Create a vCenter role with the permissions that Commvault needs to discover, back up, and restore the VMware vSphere VMs that you want to protect.
Requirements
- A computer that can connect to the vCenter server
- VMware PowerCLI installed on the computer where you run the script
- A vCenter account that can create roles
Procedure
- Download these files to the computer that can connect to the vCenter server:
- If your vCenter server uses a self-signed or untrusted certificate, run the following command:
  Powershell.exe Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Scope User
- From the folder that contains the script and the permissions file, run the following command to create the role:
  Powershell.exe -File CreateCVRole.ps1 -Role "role" -Server "vcenter_server_fqdn"
  Where:
  - [role] is the name of the role.
  - [vcenter_server_fqdn] is the fully qualified domain name of the vCenter server.
- In vCenter, assign the role to one or more vCenter user accounts you intend to use to connect Commvault to vCenter.
  The user accounts must have access to the inventory objects that contain the VMs you want to protect.
Transport mode considerations
Some transport modes (such as HotAdd) rely on additional VMware operations (for example, attaching disks to the access node). If transport mode operations fail, confirm that:
- You used the role created by this script for the vCenter credential in Commvault.
- The role is assigned at the correct inventory scope for the VMs you want to protect.
Limit the vCenter account to a subset of inventory
Use this approach if multiple teams share the same vCenter and you want the Commvault vCenter credential to access only a specific set of VMs.
- In vCenter, assign the role to the user account at the inventory level that you want to protect, such as a datacenter, cluster, folder, resource pool, or individual VM.
- If needed, assign a No access role to inventory that must be hidden from the same user account.
If the scope is too restrictive, backups or restores can fail because required objects such as restore targets, datastores, or hosts aren’t accessible.
If the protected scope changes, update the vCenter permissions.
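The scoped assignment described in this section, scripted with PowerCLI as an added example (it is not part of the Commvault script or documentation). The server, role, account, and folder names are placeholder assumptions; the audit at the end lists every inventory object where the account holds a permission, so an assignment outside the intended scope is visible.

```powershell
# Added example. Every value in this block is a constructed placeholder.
$Server    = 'vcenter.example.com'          # vCenter FQDN (placeholder)
$RoleName  = 'CommvaultBackup'              # name you passed to CreateCVRole.ps1 -Role (placeholder)
$Principal = 'VSPHERE.LOCAL\svc-commvault'  # account Commvault connects with (placeholder)
$Protected = 'Team-A-VMs'                   # VM folder Commvault should protect (placeholder)
$Hidden    = 'Team-B-VMs'                   # VM folder to hide from the account (placeholder)

Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server $Server -Credential (Get-Credential) -ErrorAction Stop | Out-Null

try {
    # Fail early if the role or either folder does not exist.
    $role            = Get-VIRole  -Name $RoleName -ErrorAction Stop
    $noAccess        = Get-VIRole  -Name 'NoAccess' -ErrorAction Stop   # built-in system role
    $protectedFolder = Get-Folder  -Name $Protected -Type VM -ErrorAction Stop
    $hiddenFolder    = Get-Folder  -Name $Hidden    -Type VM -ErrorAction Stop

    # Grant the backup role at the folder, not at the vCenter root,
    # and let it propagate to the VMs inside the folder.
    New-VIPermission -Entity $protectedFolder -Principal $Principal `
        -Role $role -Propagate:$true | Out-Null

    # Explicitly hide inventory that belongs to another team.
    New-VIPermission -Entity $hiddenFolder -Principal $Principal `
        -Role $noAccess -Propagate:$true | Out-Null

    # Audit: list every object where the account holds a permission.
    $perms = Get-VIPermission -Principal $Principal
    $perms | Sort-Object Entity | Format-Table Entity, Role, Propagate -AutoSize

    # Flag assignments outside the two folders handled above. Some may be
    # intentional (for example datastores or hosts used as restore targets),
    # so review the list instead of removing entries automatically.
    $expectedIds = @($protectedFolder.Id, $hiddenFolder.Id)
    $outside = $perms | Where-Object { $_.EntityId -notin $expectedIds }
    foreach ($p in $outside) {
        Write-Warning "Review: '$($p.Role)' on '$($p.Entity)' (propagate=$($p.Propagate))"
    }
}
finally {
    Disconnect-VIServer -Server $Server -Confirm:$false
}
```

Rerun the audit portion whenever the protected scope changes, and compare the output against the inventory objects that backups and restores need to reach.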