The vSphere user must have specific privileges to perform operations related to Cloud Native Storage.

You can create several roles to assign sets of permissions on the objects that participate in the Cloud Native Storage environment.

For more information about roles and permissions in vSphere, and how to create a role, see the vSphere Security documentation.

Role Name Privilege Name Description Required On
CNS-SPBM Profile-driven storage > Profile-driven storage update Allows changes to be made to VM storage policies, such as creating and updating storage VM storage policies. Root vCenter Server
Profile-driven storage > Profile-driven storage view Allows viewing of defined storage policies.
CNS-VM Virtual machine > Configuration > Add existing disk Allows adding an existing virtual disk to a virtual machine. All cluster node VMs
Virtual Machine > Configuration > Add or remove device Allows addition or removal of any non-disk device.
CNS-Datastore Datastore > Low level file operations Allows performing read, write, delete, and rename operations in the datastore browser. Shared datastore where persistent volumes reside
Read-only Default role Users with the Read Only role for an object are allowed to view the state of the object and details about the object. For example, users with this role can find the shared datastore accessible to all node VMs.

For zone and topology-aware environments, all ancestors of node VMs, such as a host, cluster, and data center must have the Read-only role set for the vSphere user configured to use the CSI driver and CCM. This is required to allow reading tags and categories to prepare the nodes' topology.

All hosts where the nodes VMs reside

Data center

CNS UI privilege.Cns.label > privilege.Cns.Searchable.label Allows storage administrator to see CNS UI.