2 Replies Latest reply: Dec 10, 2015 6:29 AM by Vijay Tonapi RSS

    What are the minimum permissions for creating snapshots through Vmware? "Administrator" rights are off the table.

    Vijay Tonapi Wayfarer

      Our snapshots were failing and during the investigation, found that our user doesn't have the correct permissions in Vmware.

       

      Message: Failed to create vCenter snapshot associated with volume collection XXXX1 schedule Nimble-Exchange-4am because the system is unable to log into the vCenter server due to an incorrect user name VMstorage or password. Verify the user name and password are correct.

       

      Our Vmware admins will not allow Nimble to use an Administrator account due to concerns with security and general hesitation to allow anything/one admin access. What are the specific permissions required?

      Thanks!

        • Re: What are the minimum permissions for creating snapshots through Vmware? "Administrator" rights are off the table.
          Vijay Tonapi Wayfarer

          Support said they will be testing, documenting, and probably publishing the permissions in a week or so. I will update when it happens.

          • Re: What are the minimum permissions for creating snapshots through Vmware? "Administrator" rights are off the table.
            Vijay Tonapi Wayfarer

            This is what Support replied with:

            Privileges for NPM (Volume Collection Backups)

            “VirtualMachine.State.CreateSnapshot”,

            “VirtualMachine.State.RemoveSnapshot”

             

            If you try “Validate” on the vCenter Sync VolColl, it will check these permissions on all the VMs in the datastores of that VolColl.

            Privileges for vCenter Plugin

             

            "Datastore.AllocateSpace",

            "Datastore.Config",

            "Datastore.Delete",

            "Datastore.Move",

            "Datastore.Rename",

            "Extension.Update",

            "Global.CancelTask",

            "Host.Config.AdvancedConfig",

            "Host.Config.NetService",

            "Host.Config.Settings",

            "Host.Config.Storage",

            "StoragePod.Config",

            "System.Anonymous",

            "System.Read",

            "System.View",

            "Task.Create",

            "Task.Update"

             

            Along with these, we also expect the privileges in the “NimbleStorage” group should be included in any custom role the user creates.

             

             

            We tested it against Commvault Intellisnap requirements originally which failed. We removed all Nimble permissions, Verified Commvault Intellisnap permissions and it worked fine. The issue with OUR environment is that within Nimble protection configuration, we had to use <DOMAIN>/username for the user to integrate with Vmware. We may encounter issues in the future for not using all the permissions from Nimble vs. Commvault (there are differences) but at this rate, we have it working.