This topic describes the minimum privileges required by the vSphere BOSH CPI.

Overview of vSphere service account requirements

A vSphere admin must grant minimum privileges to the vSphere service account that VMware Tanzu Operations Manager uses to manage vSphere resources.

The Tanzu Operations Manager account needs privileges at both the vCenter server level and the Datacenter level.

The recommended permissions in this topic are configured using the API. UI permissions are not included because they vary between vSphere versions. API permissions are consistent across vSphere versions.

For more information about how permission levels and inheritance work in vSphere, see Hierarchical inheritance of permissions in the VMware documentation.

For more information about vSphere permissions, see vSphere permissions and user management tasks in the VMware documentation.

vCenter-level privileges

Tanzu Operations Manager assigns custom attributes to the virtual machines (VMs) it deploys to identify BOSH releases and job index information about each VM. The vCenter APIs require vCenter Server-level access to manage these custom attributes.

The following table summarizes the privileges that a Tanzu Operations Manager account requires at the vCenter Server instance level. Some of these privileges are inherited, and others must be granted by a vCenter admin:

Object                  Privilege (API)
Role                    System.Anonymous
                        System.Read
                        System.View
Global                  Global.ManageCustomFields
                        Global.SetCustomField
                        Extension.Register
Profile-Driven Storage  StorageProfile.Update
                        StorageProfile.View

Datacenter-level privileges

The following privileges must be set at the datacenter level:

Object       Privilege (API)
Datastore    Datastore.FileManagement
Network      Network.Assign

Folder and datastore-level privileges

You must grant the following privileges on any entities in a datacenter where you will deploy Tanzu Operations Manager:

Datastore object

Privilege (API)
Datastore.AllocateSpace
Datastore.Browse
Datastore.DeleteFile
Datastore.FileManagement

Folder object

Tanzu Operations Manager creates a folder for VMs, stemcells, and persistent disks during installation. The folder contents change frequently as Tanzu Operations Manager applies changes.

Privilege (API)
Folder.Create
Folder.Delete
Folder.Move
Folder.Rename

Host object

Privilege (API)
Host.Inventory.EditCluster
Host.Configuration.SystemManagement (Required if using a vSAN with encryption enabled)

Inventory service object

Privilege (API)
InventoryService.Tagging.CreateTag
InventoryService.Tagging.EditTag
InventoryService.Tagging.DeleteTag

Resource object

When using vAppImport to clone a VM, BOSH requires the resource migration privileges to create a new, powered-off VM based on a given stemcell. BOSH migrates the VM to the destination datastore, where Tanzu Operations Manager deploys the VM and powers it on.

Privilege (API)
Resource.AssignVMToPool
Resource.ColdMigrate
Resource.HotMigrate

Profile-driven storage object

Privilege (API)
StorageProfile.Update
StorageProfile.View

Virtual Machine object

The Virtual Machine privileges are grouped into the following categories, each with its own table:

  • Configuration
  • Guest Operations
  • Interaction
  • Inventory
  • Provisioning
  • Snapshot Management

Configuration

Privilege (API)
VirtualMachine.Config.AddExistingDisk
VirtualMachine.Config.AddNewDisk
VirtualMachine.Config.AddRemoveDevice
VirtualMachine.Config.AdvancedConfig
VirtualMachine.Config.CPUCount
VirtualMachine.Config.Resource
VirtualMachine.Config.ManagedBy
VirtualMachine.Config.ChangeTracking
VirtualMachine.Config.DiskLease
VirtualMachine.Config.MksControl
VirtualMachine.Config.DiskExtend
VirtualMachine.Config.Memory
VirtualMachine.Config.EditDevice
VirtualMachine.Config.RawDevice
VirtualMachine.Config.ReloadFromPath
VirtualMachine.Config.RemoveDisk
VirtualMachine.Config.Rename
VirtualMachine.Config.ResetGuestInfo
VirtualMachine.Config.Annotation
VirtualMachine.Config.Settings
VirtualMachine.Config.SwapPlacement
VirtualMachine.Config.UpgradeVirtualHardware

Guest operations

Privilege (API)
VirtualMachine.GuestOperations.Execute
VirtualMachine.GuestOperations.Modify
VirtualMachine.GuestOperations.Query

Interaction

Privilege (API)
VirtualMachine.Interact.AnswerQuestion
VirtualMachine.Interact.SetCDMedia
VirtualMachine.Interact.ConsoleInteract
VirtualMachine.Interact.DefragmentAllDisks
VirtualMachine.Interact.DeviceConnection
VirtualMachine.Interact.GuestControl
VirtualMachine.Interact.PowerOff
VirtualMachine.Interact.PowerOn
VirtualMachine.Interact.Reset
VirtualMachine.Interact.Suspend
VirtualMachine.Interact.ToolsInstall

Inventory

Privilege (API)
VirtualMachine.Inventory.CreateFromExisting
VirtualMachine.Inventory.Create
VirtualMachine.Inventory.Move
VirtualMachine.Inventory.Register
VirtualMachine.Inventory.Delete
VirtualMachine.Inventory.Unregister

Provisioning

When cloning a stemcell, BOSH sets custom specifications, such as hostnames and network configurations, based on the stemcell operating system.

The VM download privilege allows BOSH to modify files within a VM, including links between VMs and persistent disks. When vMotion migrates disks in vSphere, BOSH uses these links to maintain the connections between VMs and their persistent disks.

Privilege (API)
VirtualMachine.Provisioning.DiskRandomAccess
VirtualMachine.Provisioning.DiskRandomRead
VirtualMachine.Provisioning.GetVmFiles
VirtualMachine.Provisioning.PutVmFiles
VirtualMachine.Provisioning.CloneTemplate
VirtualMachine.Provisioning.Clone
VirtualMachine.Provisioning.Customize
VirtualMachine.Provisioning.DeployTemplate
VirtualMachine.Provisioning.MarkAsTemplate
VirtualMachine.Provisioning.MarkAsVM
VirtualMachine.Provisioning.ModifyCustSpecs
VirtualMachine.Provisioning.PromoteDisks
VirtualMachine.Provisioning.ReadCustSpecs

Snapshot management

Before Tanzu Operations Manager deploys a new VM, it uses a snapshot to clone the stemcell image to the destination.

Privilege (API)
VirtualMachine.State.CreateSnapshot
VirtualMachine.State.RemoveSnapshot
VirtualMachine.State.RenameSnapshot
VirtualMachine.State.RevertToSnapshot

vApp object

These privileges must be set at the resource pool level. VApp.ApplicationConfig is required when attaching or detaching persistent disks.

Privilege (API)
VApp.Import
VApp.ApplicationConfig
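As an added check (example code written for this page, not part of the BOSH CPI or Tanzu Operations Manager), the following script compares a role's privilege list with the minimum sets from the vCenter, Datacenter, Datastore, Host and vApp tables above, treating the vSAN-encryption privilege as conditional. The sample role is constructed, and the assumption that `govc role.ls ROLE` prints one privilege ID per line is mine; the remaining tables can be added to REQUIRED in the same shape.

```python
"""Check a vSphere role against the minimum privileges listed on this page.
Added example, not code from the BOSH CPI or Tanzu Operations Manager; the
role below is constructed. REQUIRED covers the vCenter, Datacenter, Datastore,
Host and vApp tables; add the remaining tables in the same shape."""

# Privilege IDs grouped by the object level where they must be granted.
REQUIRED = {
    "vCenter Server": {"System.Anonymous", "System.Read", "System.View",
                       "Global.ManageCustomFields", "Global.SetCustomField",
                       "Extension.Register", "StorageProfile.Update",
                       "StorageProfile.View"},
    "Datacenter": {"Datastore.FileManagement", "Network.Assign"},
    "Datastore": {"Datastore.AllocateSpace", "Datastore.Browse",
                  "Datastore.DeleteFile", "Datastore.FileManagement"},
    "Host": {"Host.Inventory.EditCluster"},
    "Resource pool": {"VApp.Import", "VApp.ApplicationConfig"},
}
# Only needed when vSAN encryption is enabled (see the Host table above).
VSAN_ENCRYPTION_EXTRA = {"Host": {"Host.Configuration.SystemManagement"}}


def parse_privilege_list(text):
    """Whitespace-separated privilege IDs, e.g. the output of `govc role.ls ROLE`
    (one ID per line; that output shape is an assumption of this example)."""
    return set(text.split())


def missing_privileges(granted, vsan_encryption=False):
    """Return {object level: sorted missing privilege IDs} for levels with gaps.
    A role is granted as a whole at each level, so the same granted set is
    compared with every level's requirements."""
    required = {level: set(ids) for level, ids in REQUIRED.items()}
    if vsan_encryption:
        for level, ids in VSAN_ENCRYPTION_EXTRA.items():
            required.setdefault(level, set()).update(ids)
    return {level: sorted(ids - granted)
            for level, ids in required.items() if ids - granted}


# Constructed role: lacks the custom-attribute privileges Tanzu Operations
# Manager needs to tag its VMs, and the vSAN-encryption extra.
SAMPLE_ROLE = """
System.Anonymous System.Read System.View Extension.Register
StorageProfile.Update StorageProfile.View
Datastore.FileManagement Network.Assign
Datastore.AllocateSpace Datastore.Browse Datastore.DeleteFile
Host.Inventory.EditCluster VApp.Import VApp.ApplicationConfig
"""
```

Calling `missing_privileges(parse_privilege_list(SAMPLE_ROLE), vsan_encryption=True)` reports the two Global.* privileges missing at the vCenter Server level and Host.Configuration.SystemManagement missing at the Host level.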