Netbackup 7 Permissions Needed to Back Up VMs in vCenter 4.x

Summary:
Symantec will tell you that full administrator access is needed to back up systems properly.  That is the easiest way, but I’m here to tell you it is not required.  Two things need to be done:
  1. Create a proper security role
  2. Apply that role to the relevant nodes in vCenter
Details: (Update to Role Perms can be found here.)
Role Permissions needed (we’ll call it Netbackup Role):

| Privilege Group | Privilege(s) to Enable |
|---|---|
| Datastore | Allocate Space |
| | Browse Datastore |
| | Low level file operations |
| Global | Licenses |
| Configuration | Add existing disk |
| | Add new disk |
| | Change resource |
| | Disk lease |
| | Remove disk |
| | Settings |
| Provisioning | Allow disk access |
| | Allow read-only disk access |
| | Allow virtual machine download |
| State | Create Snapshot |
| | Remove Snapshot |

Next, you need to apply permissions to the correct nodes in vCenter:
  1. Apply the Netbackup service account with the Netbackup Role to the vCenter node.
    1. Propagate down if you want everything under the vCenter node to be backed up.  If not, leave the ‘propagate’ checkbox unchecked and continue to the next steps.
    (Screenshot: vCenter Node)
  2. If you are continuing, you probably have multiple datacenters.  Next, apply the Netbackup service account with the Netbackup Role to the datacenters you want backed up.
    1. Go ahead and propagate down for all datacenters you want backed up.  You’re finished at this point if there are no hosts/clusters or VMs that need to be omitted.  Otherwise continue.
    (Screenshot: vCenter DC Node)
  3. Next, to omit certain hosts/clusters, select the host/cluster that you would like to omit from backups, find the Netbackup account under the Permissions tab and change its role to ‘no access’ (if Netbackup has problems at this point, you may need to change the role to ‘read-only’).
    1. The same idea applies to VMs and folders, if you use them.
    (Screenshot: vCenter Cluster Node)
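
The role and the three permission steps above can also be scripted, which makes the assignment repeatable and easy to review. The PowerCLI script below is an added example, not code from the original post: the server, service account, datacenter and cluster names are placeholders, and the privilege IDs are assumed to be the API identifiers behind the labels in the role table.

```powershell
# Added example (not from the original post): scripted form of the steps above.
# Assumes VMware PowerCLI; server, account and inventory names are placeholders.
$vCenter   = 'vcenter.example.local'
$principal = 'EXAMPLE\svc-netbackup'
$roleName  = 'Netbackup Role'

# Privilege IDs assumed to match the labels in the role table.
$privilegeIds = @(
    'Datastore.AllocateSpace',                     # Allocate Space
    'Datastore.Browse',                            # Browse Datastore
    'Datastore.FileManagement',                    # Low level file operations
    'Global.Licenses',                             # Licenses
    'VirtualMachine.Config.AddExistingDisk',       # Add existing disk
    'VirtualMachine.Config.AddNewDisk',            # Add new disk
    'VirtualMachine.Config.Resource',              # Change resource
    'VirtualMachine.Config.DiskLease',             # Disk lease
    'VirtualMachine.Config.RemoveDisk',            # Remove disk
    'VirtualMachine.Config.Settings',              # Settings
    'VirtualMachine.Provisioning.DiskRandomAccess',# Allow disk access
    'VirtualMachine.Provisioning.DiskRandomRead',  # Allow read-only disk access
    'VirtualMachine.Provisioning.GetVmFiles',      # Allow virtual machine download
    'VirtualMachine.State.CreateSnapshot',         # Create Snapshot
    'VirtualMachine.State.RemoveSnapshot'          # Remove Snapshot
)

Connect-VIServer -Server $vCenter | Out-Null

# Create the role; stop if any ID does not resolve on this vCenter version.
$privileges = @(Get-VIPrivilege -Id $privilegeIds)
if ($privileges.Count -ne $privilegeIds.Count) { throw 'Unresolved privilege IDs' }
$role = New-VIRole -Name $roleName -Privilege $privileges

# Step 1: vCenter node, not propagated (selective backup scope).
$root = Get-Folder -NoRecursion
New-VIPermission -Entity $root -Principal $principal -Role $role -Propagate:$false | Out-Null

# Step 2: datacenter to back up, propagated to everything beneath it.
$dc = Get-Datacenter -Name 'DC-Backup'
New-VIPermission -Entity $dc -Principal $principal -Role $role -Propagate:$true | Out-Null

# Step 3: omit one cluster by overriding the inherited role with 'No access'.
$noAccess = Get-VIRole -Name 'NoAccess'
New-VIPermission -Entity (Get-Cluster -Name 'Cluster-Omit') -Principal $principal -Role $noAccess -Propagate:$true | Out-Null

# Review every place the service account holds a permission.
Get-VIPermission -Principal $principal | Select-Object Entity, Role, Propagate
```

The final listing is worth keeping with change records: it shows exactly where the service account has rights and where it has been cut off.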
That’s pretty much it.  I would recommend this practice for any size shop since you never want a generic service account to have more access than it needs.  Questions?  Did I get something wrong?  Leave comments please.