The VMware user specified when interacting with Protector (i.e. in the context of a hypervisor proxy node, Site Recovery Manager SRA or vRealize Orchestrator workflow) must have the following privileges assigned in vSphere:
Tip: Some privilege names have changed subtly between vSphere Client UI versions, so a little interpretation may be required. The names used here are consistent with those specified in https://docs.vmware.com/en/VMware-vSphere/6.5/vsphere-esxi-vcenter-server-65-security-guide.pdf
- Datastore:
  - Allocate space
  - Browse datastore
  - Low level file operations
  - Remove file
  - Rename datastore
  - Update virtual machine files
- Folder:
  - Create folder
- Global:
  - Disable methods
  - Enable methods
  - Licenses
  - Log event
  - Manage custom attributes
  - Set custom attribute
- Host:
  - Configuration:
    - Storage partition configuration
    - Connection Permission (vSphere 7 only)
  - Configuration:
- Network:
  - Assign network
  - Configure
- Resource:
  - Assign virtual machine to resource pool
  - Migrate powered off virtual machine
  - Migrate powered on virtual machine
- Sessions:
  - Validate session
- Virtual Machine:
  - Configuration:
    - Add existing disk
    - Add new disk
    - Add or remove device
    - Advanced
    - Change CPU count
    - Change resource
    - Disk change tracking
    - Disk lease
    - Extend virtual disk
    - Host USB device
    - Memory
    - Modify device settings
    - Raw device
    - Reload from path
    - Remove disk
    - Rename
    - Reset guest information
    - Set annotation
    - Settings
    - Swapfile placement
    - Upgrade virtual machine compatibility
  - Guest operations:
    - Guest operation modifications
    - Guest operation program execution
    - Guest operation queries
  - Interaction:
    - Answer question
    - Backup operation on virtual machine
    - Console interaction
    - Device connection
    - Guest operating system management by VIX API
    - Power off
    - Power on
  - Inventory:
    - Create from existing
    - Create new
    - Register
    - Remove
    - Unregister
  - Provisioning:
    - Allow disk access
    - Allow read-only disk access
    - Allow virtual machine download
    - Allow virtual machine files upload
    - Mark as template
    - Mark as virtual machine
  - Snapshot management:
    - Create snapshot
    - Remove snapshot
    - Revert to snapshot
  - Configuration:
- dvPort group:
  - Create
  - Delete
- vApp:
  - Add virtual machine
  - Assign resource pool
  - Unregister
- vSphere Tagging:
  - Assign or Unassign vSphere Tag
  - Assign or Unassign vSphere Tag on Object (vSphere 7 only)
The System privileges (Anonymous, Read and View) are also required. These are automatically assigned to new and existing roles, but are not visible in the vSphere Client UI.