To configure your vCenter Adapter instance in VMware Aria Operations, you need sufficient privileges to monitor and collect data and to perform vCenter Server actions. You can configure these permissions as a single role in vCenter Server to be used by a single service account or configure them as two independent roles for two separate service accounts.

The vCenter Adapter instance monitors and collects data from vCenter Server and the vCenter Action adapter performs some actions in vCenter Server. So, for monitoring or collecting vCenter Server inventory and their metrics and properties, the vCenter Adapter instance needs credentials with the following privileges activated in vCenter Server.
Note: The vCenter Server System Roles is created as a Read Only role with three system-defined privileges:: System.Anonymous, System.View, and System.Read. See, Using Roles to Assign Privileges.
Table 1. Privileges for Configuring a vCenter Adapter: Monitoring and Data Collection
Task Privilege

Property Collection

System > Anonymous
Note: This privilege is added automatically when you create a user account. However, this privilege is not visible in vSphere.

Objects Discovery

Events Collection

Profile-Driven Storage > View

Storage views > View

Profile-Driven Storage > Profile-Driven Storage View

Datastore > Browse Datastore

System > View
Note: This privilege is added automatically when you create a user account. However, this privilege is not visible in vSphere.
Performance Metrics Collection

Performance > Modify intervals

System > Read
Note: This privilege is added automatically when you create a user account. However, this privilege is not visible in vSphere.
Service Discovery

For credential-based service discovery

Virtual Machine > Guest Operations > Guest Operation alias modification

Virtual Machine > Guest Operations > Guest Operation alias query

Virtual Machine > Guest Operations > Guest Operation modifications

Virtual Machine > Guest Operations > Guest Operation program execution

Virtual Machine > Guest Operations > Guest Operation queries

For credential-less service discovery

Virtual machine > Service configuration > Manage service configurations

Virtual machine > Service configuration > Modify service configuration

Virtual machine > Service configuration > Query service configurations

Virtual machine > Service configuration > Read service configuration

VC Plugin

Extension > Register extension

Extension > Unregister extension

Extension > Update extension

Orphaned Disk

Datastore > Browse datastore

Authentication on VMware Aria Operations using VC User and apply actions

privilege.Global.com.vmware.label > VMware Aria Operations Read Only Role

privilege.Global.com.vmware.label > VMware Aria Operations Power User Role

Optimize Container

Schedule Optimize Container

Automate Optimize Container

  • AutoDeploy -> Rule -> Create
  • AutoDeploy -> Rule -> Delete
  • AutoDeploy -> Rule -> Edit
  • AutoDeploy -> RuleSet -> Activate
  • AutoDeploy -> RuleSet -> Edit
  • Datastore -> Allocate Space
  • Global -> Global tag
  • Global -> System tag
  • Host -> Inventory -> Manage Cluster Lifecyle
  • Host -> Inventory -> Modify cluster
  • Resource -> Assign virtual machine to resource pool
  • Resource -> Migrate powered off virtual machine
  • Resource -> Migrate powered on virtual machine
  • Resource -> Query vMotion
  • Storage views -> Configure service
  • Storage views -> View
  • Virtual machine -> Edit Inventory > Move
Privilege required for vCenter version 7.x:
  • Profile-driven storage -> Profile-driven storage update
  • Profile-driven storage -> Profile-driven storage view
Privilege required for vCenter version 8.x :
  • VM storage policies -> Apply VM storage policies
  • VM storage policies -> Update VM storage policies
  • VM storage policies -> VM storage policies edit permissions
  • VM storage policies -> VM storage policies view permissions
  • VM storage policies -> View VM storage policies
Provide data to vSphere Predictive DRS

External stats provider > Update

External stats provider > Register

External stats provider > Unregister

vSphere Stats Privileges > Collect Stats Data

vSphere Stats Privileges > Modify Stats Configuration

vSphere Stats Privileges > Query Stats Data

Tag Collection

Global > Global tag

Global > Global health

Global > Manage custom attributes
Note: This privilege is required only if the tags are associated with custom attributes.

Global > System tag

Global > Set custom attribute

Monitoring and collecting data from vSphere with Tanzu Administrator
Note: Users with Non-Administrator or custom role must be added to the ServiceProviderUser group. Administrator > Single Sign On > Users and Groups > Groups.

The ServiceProviderUsers is a group in the vCenter Server Single Sign-On Domain. Members of this group can manage the vSphere with Tanzu and VMware Cloud on AWS infrastructure.
Add License to vCenter Global. Licenses
Table 2. Privileges for Configuring a vCenter Adapter: Performing vCenter Server Actions
Task Privilege
Set CPU Count for VM Virtual Machine > Configuration > Change CPU Count
Set CPU Resources for VM Virtual Machine > Configuration > Change Resource
Set Memory for VM Virtual Machine > Configuration > Change Memory
Set Memory Resources for VM Virtual Machine > Configuration > Change Resource
Delete Idle VM Virtual machine > Edit Inventory > Remove
Delete Powered Off VM Virtual machine > Edit Inventory > Remove
Create Snapshot for VM Virtual Machine > Snapshot Management > Create Snapshot
Delete Unused Snapshots for Datastore Virtual Machine > Snapshot Management > Remove Snapshot
Delete Unused Snapshot for VM Virtual Machine > Snapshot Management > Remove Snapshot
Power Off VM Virtual Machine > Interaction > Power Off
Power On VM Virtual Machine > Interaction > Power On
Shut Down Guest OS for VM Virtual Machine > Interaction > Power Off
Move VM
  • Resource > Assign Virtual Machine to Resource Pool
  • Resource > Migrate Powered Off Virtual Machine
  • Resource > Migrate Powered On Virtual Machine
  • Datastore > Allocate Space
  • Virtual machine -> Edit Inventory > Move
Note: Combining these four permissions allows the service account to perform Storage vMotion and regular vMotion of an object therefore allowing VMware Aria Operations to perform the given operations.
Set DRS Automation Host > Inventory > Modify Cluster
Provide data to vSphere Predictive DRS

External stats provider > Update

External stats provider > Register

External stats provider > Unregister

Reboot Guest OS for VM

Virtual machine > Interaction > Reset

For more information about tasks and privileges, see Required Privileges for Common Tasks in the vSphere Virtual Machine Administration Guide and Defined Privileges in the vSphere Security Guide.