I've been going onto each of my ESX hosts and creating a new account called "backup" that I then use in a --config file to back up that host using the vicfg-cfgbackup.pl script. Just to get it to work, the way I created this user was to add him to both the "root" and "localadmin" groups. Then I went to the permissions tab and added that user to the "Administrator" role. This is obviously overkill in permissions. I was wondering if someone had experimented with the minimum permissions necessary to back up the config on an ESXi server.
-Gunnar
The esxcfg-cfgbackup/vicfg-cfgbackup script actually uses the following vSphere API call: BackupFirmwareConfiguration. If you look at the bottom of the function definition in the you'll see it describes the required privileges to access this function: Host.Config.Firmware ... there probably will be other privileges, but you'll need at least this.
=========================================================================
William Lam
VMware vExpert 2009
VMware ESX/ESXi scripts and resources at:
VMware Code Central - Scripts/Sample code for Developers and Administrators
If you find this information useful, please award points for "correct" or "helpful".
Thanks for the input. I have set up a new role that only has the access needed for backup; however, I'm still lost on the groups. What groups would this person need to be a member of?
Gunnar
I know this is an old post but we ran into the same problem in finding out what permissions to give an account to just be able to copy our Host configs.
We scripted this in PowerShell to do a nightly backup of each host to its own folder, with each backup file getting the date appended to the front of the filename. We retain 14 copies, and each night the job then deletes the oldest copy of the backup.
We created an AD User for this so we could use Windows task scheduler on our vCenter server to run the job.
On your vCenter, clone the Read Only role and name it something like Host Config Backup.
Then edit the role permissions and under Host, Configuration: check the Firmware box.
At the vCenter level, go to the Permissions tab, add your AD user and grant it the Host Config Backup role.
Now your script should be able to run against your hosts.
Again, the minimum required permission on your new role will be Host, Configuration, Firmware.
If you don't have vCenter and AD integration, you can add the role individually to each host and add that user to your script and run it against them.
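The role setup and nightly job described in the post above, sketched with VMware PowerCLI as an added example (it is not the poster's script or any code from this thread). The server name, AD account and backup folder are placeholder assumptions; run it once with `-CreateRole` as an administrator, then schedule it without that switch under the AD user.

```powershell
# Added example, not from the thread. Requires VMware PowerCLI.
# Assumed placeholder values: server, AD account and backup folder below.
param(
    [string]$VCenter    = 'vcenter.example.local',
    [string]$Principal  = 'EXAMPLE\svc-hostcfgbackup',
    [string]$BackupRoot = 'D:\HostConfigBackups',
    [int]$Keep          = 14,
    [switch]$CreateRole  # run once as an administrator; omit in the nightly task
)
$ErrorActionPreference = 'Stop'
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server $VCenter | Out-Null  # uses the identity the task runs as

if ($CreateRole) {
    # Read Only's privileges plus the one extra privilege: Host.Config.Firmware
    $privs  = @(Get-VIPrivilege -Role (Get-VIRole -Name 'ReadOnly'))
    $privs += Get-VIPrivilege -Id 'Host.Config.Firmware'
    $role   = New-VIRole -Name 'Host Config Backup' -Privilege $privs
    # Grant at the vCenter root folder and propagate down to every host
    New-VIPermission -Entity (Get-Folder -NoRecursion) -Principal $Principal `
        -Role $role -Propagate $true | Out-Null
    # Print the resulting privilege list so it can be reviewed
    $role.PrivilegeList | Sort-Object
}
else {
    $stamp = Get-Date -Format 'yyyy-MM-dd'
    $dated = '^\d{4}-\d{2}-\d{2}_'
    $hosts = Get-VMHost | Where-Object { $_.ConnectionState -in 'Connected', 'Maintenance' }
    foreach ($vmhost in $hosts) {
        $dir = Join-Path $BackupRoot $vmhost.Name
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        try {
            # Calls the firmware backup and downloads the bundle into $dir
            Get-VMHostFirmware -VMHost $vmhost -BackupConfiguration -DestinationPath $dir | Out-Null
        }
        catch {
            Write-Warning "Backup failed for $($vmhost.Name): $_"
            continue  # leave this host's older copies untouched
        }
        # Put the date on the front of the freshly downloaded file's name
        Get-ChildItem $dir -File | Where-Object Name -notmatch $dated |
            ForEach-Object { Move-Item $_.FullName (Join-Path $dir "${stamp}_$($_.Name)") -Force }
        # Keep the newest $Keep dated copies; ISO dates sort correctly by name
        Get-ChildItem $dir -File | Where-Object Name -match $dated |
            Sort-Object Name -Descending | Select-Object -Skip $Keep | Remove-Item
    }
}
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

The bundles hold each host's full configuration, so limit the ACL on the backup folder to the service account and the administrators who perform restores.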
