines in their respective datacenters only.

The following table shows the privileges for the role that is associated with the user ID that you plan to use to authenticate to the vCenter Server. The Tivoli® Storage Manager backup-archive client VMCUser option requires these same privileges.
Table 1. Required privileges for the vCenter Server user ID and data mover

vCenter Server object                      Associated privileges that are required
-----------------------------------------  ------------------------------------------------------------------------------
Datastore                                  Allocate space, Browse datastore, Configure datastore, Low-level file operations, Move datastore, Remove datastore, Rename datastore, Update virtual machine files
Folder                                     Create folder, Delete folder, Rename folder
Global                                     Licenses, Log Event, Cancel Task
Host configuration                         Storage partition configuration, System Management, System resources
Network                                    Assign network
Resource                                   Assign virtual machine to resource pool
Tasks                                      Create Task, Update Task
vApp                                       Add virtual machine, Assign resource pool, Create
Virtual machine configuration              Add new disk, Add or remove device, Advanced, Change CPU count, Change resource, Disk change tracking, Disk Lease, Host USB device, Memory, Modify device setting, Raw device, Reload from path, Remove disk, Rename, Reset guest information, Settings, Swap file placement, Upgrade virtual hardware
Virtual machine guest operations           Guest Operation Modifications, Guest Operation Program Execution, Guest Operation Queries
Virtual machine interaction                Answer question, Back up operation on virtual machine, Power off, Power on, Reset, Suspend
Virtual machine inventory                  Create new, Register, Remove, Unregister
Virtual machine provisioning               Allow disk access, Allow read-only disk access, Allow virtual machine download, Allow virtual machine files upload
Virtual machine snapshot management state  Create snapshot, Remove snapshot, Revert to snapshot

Tip: When you create a role, consider adding extra privileges to the role that you might need later to complete other tasks on objects.

vCenter Server privileges required to use the data mover

The Tivoli Storage Manager backup-archive client that is installed on the vStorage Backup server (the data mover node) requires the VMCUser and VMCPw options. The VMCUser option specifies the user ID of the vCenter or ESX server that you want to back up, restore, or query. The required privileges that are assigned to this user ID (VMCUser) ensure that the client can run operations on the virtual machine and the VMware environment. This user ID must have the same VMware privileges as the vCenter Server user ID that signs in to the Data Protection for VMware GUI (as described in Table 1).

In addition, this user ID (VMCUser) requires certain privileges that enable custom Tivoli Storage Manager backup and restore virtual machine tasks to display in vSphere Clients. These tasks provide information about operation progress, event messages, and the ability to cancel an operation from the vSphere Client.
  • These privileges are required to install the Tivoli Storage Manager vSphere Tasks Extension:
    • Extension→Register extension
    • Extension→Unregister extension
    • Extension→Update extension
  • These privileges are required to create a task:
    • Tasks→Create Task
    • Tasks→Update Task
    • Global→Log Event
  • These privileges are required to cancel a task:
    • Global→Cancel Task

To create a vCenter Server role for backup and restore operations, use the VMware vSphere Client Add a Role function. You must select the propagate to children option when you add privileges for this user ID (VMCUser). In addition, consider adding other privileges to this role for tasks other than backup and restore. For the VMCUser option, enforcement is at the top-level object.
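The two role assignments described above (the GUI sign-in role scoped per datacenter, and the data mover VMCUser role applied at the top-level object with propagation, including the extension and task privileges) can be scripted with VMware PowerCLI. The following script is an added example and is not part of the IBM documentation or product. The privilege IDs were mapped from the Table 1 display names and must be verified against your own vCenter (the script refuses to build a role if any ID is unknown); the vCenter host name, the VSPHERE.LOCAL group and account names, and the role name TDPVMwareDataMover are assumptions.

```powershell
# Added example (not from the IBM documentation). Requires VMware PowerCLI and an
# account that is allowed to manage roles and permissions.
# Verify the IDs below on your vCenter with:
#   Get-VIPrivilege -PrivilegeItem | Select-Object Id, Name
Connect-VIServer -Server 'vcenter.example.com' | Out-Null   # hypothetical host name

# Table 1: the privilege set shared by the GUI sign-in user and the data mover (VMCUser).
$table1Ids = @(
    'Datastore.AllocateSpace', 'Datastore.Browse', 'Datastore.Config', 'Datastore.FileManagement',
    'Datastore.Move', 'Datastore.Delete', 'Datastore.Rename', 'Datastore.UpdateVirtualMachineFiles',
    'Folder.Create', 'Folder.Delete', 'Folder.Rename',
    'Global.Licenses', 'Global.LogEvent', 'Global.CancelTask',
    'Host.Config.Storage', 'Host.Config.SystemManagement', 'Host.Config.Resources',
    'Network.Assign',
    'Resource.AssignVMToPool',
    'Task.Create', 'Task.Update',
    'VApp.AssignVM', 'VApp.AssignResourcePool', 'VApp.Create',
    'VirtualMachine.Config.AddNewDisk', 'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Config.AdvancedConfig', 'VirtualMachine.Config.CPUCount',
    'VirtualMachine.Config.Resource', 'VirtualMachine.Config.ChangeTracking',
    'VirtualMachine.Config.DiskLease', 'VirtualMachine.Config.HostUSBDevice',
    'VirtualMachine.Config.Memory', 'VirtualMachine.Config.EditDevice',
    'VirtualMachine.Config.RawDevice', 'VirtualMachine.Config.ReloadFromPath',
    'VirtualMachine.Config.RemoveDisk', 'VirtualMachine.Config.Rename',
    'VirtualMachine.Config.ResetGuestInfo', 'VirtualMachine.Config.Settings',
    'VirtualMachine.Config.SwapPlacement', 'VirtualMachine.Config.UpgradeVirtualHardware',
    'VirtualMachine.GuestOperations.Modify', 'VirtualMachine.GuestOperations.Execute',
    'VirtualMachine.GuestOperations.Query',
    'VirtualMachine.Interact.AnswerQuestion', 'VirtualMachine.Interact.Backup',
    'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.Reset', 'VirtualMachine.Interact.Suspend',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Register',
    'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Provisioning.DiskRandomAccess', 'VirtualMachine.Provisioning.DiskRandomRead',
    'VirtualMachine.Provisioning.GetVmFiles', 'VirtualMachine.Provisioning.PutVmFiles',
    'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RemoveSnapshot',
    'VirtualMachine.State.RevertToSnapshot'
)

# Extra privileges the data mover needs to register the vSphere Tasks Extension.
# (Tasks > Create/Update Task and Global > Log Event/Cancel Task are already in Table 1.)
$dataMoverExtraIds = @('Extension.Register', 'Extension.Unregister', 'Extension.Update')

function Resolve-Privilege {
    # Resolve IDs against the privileges this vCenter actually defines and stop on any
    # unknown ID, rather than silently creating a role that is missing a privilege.
    param([string[]]$Ids)
    $all   = Get-VIPrivilege -PrivilegeItem
    $found = $all | Where-Object { $Ids -contains $_.Id }
    $missing = $Ids | Where-Object { $found.Id -notcontains $_ }
    if ($missing) { throw "Unknown privilege IDs on this vCenter: $($missing -join ', ')" }
    return $found
}

# 1) GUI sign-in role. Enforcement is at the datacenter level, so the role is assigned
#    per datacenter with propagation; each group sees only its own datacenters.
$guiRole = New-VIRole -Name 'TDPVMwareRestore' -Privilege (Resolve-Privilege $table1Ids)
$groups = @{
    'VSPHERE.LOCAL\Group1' = @('Primary1_DC', 'Primary2_DC')       # domain is hypothetical
    'VSPHERE.LOCAL\Group2' = @('Secondary1_DC', 'Secondary2_DC')
}
foreach ($principal in $groups.Keys) {
    foreach ($dcName in $groups[$principal]) {
        New-VIPermission -Entity (Get-Datacenter -Name $dcName) -Principal $principal `
                         -Role $guiRole -Propagate:$true | Out-Null
    }
}

# 2) Data mover (VMCUser) role: Table 1 plus the extension privileges, applied at the
#    top-level inventory object with propagation, because enforcement for VMCUser is
#    at the top-level object.
$dmRole = New-VIRole -Name 'TDPVMwareDataMover' `
                     -Privilege (Resolve-Privilege ($table1Ids + $dataMoverExtraIds))
$root = Get-Folder -NoRecursion          # the inventory root ("Datacenters") folder
New-VIPermission -Entity $root -Principal 'VSPHERE.LOCAL\tsm-datamover' `
                 -Role $dmRole -Propagate:$true | Out-Null   # account name is hypothetical
```

Keeping the two roles separate is deliberate: the data mover account holds Extension privileges at the inventory root, which a restore operator in Group 1 or Group 2 does not need, so the GUI role stays limited to the Table 1 set and to the datacenters each group is responsible for.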

vCenter Server privileges required to use the IBM Data Protection extension

The IBM Data Protection extension is a vSphere web client extension that connects to a Data Protection for VMware GUI web server. You can use this extension to restore virtual machines in IBM storage. It provides the basic virtual machine restore function that is available in the Data Protection for VMware vSphere GUI. For example, you can restore virtual machines from Tivoli Storage Manager server storage to their original (or alternative) location. When Tivoli Storage FlashCopy Manager for VMware is available, you can restore your virtual machines from local disk storage. IBM Data Protection extension requires a set of privileges that are separate from the privileges that are required to sign in to the Data Protection for VMware vSphere GUI (web GUI).

During the installation the following custom privileges are created for the IBM Data Protection extension:
  • Datacenter > IBM Data Protection
  • Global > IBM Data Protection

Custom privileges that are required for the IBM Data Protection extension are registered as a separate extension. The privileges extension key is com.ibm.tsm.tdpvmware.IBMDataProtection.privileges.

These privileges allow the VMware administrator to enable and disable access to IBM Data Protection extension content. Only users with these custom privileges on the required VMware object can access the IBM Data Protection extension content. One IBM Data Protection extension is registered for each vCenter Server and is shared by all GUI hosts that are configured to support the vCenter Server.

From the VMware vSphere web client, you must create a role for users that can restore virtual machines by using the IBM Data Protection extension. For this role, in addition to the standard virtual machine administrator role privileges required by the web client, you must specify the Datacenter > IBM Data Protection privilege. For each datacenter, assign this role for each user or user group where you want to grant permission for the user to restore virtual machines.

The Global > IBM Data Protection privilege is required for the user at the vCenter level. This privilege allows the user to manage, edit, or clear the connection between the vCenter Server and the web GUI host. Assign this privilege to administrators that are familiar with the Data Protection for VMware vSphere GUI (web GUI) that protects their respective vCenter Server. Manage your IBM Data Protection extension connections in the Connections page.

The following example shows how to control access to datacenters for two user groups. Group 1 requires access to restore virtual machines for the NewYork_DC and Boston_DC datacenters. Group 2 requires access to restore virtual machines for the LosAngeles_DC and SanFrancisco_DC datacenters.

From the VMware vSphere client, create a role (for example, "IBMDataProtectRestore") and assign to it the standard virtual machine administrator role privileges and also the Datacenter > IBM Data Protection privilege.

For Group 1, assign the "IBMDataProtectRestore" role to the NewYork_DC and Boston_DC datacenters. For Group 2, assign the "IBMDataProtectRestore" role to the LosAngeles_DC and SanFrancisco_DC datacenters.

The users in each group can use the IBM Data Protection extension in the vSphere web client to restore virtual machines in their respective datacenters only.

Issues related to insufficient permissions

When the Data Protection for VMware GUI user does not have sufficient permissions for any datacenter, access to the Data Protection for VMware GUI is blocked. Instead, the Data Protection for VMware GUI issues error message GVM2013E to advise that the user is not authorized to access any managed datacenters due to insufficient permissions. Other new messages are also available that inform users of issues that result from insufficient permissions. To resolve any permissions-related issues, make sure that the user role is set up as described in the previous sections. The user role must have all privileges that are identified in Table 1, and these privileges must be applied at the datacenter level with the propagate to children check box.

When the Tivoli Storage Manager user ID (specified by the VMCUser option) contains insufficient permissions for a backup and restore operation, the following message is shown:

    ANS9365E VMware vStorage API error.
    "Permission to perform this operation was denied."

When the Tivoli Storage Manager user ID contains insufficient permissions to view a machine, the following messages are shown:

    Backup VM command started.  Total number of virtual machines to process: 1
    ANS4155E Virtual Machine 'tango' could not be found on VMware server.
    ANS4148E Full VM backup of Virtual Machine 'foxtrot' failed with RC 4390

To retrieve log information through the VMware Virtual Center Server for permission problems, complete these steps:
  1. In vCenter Server Settings, select Logging Options and set vCenter Logging to "Trivia (Trivia)".
  2. Re-create the permission error.
  3. Reset vCenter Logging to its previous value to prevent recording excessive log information.
  4. In System Logs, look for the most current vCenter Server log (vpxd-wxyz.log) and search for the string NoPermission. For example:
    [2011-04-27 15:15:35.955 03756 verbose 'App'] [VpxVmomi] Invoke error: 
    vim.VirtualMachine.createSnapshot session: 92324BE3-CD53-4B5A-B7F5-96C5FAB3F0EE 
    Throw: vim.fault.NoPermission
    This log message indicates that the user ID did not contain sufficient permissions to create a snapshot (createSnapshot).
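When a user is blocked with GVM2013E, or the data mover reports ANS9365E, the two questions to answer are which Table 1 privileges the principal is actually missing on a given datacenter, and which API method vCenter refused. The following PowerCLI script is an added example, not part of the IBM documentation or product. It assumes an already connected PowerCLI session, a reference role named TDPVMwareRestore that holds the Table 1 privileges, and placeholder values for the principal and the vpxd log path.

```powershell
# Added example (not from the IBM documentation). Run in a connected PowerCLI session.

function Get-AncestorIds {
    # Return the IDs of every inventory object above $Entity, up to the root folder.
    # vCenter applies a permission on an ancestor only when it was set with Propagate.
    param($Entity)
    $ids = @()
    $moref = $Entity.ExtensionData.Parent
    while ($null -ne $moref) {
        $ids += $moref.ToString()                       # same "Type-value" form as .Id
        $moref = (Get-View -Id $moref -Property Parent).Parent
    }
    return $ids
}

function Get-MissingPrivilege {
    # Compare the privileges the principal effectively holds on a datacenter (permissions
    # on the datacenter itself, or on an ancestor with Propagate) with a reference role,
    # and return the privilege IDs that are missing.
    param([string]$Principal, $Datacenter, [string]$ReferenceRole)
    $ancestors = Get-AncestorIds $Datacenter
    $applicable = Get-VIPermission -Principal $Principal | Where-Object {
        $_.Entity.Id -eq $Datacenter.Id -or ($_.Propagate -and $ancestors -contains $_.Entity.Id)
    }
    $granted = @()
    foreach ($perm in $applicable) {
        $granted += (Get-VIPrivilege -Role (Get-VIRole -Name $perm.Role)).Id
    }
    $required = (Get-VIPrivilege -Role (Get-VIRole -Name $ReferenceRole)).Id
    return $required | Where-Object { $granted -notcontains $_ }
}

function Find-NoPermission {
    # Pull NoPermission faults out of vpxd.log together with the invoked method. In the
    # log excerpt above, the method name ("vim.VirtualMachine.createSnapshot") is on the
    # line(s) preceding "Throw: vim.fault.NoPermission", so two lines of context are kept.
    param([string]$LogPath)
    Select-String -Path $LogPath -Pattern 'NoPermission' -Context 2, 0 | ForEach-Object {
        $before = ($_.Context.PreContext -join ' ')
        $method = $before -replace '.*Invoke error:\s*(\S+).*', '$1'
        [pscustomobject]@{ Line = $_.LineNumber; Method = $method }
    }
}

# Example usage with placeholder values.
$user = 'VSPHERE.LOCAL\jenn'                                   # hypothetical principal
foreach ($dc in Get-Datacenter) {
    $missing = Get-MissingPrivilege -Principal $user -Datacenter $dc -ReferenceRole 'TDPVMwareRestore'
    if ($missing) {
        "{0}: {1} missing privilege(s): {2}" -f $dc.Name, $missing.Count, ($missing -join ', ')
    } else {
        "{0}: all reference-role privileges present" -f $dc.Name
    }
}
Find-NoPermission -LogPath 'C:\path\to\vpxd-wxyz.log' | Format-Table -AutoSize   # placeholder path
```

A datacenter that reports the full reference set as missing is one the principal has no permission on at all, which is the case that produces GVM2013E when it holds for every datacenter. A short list of missing IDs, by contrast, points at a role that was created without one of the Table 1 privileges, and the method name recovered from vpxd.log (for example a createSnapshot call) tells you which one.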