Quickref: Required vCenter permissions for vOPS service account user

The easiest way to set up a connection from our virtual appliance to your vCenter server(s) is to use an account that has full admin rights. However, in many cases, this is either not desired or not possible due to company security policies. Luckily, it is also not necessary.

The permissions that are needed by vOPS have levels which relate to the kind of operations that are in use. Below is a list of permissions that are needed at a bare minimum for various functions.

Always required:

• Read-only access to entire infrastructure.
• Datastore -> Browse datastore.

Required for Performance Analyzer real-time analysis:

• Alarms -> Create alarm
• Alarms -> Modify alarm
• Alarms -> Remove alarm
• Alarms -> Set alarm status
• Alarms -> Acknowledge alarm
• Alarms -> Disable alarm action

Required for any kind of automation:

• Virtual Machine -> Configuration -> Advanced
• Virtual Machine -> Configuration -> Change CPU count
• Virtual Machine -> Configuration -> Settings
• Virtual Machine -> Configuration -> Memory
• Virtual Machine -> Interaction -> Power On
• Virtual Machine -> Interaction -> Power Off
• Scheduled Task -> Create task
• Scheduled Task -> Run task
• Scheduled Task -> Delete task

Required for adding the VC plugin:

• Extension -> Register extension
• Extension -> Unregister extension
• Extension -> Update extension

So, for a user that will do everything, just clone Read-Only and then add these permissions:

Datastore.Browse Datastore

ScheduledTask.Create

ScheduledTask.Run

ScheduledTask.Delete

VirtualMachine.Interact.PowerOn

VirtualMachine.Interact.PowerOff

VirtualMachine.Config.CPUCount

VirtualMachine.Config.Memory

VirtualMachine.Config.Resource

Extension.Register

Extension.Unregister

Extension.Update

Alarms.Acknowledge alarm

Alarms.Create alarm

Alarms.Disable alarm action

Alarms.Modify alarm

Alarms.Remove alarm

Alarms.Set alarm status