This topic describes the minimum privileges required by the vSphere BOSH CPI.
Overview of vSphere service account requirements
A vSphere admin must grant minimum privileges to the vSphere service account that VMware Tanzu Operations Manager uses to manage vSphere resources.
The Tanzu Operations Manager account needs privileges at both the vCenter server level and the Datacenter level.
The recommended permissions in this topic are configured using the API. UI permissions are not included because they vary between vSphere versions. API permissions are consistent across vSphere versions.
For more information about how permission levels and inheritance work in vSphere, see Hierarchical inheritance of permissions in the VMware documentation.
For more information about vSphere permissions, see vSphere permissions and user management tasks in the VMware documentation.
vCenter-level privileges
Tanzu Operations Manager assigns custom attributes to the virtual machines (VMs) it deploys to identify BOSH releases and job index information about each VM. vCenter APIs require vCenter server level access to manage these custom attributes.
The following table summarizes the privileges that a Tanzu Operations Manager account requires at the vCenter Server instance level. Some of these privileges are inherited, and others must be granted by a vCenter admin:
| Object | Privilege (API) |
|---|---|
| Role | System.Anonymous |
| System.Read | |
| System.View | |
| Global | Global.ManageCustomFields |
| Global.SetCustomField | |
| Extension.Register | |
| Profile-Driven Storage | StorageProfile.Update |
| StorageProfile.View |
Datacenter-level privileges
The following privileges must be set at the data center level:
| Object | Privilege (API) |
|---|---|
| Datastore | Datastore.FileManagement |
| Network | Network.Assign |
Folder and datastore-level privileges
You must grant the following privileges on any entities in a datacenter where you deploy Tanzu Operations Manager:
Datastore object
| Privilege (API) |
|---|
| Datastore.AllocateSpace |
| Datastore.Browse |
| Datastore.DeleteFile |
| Datastore.FileManagement |
Folder object
Tanzu Operations Manager creates a folder for VMs, stemcells, and persistent disks during installation. The folder contents change frequently as Tanzu Operations Manager applies changes.
| Privilege (API) |
|---|
| Folder.Create |
| Folder.Delete |
| Folder.Move |
| Folder.Rename |
Host object
| Privilege (API) |
|---|
| Host.Inventory.EditCluster |
| Host.Config.SystemManagement (Required if using a vSAN with encryption enabled) |
Inventory service object
| Privilege (API) |
|---|
| InventoryService.Tagging.CreateTag |
| InventoryService.Tagging.EditTag |
| InventoryService.Tagging.DeleteTag |
Resource object
When using vAppImport to clone a VM, BOSH requires the resource migration privileges to create a new, powered-off VM based on a given stemcell. BOSH migrates the VM to the destination datastore, where Tanzu Operations Manager deploys the VM and powers it on.
| Privilege (API) |
|---|
| Resource.AssignVMToPool |
| Resource.ColdMigrate |
| Resource.HotMigrate |
Profile-driven storage object
| Privilege (API) |
|---|
| StorageProfile.Update |
| StorageProfile.View |
Virtual Machine object
See the following tables, describing Virtual Machines under the following categories:
- Configuration
- Guest Operations
- Interaction
- Inventory
- Provisioning
- Snapshot Management
Configuration
| Privilege (API) |
|---|
| VirtualMachine.Config.AddExistingDisk |
| VirtualMachine.Config.AddNewDisk |
| VirtualMachine.Config.AddRemoveDevice |
| VirtualMachine.Config.AdvancedConfig |
| VirtualMachine.Config.CPUCount |
| VirtualMachine.Config.Resource |
| VirtualMachine.Config.ManagedBy |
| VirtualMachine.Config.ChangeTracking |
| VirtualMachine.Config.DiskLease |
| VirtualMachine.Config.MksControl |
| VirtualMachine.Config.DiskExtend |
| VirtualMachine.Config.Memory |
| VirtualMachine.Config.EditDevice |
| VirtualMachine.Config.RawDevice |
| VirtualMachine.Config.ReloadFromPath |
| VirtualMachine.Config.RemoveDisk |
| VirtualMachine.Config.Rename |
| VirtualMachine.Config.ResetGuestInfo |
| VirtualMachine.Config.Annotation |
| VirtualMachine.Config.Settings |
| VirtualMachine.Config.SwapPlacement |
| VirtualMachine.Config.UpgradeVirtualHardware |
Guest operations
| Privilege (API) |
|---|
| VirtualMachine.GuestOperations.Execute |
| VirtualMachine.GuestOperations.Modify |
| VirtualMachine.GuestOperations.Query |
Interaction
| Privilege (API) |
|---|
| VirtualMachine.Interact.AnswerQuestion |
| VirtualMachine.Interact.SetCDMedia |
| VirtualMachine.Interact.ConsoleInteract |
| VirtualMachine.Interact.DefragmentAllDisks |
| VirtualMachine.Interact.DeviceConnection |
| VirtualMachine.Interact.GuestControl |
| VirtualMachine.Interact.PowerOff |
| VirtualMachine.Interact.PowerOn |
| VirtualMachine.Interact.Reset |
| VirtualMachine.Interact.Suspend |
| VirtualMachine.Interact.ToolsInstall |
Inventory
| Privilege (API) |
|---|
| VirtualMachine.Inventory.CreateFromExisting |
| VirtualMachine.Inventory.Create |
| VirtualMachine.Inventory.Move |
| VirtualMachine.Inventory.Register |
| VirtualMachine.Inventory.Delete |
| VirtualMachine.Inventory.Unregister |
Provisioning
When cloning a stemcell, BOSH sets custom specifications, such as hostnames and network configurations, based on the stemcell operating system.
The VM download privilege allows BOSH to modify files within a VM, including links between VMs and persistent disks. When vMotion migrates disks in vSphere, BOSH uses these links to maintain the connections between VMs and their persistent disks.
| Privilege (API) |
|---|
| VirtualMachine.Provisioning.DiskRandomAccess |
| VirtualMachine.Provisioning.DiskRandomRead |
| VirtualMachine.Provisioning.GetVmFiles |
| VirtualMachine.Provisioning.PutVmFiles |
| VirtualMachine.Provisioning.CloneTemplate |
| VirtualMachine.Provisioning.Clone |
| VirtualMachine.Provisioning.Customize |
| VirtualMachine.Provisioning.DeployTemplate |
| VirtualMachine.Provisioning.MarkAsTemplate |
| VirtualMachine.Provisioning.MarkAsVM |
| VirtualMachine.Provisioning.ModifyCustSpecs |
| VirtualMachine.Provisioning.PromoteDisks |
| VirtualMachine.Provisioning.ReadCustSpecs |
Snapshot management
Before Tanzu Operations Manager deploys a new VM, it uses a snapshot to clone the stemcell image to the destination.
| Privilege (API) |
|---|
| VirtualMachine.State.CreateSnapshot |
| VirtualMachine.State.RemoveSnapshot |
| VirtualMachine.State.RenameSnapshot |
| VirtualMachine.State.RevertToSnapshot |
vApp object
These privileges must be set at the resource pool level. VApp.ApplicationConfig is required when attaching or detaching persistent disks.
| Privilege (API) |
|---|
| VApp.Import |
| VApp.ApplicationConfig |
