To configure your vCenter Adapter instance in vRealize Operations Cloud, you need sufficient privileges to monitor and collect data and to perform vCenter Server actions. You can configure these permissions as a single role in vCenter Server to be used by a single service account or configure them as two independent roles for two separate service accounts.
The vCenter Adapter instance monitors and collects data from vCenter Server and the vCenter Action adapter performs some actions in vCenter Server. So, for monitoring or collecting vCenter Server inventory and their metrics and properties, the vCenter Adapter instance needs credentials with the following privileges enabled in vCenter Server.
| Task | Privilege |
|---|---|
| Property Collection |
System > Anonymous
Note: When you add a custom role and do not assign any privileges to it, the role is created as a Read Only role with three system-defined privileges:
System.Anonymous,
System.View, and
System.Read. See,
Using Roles to Assign Privileges .
|
| Objects Discovery Events Collection |
Profile-Driven Storage > View Storage views > View Profile-Driven Storage > Profile-Driven Storage View Datastore > Browse Datastore
System > View
Note: This permission is provided with the Read-Only role.
|
| Performance Metrics Collection | Performance > Modify intervals
System > Read
Note: This permission is provided with the Read-Only role.
|
| Service Discovery | Virtual Machine > Guest Operations > Guest Operation alias modification Virtual Machine > Guest Operations > Guest Operation alias query Virtual Machine > Guest Operations > Guest Operation modifications Virtual Machine > Guest Operations > Guest Operation program execution Virtual Machine > Guest Operations > Guest Operation queries |
| Tag Collection | Global > Global tag Global > Global health
Global > Manage custom attributes
Note: This privilege is required only if the tags are associated with custom attributes.
Global > System tag Global > Set custom attribute |
| Monitor the Namespace Resource Pool or objects in the Resource Pool. | The account for the adapter instance also needs to be a member of Administrators@vsphere.local on the vCenter Server. |
| Task | Privilege |
|---|---|
| Set CPU Count for VM | Virtual Machine > Configuration > Change CPU Count |
| Set CPU Resources for VM | Virtual Machine > Configuration > Change Resource |
| Set Memory for VM | Virtual Machine > Configuration > Change Memory |
| Set Memory Resources for VM | Virtual Machine > Configuration > Change Resource |
| Delete Idle VM | Virtual machine > Edit Inventory > Remove |
| Delete Powered Off VM | Virtual machine > Edit Inventory > Remove |
| Create Snapshot for VM | Virtual Machine > Snapshot Management > Create Snapshot |
| Delete Unused Snapshots for Datastore | Virtual Machine > Snapshot Management > Remove Snapshot |
| Delete Unused Snapshot for VM | Virtual Machine > Snapshot Management > Remove Snapshot |
| Power Off VM | Virtual Machine > Interaction > Power Off |
| Power On VM | Virtual Machine > Interaction > Power On |
| Shut Down Guest OS for VM | Virtual Machine > Interaction > Power Off |
| Move VM |
Note: Combining these four permissions allows the service account to perform Storage vMotion and regular vMotion of an object therefore allowing
vRealize Operations Cloud to perform the given operations.
|
| Optimize Container |
|
| Schedule Optimize Container |
|
| Set DRS Automation | Host > Inventory > Modify Cluster |
| Provide data to vSphere Predictive DRS | External stats provider > Update External stats provider > Register External stats provider > Unregister |
For more information about tasks and privileges, see Required Privileges for Common Tasks in the vSphere Virtual Machine Administration Guide and Defined Privileges in the vSphere Security Guide.
