VMware recommends that you apply the principle of least privilege to any agent-like software or automated application that uses the credential store in a production environment. Give user accounts the minimal number of privileges on the system that they require to do their jobs.

Specify roles and users as follows:

Procedure

  1. For each SDK-based application, use one specific role, newly created or predefined, that has appropriate privileges.

    For example, if you are developing an agent-like application to automatically start the VMware Consolidated Backup utility, you might use the “VMware Consolidated Backup Utility” role (roleID 7).

    If no predefined role meets the needs of your application, create a role with only the privileges that the application needs. See Using Roles to Consolidate Sets of Privileges for more information about roles.

  2. Create a user account for use with the agent or application.
  3. Apply the role created in Step 1 to the user account created in Step 2.
  4. Store the user account and password in the credential store, using the CredentialStoreAdministration tool.

    Never grant administrator privileges to a user account associated with an automated script or software agent, especially one that uses the credential store.
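The role decision in Step 1 and the administrator check above can be automated before credentials are stored. The following is an added example, not VMware sample code: it picks the non-administrator role that covers an agent's required privileges with the least excess and audits a role binding. The role inventory, the role IDs other than roleID 7, and all privilege sets are constructed assumptions.

```python
from typing import FrozenSet, Iterable, List, NamedTuple, Optional, Tuple

class Role(NamedTuple):
    role_id: int
    name: str
    privileges: FrozenSet[str]
    is_admin: bool = False

# Constructed sample inventory, not an export from a real server. Only the
# "VMware Consolidated Backup Utility" name and roleID 7 come from the text;
# the other IDs and every privilege set are assumptions for illustration.
BACKUP_PRIVS = frozenset({
    "VirtualMachine.State.CreateSnapshot", "VirtualMachine.State.RemoveSnapshot",
    "VirtualMachine.Config.DiskLease", "VirtualMachine.Provisioning.GetVmFiles",
})
POWER_ON = "VirtualMachine.Interact.PowerOn"
ROLES = [
    Role(1, "Administrator", BACKUP_PRIVS | {POWER_ON, "Host.Config.Settings"}, is_admin=True),
    Role(2, "Read-Only", frozenset({"System.View", "System.Read"})),
    Role(7, "VMware Consolidated Backup Utility", BACKUP_PRIVS),
    Role(9, "Backup Plus Power", BACKUP_PRIVS | {POWER_ON}),
]

def select_role(required: Iterable[str], roles: List[Role]) -> Tuple[Optional[Role], FrozenSet[str]]:
    """Step 1: pick the non-admin role covering `required` with the fewest
    extra privileges. Returns (role, excess), or (None, required) when a
    custom role holding exactly `required` has to be created instead."""
    need = frozenset(required)
    fits = [r for r in roles if not r.is_admin and need <= r.privileges]
    if not fits:
        return None, need
    best = min(fits, key=lambda r: (len(r.privileges - need), r.role_id))
    return best, best.privileges - need

def audit_binding(role: Role, required: Iterable[str]) -> List[str]:
    """Steps 3-4: findings to clear before the account goes into the credential store."""
    need = frozenset(required)
    findings = []
    if role.is_admin:
        findings.append("administrator role on an automated account")
    if need - role.privileges:
        findings.append("missing: " + ", ".join(sorted(need - role.privileges)))
    if role.privileges - need:
        findings.append("excess: " + ", ".join(sorted(role.privileges - need)))
    return findings
```

An empty list from `audit_binding` means the role matches the agent's needs exactly; any "excess" finding is a reason to create a narrower custom role.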