Is there any way to use a lower privilege user for inventory of ESXi hosts using the ESXi OMSA client with WSMan credentials?
Currently, when doing a discovery through the primary NICs, we're having to put in ESXi console root credentials, not our preferred method. I've tried creating a read-only user on the ESXi host, but when I use these new credentials for WSMan in the discovery range in place of the root ones they don't work. Any ideas, anyone?
(PS: this is for discovery of the ESXi primary network NICs, not the iDRAC-connected NIC.)
You may have to refer to OMSA user guide. Here is a link to OMSA 6.5 user guide:
Page 24 (Section: Creating Server Administrator Users for VMware ESX 4.X and ESXi 4.X) has info on configuring Server Administrator users. Not sure how much of it is helpful.
Hi, thanks for that. The manuals don't refer to creating service accounts with the principle of least privilege. I've done some testing, so for everyone else's benefit...
The best method is to create a console user on the ESXi host, add this to the root users group, but only assign it a read-only role for the host. This ensures OpenManage has enough rights to scrape the inventory using the read-only credentials for WSMan.
I tried this, but in my 5.5 environment I don't have a root group, or any other groups for that matter. I gave the user shell access, then put it in a read-only role, and in OME I get an 'unknown' health status. If I change my WS-Man config to the root user, I get a healthy status. There has to be a way to set this up with a non-root account.
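One way to check a candidate account against the host's WS-Man CIM endpoint directly, instead of inferring it from an OME health status, is the PowerShell function below. It is an added example, not code from the thread or from Dell; it assumes the Windows WSMan cmdlets (Get-WSManInstance, New-WSManSessionOption) and that the ESXi CIM broker answers an enumeration of CIM_ComputerSystem on /wsman with basic authentication over HTTPS, and the host name is a placeholder.

```powershell
# Added example (not from the thread). Enumerates one CIM class over WS-Man with a
# given credential and reports whether that account can read inventory at all.
function Test-EsxiWsmanInventory {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][pscredential]$Credential,
        # Assumption: CIM_ComputerSystem is served by the ESXi CIM broker.
        [string]$Class = 'CIM_ComputerSystem'
    )
    # Lab hosts usually present self-signed certs; skipping the checks is for a test only.
    $opt = New-WSManSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
    $uri = "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/$Class"
    try {
        $items = Get-WSManInstance -ConnectionURI "https://$HostName/wsman" `
            -ResourceURI $uri -Enumerate -Authentication Basic `
            -Credential $Credential -SessionOption $opt -ErrorAction Stop
        [pscustomobject]@{ Host = $HostName; User = $Credential.UserName
                           Ok = $true; Instances = @($items).Count; Error = $null }
    } catch {
        # An access-denied style error here, while root succeeds, means the account
        # lacks the rights OME needs, which matches the 'unknown' status seen in OME.
        [pscustomobject]@{ Host = $HostName; User = $Credential.UserName
                           Ok = $false; Instances = 0; Error = $_.Exception.Message }
    }
}

# Compare the read-only account with root on the same host (placeholder host name).
$esx      = 'esxi01.example.internal'
$roCred   = Get-Credential -Message 'Read-only ESXi account'
$rootCred = Get-Credential -Message 'ESXi root (comparison only)'
Test-EsxiWsmanInventory -HostName $esx -Credential $roCred
Test-EsxiWsmanInventory -HostName $esx -Credential $rootCred
```

Run both calls and compare the Ok and Error fields: a failure for the read-only account alongside a success for root confirms the problem is the account's rights on the host rather than the OME discovery range configuration.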
Thanks for the follow up. I'll try to find out more on this.
But I think that for discovery or possibly some of the inventory data we are collecting from the ESXi box VMware requires the elevated privileges.
You can use a different (non-root) user most likely. But it must have admin access. This is because we are running WSMan commands to collect the inventory and ESXi would require it.
I found a few other posts searching around. Perhaps there are ways to configure the ESXi side of things to accept accounts with lower permissions(?) Or perhaps there is something we can do on the OME side in a future release. But at least according to these posts, there are some considerations that must be made.
Thanks and let me know if your searching comes up with anything else.
Found out a little bit more, for what it's worth...
WSMAN (which is the protocol we and others use to get inventory data from ESXi) cannot execute with a read-only account directly.
This ESXi document says to create a service account for CIM service.
There is a blog I found that says even the service account will not work without root access and it is an ESXi issue (again fwiw).