Scenario
You have a VMware vSphere infrastructure and protect it with Acronis Cyber Backup software. For Acronis software to operate correctly, the vSphere account used by Acronis Cyber Backup must meet these requirements for available vSphere permissions. The permissions themselves are not the only factor: the vSphere objects they are applied to, and whether permission propagation is enabled on each of them, matter as well.
For example, the "Restore into new VM" operation requires different privileges than backup (especially in a multi-tenant vCenter environment), and you still need to propagate permissions to some extent. The Solution section describes how to ensure a successful restore with minimal permission propagation.
Solution
Set up a limited vSphere account and apply permissions for this account to these vSphere objects:
- On vCenter level - "Propagate" not enabled
- On DataCenter level - "Propagate" not enabled
- On vSphere cluster - "Propagate" not enabled
  (If VMs on root cluster level need to be managed, then "Propagate" must be enabled. Otherwise, make sure to apply permissions to the child Resource Pool inside the cluster that will be used as the target for VM recovery.)
- On Datastore level - "Propagate" not enabled
- On ESXi host level - "Propagate" enabled
- On vSwitch/dvSwitch level - "Propagate" enabled
To set up a new user account:
- In vSphere Web Client, navigate to Administration -> Single Sign-On -> Users and Groups.
- On the Users tab, click the New User icon to add a new user.
- Type a user name and password for the new user.
- Specify the email address for the new user.
- Select the type of permissions the user is granted.
To set up a new role in vCenter:
- In vSphere Web Client, select Home, click Administration, and click Roles.
- Click the Create role action (+) icon.
- Type a name (for example, BackupRestoreRole) for the new role.
- Select these privileges for the role and click OK.
To apply permissions:
1. In the VMware vSphere console, connect to the relevant vCenter.
2. Right-click this vCenter and click Add Permission.
3. Add the newly created user, assign it BackupRestoreRole and leave the Propagate to children check-box unchecked.
4. Right-click the child data center. Repeat steps 2-3.
5. Right-click the child cluster. Repeat steps 2-3.
6. Right-click the ESXi host that will host the recovered machine(s). Click Add Permission. Add the newly created user, assign it BackupRestoreRole and mark the Propagate to children check-box.
7. Right-click the Resource pool that will be used as the target for VM recovery. Click Add Permission. Add the newly created user, assign it BackupRestoreRole and mark the Propagate to children check-box.
8. Switch to the Datastores view and right-click the relevant datastore that will be used as the target for VM recovery. Repeat steps 2-3.
9. Right-click the relevant vSwitch/dvSwitch and click Add Permission. Add the newly created user, assign it BackupRestoreRole and mark the Propagate to children check-box.
10. Specify this newly created user for the connection to vCenter in Acronis Cyber Backup software, either by changing the user if you already have Agent for VMware registered or by deploying a new agent using the prepared vSphere account:
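
A read-only check of the layout described above, added here as an example (it is not Acronis or VMware code): it compares an exported list of permission assignments for the backup account against the "Propagate" settings this article lists. It flags grants that propagate more widely than required, grants that will not reach child objects, wrong roles and missing objects. The CSV columns, account names and object names are constructed for illustration.

```python
import csv
import io

# Expected "Propagate" setting per object type, from the lists in this article.
EXPECTED = {"vcenter": False, "datacenter": False, "cluster": False,
            "resourcepool": True, "datastore": False, "host": True, "switch": True}

# Constructed sample export; the column names are assumptions, not a vSphere format.
SAMPLE = """object_type,object_name,principal,role,propagate
vcenter,vc01,svc-backup@vsphere.local,BackupRestoreRole,false
datacenter,DC-East,svc-backup@vsphere.local,BackupRestoreRole,true
cluster,Cluster-A,svc-backup@vsphere.local,BackupRestoreRole,false
host,esx01,svc-backup@vsphere.local,BackupRestoreRole,true
datastore,ds-restore,svc-backup@vsphere.local,Administrator,false
switch,dvs-prod,svc-backup@vsphere.local,BackupRestoreRole,false
vcenter,vc01,helpdesk@vsphere.local,ReadOnly,true
"""

def audit(csv_text, principal, role="BackupRestoreRole", root_cluster_vms=False):
    """Return sorted (issue, object_type, object_name) tuples for one account."""
    expected = dict(EXPECTED)
    if root_cluster_vms:
        # Article: managing VMs at root cluster level needs "Propagate" on the
        # cluster; the grant on a child resource pool is then not required.
        expected["cluster"] = True
    required = set(expected) - ({"resourcepool"} if root_cluster_vms else set())
    findings, seen = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["principal"].strip().lower() != principal.lower():
            continue  # grant belongs to another account
        otype, name = row["object_type"].strip().lower(), row["object_name"].strip()
        if otype not in expected:
            findings.append(("unexpected-object", otype, name))
            continue
        seen.add(otype)
        if row["role"].strip() != role:
            findings.append(("wrong-role", otype, name))
        propagate = row["propagate"].strip().lower() == "true"
        if propagate and not expected[otype]:
            findings.append(("over-propagated", otype, name))  # wider than needed
        elif expected[otype] and not propagate:
            findings.append(("not-propagated", otype, name))   # children not covered
    findings += [("missing-grant", t, "") for t in required - seen]
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE, "svc-backup@vsphere.local"):
        print(finding)
```

Pass `root_cluster_vms=True` when VMs at root cluster level are managed, which switches the cluster expectation to propagated and drops the resource pool requirement.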