Orange County, Tustin, CA 92780

VMware Backup Solution Missing Privileges

VMware Missing Privileges

There are plenty of solutions on the market for backing up your VMware vSphere environment, and all are constantly being updated. As you move from one version of VMware vSphere to the next, vendor documentation sometimes is not appropriately updated to include the necessary permissions for your backup software to do its tasks properly. Calling support is not always the ideal solution because some techs are just going by what their official documentation states - we just covered that their manuals aren't constantly updated (or specific sections). So what do you do?

I know that many administrators and engineers will usually grant the Administrator Role in VMware vSphere and be done with it. But remember that all solutions give you a list of required permissions for a reason:  It's best practice to provide only the necessary permissions and nothing more. 

The Fix

 First, check the documentation to ensure you have not missed a step. If you have confirmed that you have not missed anything, let's look at Events for the particular ESXi host to look for the missing required privileges. 

Find Missing Permissions

  1. Log on to your vSphere Client.
  2. Select Hosts and Clusters.
  3. Select the ESXi host that attempted to backup your VMs.
  4. On the Monitor tab, expand Tasks and Events, then select Events.
  5. Under the Description column, click on the filter icon and type "missing" to find entries with that word.
    esxi host events backup missing privilege
  6. You'll need to expand each entry to see exactly what is missing and take note of each permission listed. Remember that there is a Next link above the entries, and you may have to browse several pages. 

From the screenshot above, you can see that I'm missing a privilege named Host.Config.Image. As I continued scrolling thru the multiple pages within events, I saw another privilege for Resource.ColdMigrate. Be advised that while the privileged stated in the events are called out with a specific name, the names may be slightly different when you go to the Roles section but is similar enough that you can make an educated guess on its updated name. No, WMware doesn't make it easy.

Add Missing Permissions

  1. Navigate to the Configuration UI.
    1. From the Home menu, select Administration.
    2. Under Access Control, click Roles.
  2.  Select the appropriate role you have created for your backup application. In my case, I have a role called Veeam Backup, and click Edit.
    missing backup privileges
  3.  Scroll on the left-hand side of the parent permissions until you find the first missing one named Host, then scroll on the right-hand side until you find Configuration, then Image Configuration. Click Save
  4. Repeat the steps for the remaining missing privileges.

You'll notice what is shown here versus what you saw earlier when looking for the missing privileges are slightly different since the permissions were abbreviated:  Host.Config.Image. Like I said earlier, VMware doesn't always make it easy, but it's not difficult, either. 




Byron Zepeda

Byron Zepeda is a Senior Systems Engineer in Orange County, California, working with VMware vSphere, Citrix Virtual Apps, backups, and storage. As cloud technologies and automation become first-class citizens within IT organizations, he desires to share everything he learns and pass it on to others.