Quickref: Required vCenter permissions for vOPS service account user
The easiest way to set up a connection from our virtual appliance to your vCenter server(s) is to use an account that has full admin rights. However, in many cases, this is either not desired or not possible due to company security policies. Luckily, it is also not necessary.
The permissions vOPS needs depend on which of its functions are in use. Below are the bare-minimum permissions for each function.
Always required:
- Read-only access to entire infrastructure.
- Datastore -> Browse datastore.
Required for Performance Analyzer real-time analysis:
- Alarms -> Create alarm
- Alarms -> Modify alarm
- Alarms -> Remove alarm
- Alarms -> Set alarm status
- Alarms -> Acknowledge alarm
- Alarms -> Disable alarm action
Required for any kind of automation:
- Virtual Machine -> Configuration -> Advanced
- Virtual Machine -> Configuration -> Change CPU count
- Virtual Machine -> Configuration -> Settings
- Virtual Machine -> Configuration -> Memory
- Virtual Machine -> Interaction -> Power On
- Virtual Machine -> Interaction -> Power Off
- Scheduled Task -> Create task
- Scheduled Task -> Run task
- Scheduled Task -> Delete task
Required for adding the VC plugin:
- Extension -> Register extension
- Extension -> Unregister extension
- Extension -> Update extension
So, for a user that will do everything, just clone Read-Only and then add these permissions:
Datastore.Browse Datastore
ScheduledTask.Create
ScheduledTask.Run
ScheduledTask.Delete
VirtualMachine.Interact.PowerOn
VirtualMachine.Interact.PowerOff
VirtualMachine.Config.CPUCount
VirtualMachine.Config.Memory
VirtualMachine.Config.Resource
Extension.Register
Extension.Unregister
Extension.Update
Alarms.Acknowledge alarm
Alarms.Create alarm
Alarms.Disable alarm action
Alarms.Modify alarm
Alarms.Remove alarm
Alarms.Set alarm status
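A least-privilege check built on the per-function lists above, as an added example that is not part of the original post or of vOPS: it reports which privileges a service-account role is missing for the functions in use and which it holds beyond them. The tier names, function names and sample role are assumptions made for illustration, and the role is taken to list only what was added on top of a cloned Read-Only role.

```python
# Added example. Tier contents are transcribed from the post's lists; the
# tier keys and the sample role at the bottom are constructed for illustration.
TIERS = {
    "always": ["Datastore -> Browse datastore"],
    "realtime_analysis": [
        "Alarms -> Create alarm", "Alarms -> Modify alarm",
        "Alarms -> Remove alarm", "Alarms -> Set alarm status",
        "Alarms -> Acknowledge alarm", "Alarms -> Disable alarm action"],
    "automation": [
        "Virtual Machine -> Configuration -> Advanced",
        "Virtual Machine -> Configuration -> Change CPU count",
        "Virtual Machine -> Configuration -> Settings",
        "Virtual Machine -> Configuration -> Memory",
        "Virtual Machine -> Interaction -> Power On",
        "Virtual Machine -> Interaction -> Power Off",
        "Scheduled Task -> Create task", "Scheduled Task -> Run task",
        "Scheduled Task -> Delete task"],
    "vc_plugin": [
        "Extension -> Register extension", "Extension -> Unregister extension",
        "Extension -> Update extension"],
}

def norm(priv):
    """Canonical form so case and spacing around '->' do not matter."""
    return " -> ".join(part.strip().lower() for part in priv.split("->"))

def required_for(features):
    """Privileges needed for the given features; 'always' is implied."""
    need = set()
    for tier in ["always", *features]:
        need |= {norm(p) for p in TIERS[tier]}  # KeyError on an unknown feature
    return need

def audit(granted, features):
    """Compare privileges added on top of Read-Only with what is needed."""
    have = {norm(p) for p in granted}
    need = required_for(features)
    listed = required_for(TIERS)  # every privilege the post mentions
    return {
        "missing": sorted(need - have),                     # feature will break
        "beyond_features": sorted((have & listed) - need),  # in post, not in use
        "unlisted": sorted(have - listed),                  # not in the post
    }

# Constructed sample: a role meant for real-time analysis only, with drift.
SAMPLE_ROLE = TIERS["realtime_analysis"][:3] + TIERS["realtime_analysis"][4:] + [
    "Datastore->Browse Datastore", "Virtual Machine -> Interaction -> Power Off",
    "Host -> Configuration -> Maintenance"]
REPORT = audit(SAMPLE_ROLE, ["realtime_analysis"])
```

Anything reported under `beyond_features` or `unlisted` is a candidate for removal from the role before it is assigned to the service account.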