VMware Permissions Reference
When you target a VMware vCenter environment in Carbon, the service account you provide during the Setup Wizard needs a specific set of vCenter privileges to create the target VM, attach the migrated disks, configure resources, and bring the VM online.
This page is the canonical list. Grant these privileges to the role the Carbon service account is assigned to. For less granular environments you can instead grant Administrator at the vCenter level, but the privileges below are the minimum required and the preferred approach for production.
Datastore operations
Required for writing the migrated VM disks to the chosen datastore:
- Allocate space
- Browse datastore
- Low level file operations
- Remove file
- Update virtual machine files
Network configuration
Required for connecting the migrated VM to the target network you select in the migration wizard:
- Assign network
Resource management
Required for placing the migrated VM in the chosen resource pool:
- Assign vApp to resource pool
- Assign virtual machine to resource pool
Virtual machine configuration
Required for creating the target VM with the same CPU, memory, and disk configuration as the Azure source:
- Change Configuration
- Change CPU count
- Change Memory
- Add new disk
- Remove disk
- Rename
- Upgrade virtual machine compatibility
Inventory management
Required for creating, registering, and managing the target VM in the vCenter inventory:
- Create from existing
- Create new
- Move
- Register
- Remove
- Unregister
VM interactions
Required during first-boot and configuration of the migrated VM:
- Answer question
- Install VMware Tools
- Connect devices
- Configure CD media
Provisioning operations
Required for the disk-level work of copying source disk content into the target VM:
- Allow disk access
- Allow file access
- Customize guest
- Promote disks
How to grant these in vCenter
The recommended approach is to create a dedicated role with exactly these privileges, then assign the role to your Carbon service account at the appropriate vCenter scope:
- In the vSphere Client, navigate to Administration → Access Control → Roles.
- Click + to create a new role. Name it something operator-clear, e.g. Carbon-Migration-Service.
- Tick every privilege from the categories above.
- Save the role.
- Navigate to Administration → Access Control → Global Permissions (or to the specific inventory object you want to scope to, e.g. a datacenter or cluster).
- Add the Carbon service account, assign the Carbon-Migration-Service role, and propagate to children if scoping at a parent level.
The Carbon service account can then authenticate to vCenter in the Setup Wizard with exactly the permissions it needs and no more.
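The role from the steps above can also be created and audited with PowerCLI, which makes it easy to confirm the account holds these privileges and nothing extra. This is an added example, not Carbon's own tooling: the privilege IDs are this example's mapping of the labels listed on this page, and the account name EXAMPLE\svc-carbon is a placeholder.

```powershell
# Added example, not vendor code. Assumes VMware PowerCLI and an existing
# Connect-VIServer session. The privilege IDs are this example's mapping of the
# UI labels listed on this page (an assumption; confirm with Get-VIPrivilege).
# "Change Configuration" is treated as the heading of the VirtualMachine.Config group.
$RoleName  = 'Carbon-Migration-Service'
$Principal = 'EXAMPLE\svc-carbon'   # placeholder account name

$Required = @(
    'Datastore.AllocateSpace', 'Datastore.Browse', 'Datastore.FileManagement',
    'Datastore.DeleteFile', 'Datastore.UpdateVirtualMachineFiles',
    'Network.Assign',
    'Resource.AssignVAppToPool', 'Resource.AssignVMToPool',
    'VirtualMachine.Config.CPUCount', 'VirtualMachine.Config.Memory',
    'VirtualMachine.Config.AddNewDisk', 'VirtualMachine.Config.RemoveDisk',
    'VirtualMachine.Config.Rename', 'VirtualMachine.Config.UpgradeVirtualHardware',
    'VirtualMachine.Inventory.CreateFromExisting', 'VirtualMachine.Inventory.Create',
    'VirtualMachine.Inventory.Move', 'VirtualMachine.Inventory.Register',
    'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Unregister',
    'VirtualMachine.Interact.AnswerQuestion', 'VirtualMachine.Interact.ToolsInstall',
    'VirtualMachine.Interact.DeviceConnection', 'VirtualMachine.Interact.SetCDMedia',
    'VirtualMachine.Provisioning.DiskRandomAccess',
    'VirtualMachine.Provisioning.FileRandomAccess',
    'VirtualMachine.Provisioning.Customize', 'VirtualMachine.Provisioning.PromoteDisks'
)
# vCenter places these three in every role, so they do not count as excess.
$Implicit = @('System.Anonymous', 'System.Read', 'System.View')

# Create the role if it does not exist yet; otherwise audit what is there.
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege (Get-VIPrivilege -Id $Required)
}

$granted = @($role.PrivilegeList)
[pscustomobject]@{
    Role    = $RoleName
    Missing = @($Required | Where-Object { $_ -notin $granted })
    Excess  = @($granted | Where-Object { $_ -notin ($Required + $Implicit) })
}

# Where the account holds a permission, with which role, and whether it propagates.
Get-VIPermission -Principal $Principal | Select-Object Entity, Role, Propagate
```

An empty Missing and Excess list means the role matches the list on this page; the final command shows whether the account is scoped globally or to a specific inventory object.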
What about ESXi (without vCenter)?
When targeting ESXi directly (no vCenter), Carbon uses local ESXi credentials. The host's root account always has the necessary privileges; for non-root service accounts, the same conceptual privilege grouping applies but is configured differently per ESXi host (rather than centrally in vCenter).
SSH must also be enabled on the target ESXi host — see Setup Wizard step 6 for context.
What about Hyper-V?
Hyper-V uses Windows security primitives (local administrators or domain accounts), not VMware-style fine-grained privileges. Local administrator on the target Hyper-V host is the typical grant. For centrally-managed Hyper-V via SCVMM, the SCVMM role assignment is what governs Carbon's access.
Further reading
- Carbon VMware permissions on smikar.com — the original reference page.
See also
- First-Time Setup (Setup Wizard) — where the vCenter credentials are entered.
- Migrate a VM — the workflow that uses the granted privileges.
Need help? support@smikar.com.