Explanation of the VMware permissions required to perform backups and restores.
Per VMware documentation, the permissions required to complete a backup may be able to be limited to certain roles.
However, the same VMware documentation states:
To perform restore operations, the user account requires the Administrator role. For more information on this requirement, see Restore Virtual Machines from Backup section in the VMware Data Recovery Administration Guide.
Beyond the scope of the above VMware KB, additional unlisted permissions are also required for VAPI and other uses, to collect machine inventory and configuration information that goes beyond simple VADP backup operations.
As such, Unitrends requires the user supplied for authentication to vCenter to be a full admin of vCenter. Because restore is a critical component of our solution, including recovery automation and testing, lesser permission sets will not be supported by Unitrends staff, to avoid any complications or delays in emergency recovery actions. Unitrends also requires adding the root user credential of each managed ESX host for efficient backup and DR processes. The root user has the same permissions as Administrator, so reducing vCenter permissions does not provide a lesser access role, as ESX still runs as root only. In other words, there is no security enhancement provided by attempting to limit the vCenter permission set, since we also require ESX root permissions.
Unitrends strongly recommends that customers use a non-user or service account that is local to vCenter and not tied to Active Directory or other exploitable independent authentication systems.