Required vCenter Permissions for Clumio Connector VM Service Account
Purpose:
The Clumio Cloud Connector must be configured with a Clumio service account so that it can list the inventory and perform backup/restore operations for VMs.
This KB defines the minimum set of privileges that this vCenter Clumio service account requires for successful Clumio Cloud Connector operations.
Requirements:
- Privileges are added to the vCenter Clumio service account and assigned at the vCenter level.
- Restricting or whitelisting resources at the sub-vCenter level is currently not supported.
Resolution:
Clumio currently supports the following vCenter versions:
vCenter Version | ESX/ESXi Version |
6.7 | 6.7 Update 1 |
6.5 | 6.5 Update 2 |
6.0 | 6.0 Update 3 |
Follow the steps below to configure the required user privileges:
- Log in to the vCenter console via the vSphere Web Client.
- Go to Home > Administration.
- Go to Access Control > Roles and click the + symbol to create a new role.
- Provide a role name and assign the privileges listed in the permissions matrix below.

Permissions Matrix:
Role Privileges in vCenter 6.7 | Role Privileges in vCenter 6.5 | Role Privileges in vCenter 6.0 | Required to deploy the Clumio Cloud Connector | Required for Clumio Cloud Connector to perform Backup/Restore | Description |
Cryptographic Operations Privileges | Cryptographic Operations Privileges | NA | | | |
Add disk | Add disk | NA | ✔ | ✔ | Add a disk to an encrypted virtual machine. |
Direct access | Direct access | NA | ✔ | ✔ | Access encrypted resources. |
Encrypt | Encrypt | NA | ✔ | ✔ | Encrypt a virtual machine or a virtual machine disk. |
Register VM | Register VM | NA | ✔ | ✔ | Register an encrypted virtual machine with an ESXi host. |
Datastore Privileges | Datastore Privileges | Datastore Privileges | | | |
Allocate space | Allocate space | Allocate space | ✔ | Allocate space on a datastore for a virtual machine, snapshot, clone, or virtual disk. | |
Browse datastore | Browse datastore | Browse datastore | ✔ | Browse files on a datastore. Used to locate virtual machine files on disk and verify that files exist. | |
Configure datastore | Configure datastore | Configure datastore | ✔ | Configure a datastore. | |
Low level file operations | Low level file operations | Low level file operations | ✔ | Perform read, write, delete, or rename operations for the datastore. Used to read virtual machine configuration files. | |
Remove file | Remove file | Remove file | ✔ | Delete files in the datastore. | |
Update virtual machine files | Update virtual machine files | Update virtual machine files | ✔ | Update file paths to virtual machines on a datastore. | |
Global Privileges | Global Privileges | Global Privileges | | | |
Diagnostics | Diagnostics | Diagnostics | ✔ | Retrieve a list of diagnostic files, log header, binary files, or diagnostic bundle. | |
Disable methods | Disable methods | Disable methods | ✔ | Disable specific operations on objects managed by vCenter Server. | |
Enable methods | Enable methods | Enable methods | ✔ | Enable specific operations on objects managed by vCenter Server. | |
Manage custom attributes | Manage custom attributes | Manage custom attributes | ✔ | Add, remove, or rename custom field definitions. | |
Set custom attribute | Set custom attribute | Set custom attribute | ✔ | View, create, or remove custom attributes for a managed object. | |
vSphere Tagging Privileges | vSphere Tagging Privileges | NA | | | |
Assign or Unassign vSphere tag | Assign or Unassign vSphere tag | NA | ✔ | Assign or unassign a tag for an object in the vCenter Server inventory. | |
Create vSphere tag | Create vSphere tag | NA | ✔ | Create a tag for a restored virtual machine. | |
Create vSphere tag category | Create vSphere tag category | NA | ✔ | Create a tag category. | |
Edit vSphere tag | Edit vSphere tag | NA | ✔ | Edit a tag. | |
Edit vSphere tag category | Edit vSphere tag category | NA | ✔ | Edit a tag category. | |
Network Privileges | Network Privileges | Network Privileges | | | |
Assign network | Assign network | Assign network | ✔ | Assign a network to a virtual machine. Used to create a virtual machine on a network. | |
Resource Privileges | Resource Privileges | Resource Privileges | | | |
Assign vApp to resource pool | Assign vApp to resource pool | Assign vApp to resource pool | ✔ | Assign a Clumio Cloud Connector to a resource pool. | |
Assign virtual machine to resource pool | Assign virtual machine to resource pool | Assign virtual machine to resource pool | ✔ | Assign/register a virtual machine to a resource pool during backups or when restoring to a resource pool. | |
vApp Privileges | vApp Privileges | vApp Privileges | | | |
Create | Create | Create | ✔ | Deploy the Clumio Cloud Connector. | |
Import | Import | Import | ✔ | Import a Clumio Cloud Connector into vSphere. | |
vApp application configuration | vApp application configuration | vApp application configuration | ✔ | Modify the internal structure, including the product information and properties, of a Clumio Cloud Connector. | |
vApp instance configuration | vApp instance configuration | vApp instance configuration | ✔ | Modify the instance configuration, including the policies, of a Clumio Cloud Connector. | |
Virtual Machine / Configuration Privileges | Virtual Machine / Configuration Privileges | Virtual Machine / Configuration Privileges | | | |
Acquire disk lease | Disk lease | Disk lease | ✔ | Perform disk lease operations for a virtual machine. | |
Add existing disk | Add existing disk | Add existing disk | ✔ | Add an existing virtual disk to a virtual machine. | |
Add new disk | Add new disk | Add new disk | ✔ | Create a new virtual disk to add to a virtual machine. | |
Add or remove device | Add or remove device | Add or remove device | ✔ | Add or remove any non-disk device. Used to add a SCSI controller or restore a non-disk device configuration. | |
Advanced configuration | Advanced | Advanced | ✔ | Add or modify advanced parameters in a virtual machine's configuration file. | |
Change CPU Count | Change CPU Count | Change CPU Count | ✔ | Change the number of virtual CPUs. | |
Change Memory | Memory | Memory | ✔ | Change the amount of memory allocated to the virtual machine. | |
Change Settings | Settings | Settings | ✔ | Change general virtual machine settings. | |
Change Swapfile placement | Swapfile placement | Swapfile placement | ✔ | Change the swapfile placement policy for a virtual machine. | |
Change resource | Change resource | Change resource | ✔ | Change the resource configuration of a set of virtual machine nodes in a given resource pool. | |
Configure Host USB device | Host USB device | Host USB device | ✔ | Attach a host-based USB device to a virtual machine. | |
Configure Raw device | Raw device | Raw device | ✔ | Add or remove a raw disk mapping or SCSI pass-through device, overriding other privileges for modifying raw devices, including connection states. | |
Configure managedBy | Configure managedBy | Configure managedBy | ✔ | Configure managedBy on a virtual machine. | |
Display connection settings | Display connection settings | Display connection settings | ✔ | Configure virtual machine remote console options. | |
Extend virtual disk | Extend virtual disk | Extend virtual disk | ✔ | Expand the size of a virtual disk. | |
Modify device settings | Modify device settings | Modify device settings | ✔ | Change the properties of an existing device. | |
Query Fault Tolerance compatibility | Query Fault Tolerance compatibility | Query Fault Tolerance compatibility | ✔ | Verify whether a virtual machine is compatible for fault tolerance. | |
Query unowned files | Query unowned files | Query unowned files | ✔ | Query unowned files. | |
Reload from path | Reload from path | Reload from path | ✔ | Change a virtual machine configuration path while preserving the identity of the virtual machine. | |
Remove disk | Remove disk | Remove disk | ✔ | Remove a virtual disk. | |
Rename | Rename | Rename | ✔ | Rename a virtual machine or modify the associated notes for a virtual machine. | |
Reset guest information | Reset guest information | Reset guest information | ✔ | Edit the guest operating system information for a virtual machine. | |
Set annotation | Set annotation | Set annotation | ✔ | Add or edit a virtual machine annotation. | |
Toggle disk change tracking | Disk change tracking | Disk change tracking | ✔ | Enable or disable change tracking for the virtual machine's disks. | |
Toggle fork parent | Toggle fork parent | NA | ✔ | Enable or disable a VMFork parent. | |
Upgrade virtual machine compatibility | Upgrade virtual machine compatibility | Upgrade virtual machine compatibility | ✔ | Upgrade a virtual machine's virtual machine compatibility version (e.g., virtual hardware version). | |
Virtual Machine / Inventory Privileges | Virtual Machine / Inventory Privileges | Virtual Machine / Inventory Privileges | | | |
Create from existing | Create from existing | Create from existing | ✔ | Create a virtual machine by cloning based on an existing virtual machine, or by deploying from a template. | |
Create new | Create new | Create new | ✔ | Create a virtual machine and allocate its resources. | |
Register | Register | Register | ✔ | Add an existing virtual machine to a vCenter Server or host inventory. | |
Remove | Remove | Remove | ✔ | Delete a virtual machine and remove its underlying files from disk. | |
Unregister | Unregister | Unregister | ✔ | Unregister a virtual machine from a vCenter Server or host inventory. | |
Virtual machine / Interaction Privileges | Virtual machine / Interaction Privileges | Virtual machine / Interaction Privileges | | | |
Console interaction | Console interaction | Console interaction | ✔ | Enable interaction with the virtual machine’s virtual mouse, keyboard, and screen. | |
Power off | Power off | Power off | ✔ | ✔ | Power off a powered-on virtual machine. Powers down the guest operating system. |
Power on | Power on | Power on | ✔ | ✔ | Power on a powered-off virtual machine and resume a suspended virtual machine. |
Reset | Reset | Reset | ✔ | ✔ | Reset a virtual machine and reboot the guest operating system. |
Suspend | Suspend | Suspend | ✔ | ✔ | Suspend a powered-on virtual machine and place the guest in standby mode. |
Virtual Machine / Provisioning Privileges | Virtual Machine / Provisioning Privileges | Virtual Machine / Provisioning Privileges | | | |
Allow disk access | Allow disk access | Allow disk access | ✔ | Open a disk on a virtual machine for random read and write access. | |
Allow read-only disk access | Allow read-only disk access | Allow read-only disk access | ✔ | Open a disk on a virtual machine for random read access. | |
Allow virtual machine download | Allow virtual machine download | Allow virtual machine download | ✔ | Perform read operations on files associated with a virtual machine. Examples of associated files include vmx, disks, logs, and NVRAM. | |
Clone template | Clone template | Clone template | ✔ | Clone a template. | |
Clone virtual machine | Clone virtual machine | Clone virtual machine | ✔ | Clone an existing virtual machine and allocate resources. | |
Customize | Customize | Customize | ✔ | Customize a virtual machine's guest operating system without moving the virtual machine. | |
Modify customization specification | Modify customization specification | Modify customization specification | ✔ | Create, modify, or delete customization specifications. | |
Promote disks | Promote disks | Promote disks | ✔ | Perform promote operations on a virtual machine's disk. | |
Read customization specifications | Read customization specifications | Read customization specifications | ✔ | Read a customization specification. | |
Virtual Machine / Snapshot Management Privileges | Virtual Machine / Snapshot Management Privileges | Virtual Machine / Snapshot Management Privileges | | | |
Create snapshot | Create snapshot | Create snapshot | ✔ | Create a snapshot from a virtual machine's current state. | |
Remove snapshot | Remove snapshot | Remove snapshot | ✔ | Remove a snapshot from the snapshot history. | |
Rename snapshot | Rename snapshot | Rename snapshot | ✔ | Change the name or description of a snapshot. | |
Revert to snapshot | Revert to snapshot | Revert to snapshot | ✔ | Set a virtual machine to the state it was in for a given snapshot. |
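
One way to script the role creation from the steps above and check the role against the matrix, as an added PowerCLI example that is not part of the Clumio KB. The role name, the account name and the mapping from UI privilege names to API privilege IDs are assumptions of this example; IDs the connected vCenter does not define (the NA rows on 6.0) are reported and skipped.

```powershell
# Added example, not Clumio code. Assumes VMware PowerCLI and an open Connect-VIServer session.
$roleName  = 'Clumio-Connector'           # hypothetical role name
$principal = 'VSPHERE.LOCAL\svc-clumio'   # hypothetical service account

function Join-Prefix($Prefix, $Names) { $Names | ForEach-Object { "$Prefix.$_" } }

# Privilege IDs for the matrix rows; the UI-name-to-ID mapping is this example's assumption.
$wanted = @(
  Join-Prefix 'Cryptographer' 'AddDisk','Access','Encrypt','RegisterVM'
  Join-Prefix 'Datastore' 'AllocateSpace','Browse','Config','FileManagement','DeleteFile','UpdateVirtualMachineFiles'
  Join-Prefix 'Global' 'Diagnostics','DisableMethods','EnableMethods','ManageCustomFields','SetCustomField'
  Join-Prefix 'InventoryService.Tagging' 'AttachTag','CreateTag','CreateCategory','EditTag','EditCategory'
  'Network.Assign', 'Resource.AssignVAppToPool', 'Resource.AssignVMToPool'
  Join-Prefix 'VApp' 'Create','Import','ApplicationConfig','InstanceConfig'
  Join-Prefix 'VirtualMachine.Config' 'DiskLease','AddExistingDisk','AddNewDisk','AddRemoveDevice',
    'AdvancedConfig','CPUCount','Memory','Settings','SwapPlacement','Resource','HostUSBDevice',
    'RawDevice','ManagedBy','MksControl','DiskExtend','EditDevice','QueryFTCompatibility',
    'QueryUnownedFiles','ReloadFromPath','RemoveDisk','Rename','ResetGuestInfo','Annotation',
    'ChangeTracking','ToggleForkParent','UpgradeVirtualHardware'
  Join-Prefix 'VirtualMachine.Inventory' 'CreateFromExisting','Create','Register','Delete','Unregister'
  Join-Prefix 'VirtualMachine.Interact' 'ConsoleInteract','PowerOff','PowerOn','Reset','Suspend'
  Join-Prefix 'VirtualMachine.Provisioning' 'DiskRandomAccess','DiskRandomRead','GetVmFiles',
    'CloneTemplate','Clone','Customize','ModifyCustSpecs','PromoteDisks','ReadCustSpecs'
  Join-Prefix 'VirtualMachine.State' 'CreateSnapshot','RemoveSnapshot','RenameSnapshot','RevertToSnapshot'
)

# Keep only the IDs this vCenter defines and report the rest.
$all     = Get-VIPrivilege -PrivilegeItem
$grant   = $all | Where-Object { $wanted -contains $_.Id }
$skipped = $wanted | Where-Object { $all.Id -notcontains $_ }
if ($skipped) { Write-Warning "Not defined on this vCenter: $($skipped -join ', ')" }

$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) { $role = New-VIRole -Name $roleName -Privilege $grant }

# Drift check on the role; System.* privileges are present in every role and are ignored.
$have    = (Get-VIPrivilege -Role $role).Id | Where-Object { $_ -notlike 'System.*' }
$extra   = $have | Where-Object { $wanted -notcontains $_ }
$missing = $grant.Id | Where-Object { $have -notcontains $_ }
if ($extra)   { Write-Warning "Granted beyond the matrix: $($extra -join ', ')" }
if ($missing) { Write-Warning "Missing from the role: $($missing -join ', ')" }

# Assign at the vCenter root (the KB's requirement); propagation to children is assumed.
$root = Get-Folder -NoRecursion
if (-not (Get-VIPermission -Entity $root -Principal $principal -ErrorAction SilentlyContinue)) {
  New-VIPermission -Entity $root -Principal $principal -Role $role -Propagate:$true | Out-Null
}
```

Re-running the script against an existing role only reports drift; it does not change the role's privileges.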
Validation:
- Deploy the Clumio Cloud Connector VM using the OVF and power it on (detailed steps are available at https://support.clumio.com/hc/en-us/articles/360028033271-User-Guide).
- Log in to the Web Console of the Clumio Cloud Connector VM and provide the Clumio service account credentials.
- After you apply the changes, you should get the below success message if the Clumio service account has been set up properly.
Contact:
Please contact support@clumio.com for any clarifications or questions.