The CNS vSphere user must have specific privileges to perform operations related to Cloud Native Storage.
For more information about roles and permissions in vSphere, and how to create a role, see the vSphere Security documentation.
|Role Name||Privilege Name||Description||Required On|
|CNS-Datastore||Datastore > Low level file operations||Allows performing read, write, delete, and rename operations in the datastore browser.||Shared datastore where persistent volumes reside.|
|CNS-HOST-CONFIG-STORAGE||Host > Configuration > Storage partition configuration||Allows vSAN datastore management.||Required on a vSAN cluster with vSAN file service. Required for file volume only.|
|CNS-VM||Virtual machine > Change Configuration > Add existing disk||Allows adding an existing virtual disk to a virtual machine.||All cluster node VMs.|
|Virtual Machine > Change Configuration > Add or remove device||Allows addition or removal of any non-disk device.|
|CNS-SEARCH-AND-SPBM||CNS > Searchable||Allows storage administrator to see Cloud Native Storage UI.||Root vCenter Server.|
|Profile-driven storage > Profile-driven storage view||Allows viewing of defined storage policies.|
|Read-only||Default role|| Users with the Read Only role for an object are allowed to view the state of the object and details about the object. For example, users with this role can find the shared datastore accessible to all node VMs.
For zone and topology-aware environments, all ancestors of node VMs, such as a host, cluster, and data center must have the Read-only role set for the vSphere user configured to use the CSI driver and CCM. This is required to allow reading tags and categories to prepare the nodes' topology.
|All hosts where the nodes VMs reside