Enterprise customers running complex vSphere environments with many users usually want to restrict access to the environment as much as possible. This applies to interactive users, who are granted only the views and permissions on the objects they need, but also to service users that other components use to access vCenter. This article covers vRealize Operations and vRealize LogInsight and shows which minimum permissions are required on the vCenter side to make the integration work.
vRealize Operations 6.1
vRealize Operations uses three types of users to access vCenter environments through the management pack. In small environments all three can share one administrative account, but it is also possible to use a separate account with different permissions for each function.
vCenter Collector user
This is the most important user: it queries inventory information from vCenter and receives metric data. Since this user does not need any write access to vCenter, read-only permissions (the existing Read-only role can be used), usually assigned at datacenter or vCenter Server level, are sufficient. If the view from vRealize Operations should be limited to a cluster, hosts or other components, the scope of this user's permissions has to be defined more granularly.
Find some more information about it here: Add a vCenter Adapter Instance
vCenter Registration user
When adding a new vCenter Adapter configuration to vRealize Operations, the vROps server has to be registered with the vCenter system once. This user requires some limited write permissions, as shown in the screenshot below.
Find more information here: VMware vCenter Operations Manager 5.8 (this document was created for an older version, but the permission structure in general still applies to 6.1)
vCenter Python Actions Adapter
vRealize Operations provides the ability to run actions/tasks on the objects it manages. For vSphere these are typically VM lifecycle operations, as shown in the screenshot below:
To access the actions mentioned above and execute them on the related vCenter Server, a Python interface is used. Obviously this requires sufficient permissions to run tasks on vCenter objects. As a best practice it is recommended to create a dedicated role on vCenter that enables only the actions that are desired.
Find more information here: Add a vCenter Python Actions Adapter Instance
For example, if a customer wants to allow only power on and power off actions, the permission structure would look like this:
Other examples of custom Python Actions permissions (action - required vCenter privilege):
- Power Off VM - Virtual Machine\Interaction\Power Off
- Power On VM - Virtual Machine\Interaction\Power On
- Set CPU Count for VM - Virtual Machine\Configuration\Change CPU Count (if the action needs to power off the VM, the Power Off privilege above is also required; if it takes a snapshot, the Create Snapshot privilege is also required)
- Set Memory for VM - Virtual Machine\Configuration\Memory
- Set CPU Resources for VM - Virtual Machine\Configuration\Change Resource
- Set CPU Count & Memory for VM - Virtual Machine\Configuration\Change CPU Count, Virtual Machine\Configuration\Memory (if the action needs to power off the VM, the Power Off privilege above is also required; if it takes a snapshot, the Create Snapshot privilege is also required)
- Delete Unused Snapshots for VM - Virtual Machine\Snapshot Management\Remove Snapshot (the user must also have read access to the host the VM is running on)
- Shutdown Guest OS for VM - Virtual Machine\Interaction\Power Off
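The following PowerCLI script is an added example, not part of the original article or of the vRealize Operations product: it builds a dedicated vCenter role from the action list above so that the Python Actions user gets only the privileges for the actions a customer actually wants, and then prints the resulting privilege list for review. It assumes an existing Connect-VIServer session; the privilege IDs in the table are the ones I believe correspond to the UI labels in the list above and should be verified on your own vCenter with Get-VIPrivilege before use. The role name is a placeholder.

```powershell
# Added example (not from the original article): build a least-privilege vCenter role for the
# vRealize Operations Python Actions adapter with VMware PowerCLI.
# Assumptions: PowerCLI is installed, Connect-VIServer has already been run, and the privilege
# IDs below match the UI labels listed in the article. Verify each one with:
#   Get-VIPrivilege -Id <id>

# UI label from the article  ->  privilege ID(s) (assumed mapping; verify with Get-VIPrivilege)
$ActionPrivileges = @{
    'Power Off VM'                   = @('VirtualMachine.Interact.PowerOff')
    'Power On VM'                    = @('VirtualMachine.Interact.PowerOn')
    'Set CPU Count for VM'           = @('VirtualMachine.Config.CPUCount')
    'Set Memory for VM'              = @('VirtualMachine.Config.Memory')
    'Set CPU Resources for VM'       = @('VirtualMachine.Config.Resource')
    'Set CPU Count & Memory for VM'  = @('VirtualMachine.Config.CPUCount', 'VirtualMachine.Config.Memory')
    'Delete Unused Snapshots for VM' = @('VirtualMachine.State.RemoveSnapshot')
    'Shutdown Guest OS for VM'       = @('VirtualMachine.Interact.PowerOff')
}

# Privileges the article says reconfiguration actions need in addition, only if those
# actions are allowed to power the VM off or take a snapshot first.
$PowerOffBeforeChange = 'VirtualMachine.Interact.PowerOff'
$SnapshotBeforeChange = 'VirtualMachine.State.CreateSnapshot'

function New-VropsActionRole {
    param(
        [Parameter(Mandatory)] [string]   $RoleName,
        [Parameter(Mandatory)] [string[]] $Actions,   # keys of $ActionPrivileges
        [switch] $AllowPowerOffForChanges,
        [switch] $AllowSnapshotForChanges
    )

    # Collect the privilege IDs for the requested actions; reject unknown labels loudly
    # instead of silently creating a role that cannot run the action.
    $ids = @(foreach ($action in $Actions) {
        if (-not $ActionPrivileges.ContainsKey($action)) { throw "Unknown action '$action'" }
        $ActionPrivileges[$action]
    })
    if ($AllowPowerOffForChanges) { $ids += $PowerOffBeforeChange }
    if ($AllowSnapshotForChanges) { $ids += $SnapshotBeforeChange }
    $ids = $ids | Sort-Object -Unique

    # Resolve IDs to privilege objects; a mistyped ID fails here rather than yielding a weaker role.
    $privileges = Get-VIPrivilege -Id $ids -ErrorAction Stop
    New-VIRole -Name $RoleName -Privilege $privileges
}

# The article's first example: a role that may only power VMs on and off.
$role = New-VropsActionRole -RoleName 'vROps-Actions-PowerOnly' -Actions 'Power On VM', 'Power Off VM'

# Review step: list exactly what the new role can do, so nothing unintended slipped in.
(Get-VIRole -Name $role.Name).PrivilegeList | Sort-Object
```

System.Anonymous, System.View and System.Read are added to every role by vCenter itself, so they will appear in the PrivilegeList output even though the script never requests them; anything else listed that is not in the action table is a sign the role is broader than intended.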
vRealize LogInsight 3.0
vRealize LogInsight has a simpler permission structure. For the vCenter connection itself, read-only permissions are sufficient. However, to configure logging on the related ESXi hosts (adding a new syslog destination), two additional permissions are required.
Note: Make sure that the access permissions are configured on the top-level folder of vCenter and that "propagate to children" is enabled.
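As an added example (not part of the original article), the PowerCLI script below assigns a service account to a role on the top-level vCenter folder with "propagate to children" enabled, in the idempotent way an admin would want for a collector or LogInsight account, and then audits the inventory for permissions that were created without propagation, which is the usual cause of an integration that works for some objects but not others. It assumes an existing Connect-VIServer session; the account name is a placeholder, and 'ReadOnly' is the name under which I expect PowerCLI to expose the built-in Read-only role (check with Get-VIRole).

```powershell
# Added example (not from the original article): assign a service account at the top-level
# vCenter folder with propagation enabled, then audit for non-propagating permissions.
# Assumptions: Connect-VIServer has already been run; the principal below is a placeholder.

function Set-ServiceAccountPermission {
    param(
        [Parameter(Mandatory)] [string] $Principal,   # e.g. 'VSPHERE.LOCAL\svc-loginsight' (placeholder)
        [Parameter(Mandatory)] [string] $RoleName     # e.g. 'ReadOnly' or a custom role
    )
    # Get-Folder -NoRecursion returns the root ("Datacenters") folder of the inventory.
    $root = Get-Folder -NoRecursion
    $role = Get-VIRole -Name $RoleName -ErrorAction Stop

    # Idempotent: update an existing assignment instead of creating a duplicate entry.
    $existing = Get-VIPermission -Entity $root -Principal $Principal -ErrorAction SilentlyContinue
    if ($existing) {
        Set-VIPermission -Permission $existing -Role $role -Propagate:$true
    } else {
        New-VIPermission -Entity $root -Principal $Principal -Role $role -Propagate:$true
    }
}

function Get-NonPropagatingPermission {
    # Permissions with Propagate turned off apply only to the entity they were set on.
    # For service accounts this is usually a misconfiguration worth reviewing.
    Get-VIPermission |
        Where-Object { -not $_.Propagate } |
        Select-Object Principal, Role, @{ Name = 'Entity'; Expression = { $_.Entity.Name } }, Propagate
}

# Usage: read-only access for a LogInsight service account (placeholder principal), then audit.
Set-ServiceAccountPermission -Principal 'VSPHERE.LOCAL\svc-loginsight' -RoleName 'ReadOnly'
Get-NonPropagatingPermission
```

Running the audit function before making changes is a quick way to find existing vROps or LogInsight accounts whose permission was set on a datacenter or cluster without propagation, which explains "object not found" style errors for hosts and VMs below that level.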