Before you start working in Cloud Assembly as a cloud administrator, you must gather information about your public and private cloud accounts. Use this checklist to help you begin adding your cloud resources.

Required overall credentials

To... You need...

Sign up for and log in to Cloud Assembly

A VMware ID.

  • Set up a My VMware account by using your corporate email address at VMware Customer Connect.

Connect to vRealize Automation services

HTTPS port 443 open to outgoing traffic with access through the firewall to:
  • *.vmwareidentity.com
  • gaz.csp-vidm-prod.com
  • *.vmware.com

For more information about ports and protocols, see VMware Ports and Protocols.

For more information about ports and protocols, see Port Requirements in the Reference Architecture help.

vCenter cloud account credentials

This section describes the credentials that are required to add a vCenter cloud account.

Privileges are required for the vSphere agent to manage the vCenter Server instance. Provide an account with the following read and write privileges:
  • vCenter IP address or FQDN

The permissions needed to manage VMware Cloud on AWS and vCenter cloud accounts are listed. Permissions must be enabled for all clusters in the vCenter, not just clusters that host endpoints.

To support control of VMware's Virtual Trusted Platform Module (vTPM) when deploying Windows 11 VMs, you must have the cryptographic operations -> direct access privilege in vCenter. Without this privilege, console access from vRealize Automation to Windows 11 VMs is not possible. For related information, see Virtual Trusted Platform Module Overview.

For all vCenter-based cloud accounts - including NSX-V, NSX-T, vCenter, and VMware Cloud on AWS - the administrator must have vSphere endpoint credentials, or the credentials under which the agent service runs in vCenter, that provide administrative access to the host vCenter.

For more information about vSphere agent requirements, see VMware vSphere product documentation.
Setting Selection
Datastore
  • Allocate space
  • Browse datastore
  • Low level file operations
Datastore Cluster
  • Configure a datastore cluster
Folder
  • Create folder
  • Delete folder
Global
  • Manage custom attributes
  • Set custom attribute
Network
  • Assign network
Permissions
  • Modify permission
Resource
  • Assign VM to Res Pool
  • Migrate powered off virtual machine
  • Migrate powered on virtual machine
Profile-driven storage
  • Profile-driven storage view

    To return a list of storage policies that can be mapped to a storage profile, grant the StorageProfile.View privilege to all accounts that connect vRealize Automation to vCenter.

Content Library

To assign a privilege on a content library, an administrator must grant the privilege to the user as a global privilege. For related information, see Hierarchical Inheritance of Permissions for Content Libraries in vSphere Virtual Machine Administration at VMware vSphere Documentation.

  • Add library item
  • Create local library
  • Create subscribed library
  • Delete library item
  • Delete local library
  • Delete subscribed library
  • Download files
  • Evict library item
  • Probe subscription information
  • Read storage
  • Sync library item
  • Sync subscribed library
  • Type introspection
  • Update configuration settings
  • Update files
  • Update library
  • Update library item
  • Update local library
  • Update subscribed library
  • View configuration settings
vSphere Tagging
  • Assign or unassign vSphere tag
  • Assign or unassign vSphere tag on object
  • Create a vSphere tag
  • Create a vSphere tag category
  • Delete vSphere tag
  • Delete vSphere tag category
  • Edit vSphere tag
  • Edit vSphere tag category
  • Modify UsedBy field or category
  • Modify UsedBy field for tag
vApp
  • Import
  • vApp application configuration

    The vApp.Import application configuration is required for OVF templates and to provision VMs from the content library.

    The vApp.vApp application configuration is required when using cloud-init for cloud configuration scripting. This setting allows for modification of a vApp's internal structure, such as its product information and properties.

Virtual Machine - Inventory
  • Create from existing
  • Create new
  • Move
  • Remove
Virtual Machine - Interaction
  • Configure CD media
  • Console interaction
  • Device connection
  • Power off
  • Power on
  • Reset
  • Suspend
  • Tools install
Virtual Machine - Configuration
  • Add existing disk
  • Add new
  • Remove disk
  • Add or remove device
  • Advanced
  • Change CPU count
  • Change resource
  • Extend virtual disk
  • Disk change tracking
  • Memory
  • Modify device settings
  • Rename
  • Set annotation
  • Settings
  • Swapfile placement
Virtual Machine - Provisioning
  • Customize
  • Clone template
  • Clone virtual machine
  • Deploy template
  • Read customization specs
Virtual Machine - State
  • Create snapshot
  • Remove snapshot
  • Revert to snapshot

Amazon Web Services (AWS) cloud account credentials

This section describes the credentials that are required to add a Amazon Web Services cloud account. See the above vCenter cloud account credentials section for addition credential requirements.

Provide a power user account with read and write privileges. The user account must be a member of the power access policy (PowerUserAccess) in the AWS Identity and Access Management (IAM) system.

Enable the 20-digit Access Key ID and corresponding Secret Access Key access.

If you are using an external HTTP Internet proxy, it must be configured for IPv4.

vRealize Automation actions-based extensibility (ABX) and external IPAM integration may require additional permissions.
Setting Selection
Autoscaling actions

The following AWS permissions are suggested to allow autoscaling functions:

  • autoscaling:DescribeAutoScalingInstances
  • autoscaling:AttachInstances
  • autoscaling:DeleteLaunchConfiguration
  • autoscaling:DescribeAutoScalingGroups
  • autoscaling:CreateAutoScalingGroup
  • autoscaling:UpdateAutoScalingGroup
  • autoscaling:DeleteAutoScalingGroup
  • autoscaling:DescribeLoadBalancers
Autoscaling resources

The following permissions are required to allow autoscaling resource permissions:

  • *

    Provide all autoscaling resource permissions.

AWS Security Token Service (AWS STS) resources

The following permissions are required to allow AWS Security Token Service (AWS STS) functions to support temporary, limited-privilege credentials for AWS identity and access:

  • *

    Provide all STS resource permissions.

EC2 actions

The following AWS permissions are required to allow EC2 functions:

  • ec2:AttachVolume
  • ec2:AuthorizeSecurityGroupIngress
  • ec2:DeleteSubnet
  • ec2:DeleteSnapshot
  • ec2:DescribeInstances
  • ec2:DeleteTags
  • ec2:DescribeRegions
  • ec2:DescribeVolumesModifications
  • ec2:CreateVpc
  • ec2:DescribeSnapshots
  • ec2:DescribeInternetGateways
  • ec2:DeleteVolume
  • ec2:DescribeNetworkInterfaces
  • ec2:StartInstances
  • ec2:DescribeAvailabilityZones
  • ec2:CreateInternetGateway
  • ec2:CreateSecurityGroup
  • ec2:DescribeVolumes
  • ec2:CreateSnapshot
  • ec2:ModifyInstanceAttribute
  • ec2:DescribeRouteTables
  • ec2:DescribeInstanceTypes
  • ec2:DescribeInstanceTypeOfferings
  • ec2:DescribeInstanceStatus
  • ec2:DetachVolume
  • ec2:RebootInstances
  • ec2:AuthorizeSecurityGroupEgress
  • ec2:ModifyVolume
  • ec2:TerminateInstances
  • ec2:DescribeSpotFleetRequestHistory
  • ec2:DescribeTags
  • ec2:CreateTags
  • ec2:RunInstances
  • ec2:DescribeNatGateways
  • ec2:StopInstances
  • ec2:DescribeSecurityGroups
  • ec2:CreateVolume
  • ec2:DescribeSpotFleetRequests
  • ec2:DescribeImages
  • ec2:DescribeVpcs
  • ec2:DeleteSecurityGroup
  • ec2:DeleteVpc
  • ec2:CreateSubnet
  • ec2:DescribeSubnets
  • ec2:RequestSpotFleet
    Note: The SpotFleet request permission is not required for vRealize Automation actions-based extensibility (ABX) or external IPAM integrations.
EC2 resources
  • *

    Provide all EC2 resource permissions.

Elastic load balancing - load balancer actions
  • elasticloadbalancing:DeleteLoadBalancer
  • elasticloadbalancing:DescribeLoadBalancers
  • elasticloadbalancing:RemoveTags
  • elasticloadbalancing:CreateLoadBalancer
  • elasticloadbalancing:DescribeTags
  • elasticloadbalancing:ConfigureHealthCheck
  • elasticloadbalancing:AddTags
  • elasticloadbalancing:CreateTargetGroup
  • elasticloadbalancing:DeleteLoadBalancerListeners
  • elasticloadbalancing:DeregisterInstancesFromLoadBalancer
  • elasticloadbalancing:RegisterInstancesWithLoadBalancer
  • elasticloadbalancing:CreateLoadBalancerListeners
Elastic load balancing - load balancer resources
  • *

    Provide all load balancer resource permissions.

AWS Identity and Access Management (IAM)
The following AWS Identity and Access Management (IAM) permissions can be enabled, however they are not required:
  • iam:SimulateCustomPolicy
  • iam:GetUser
  • iam:ListUserPolicies
  • iam:GetUserPolicy
  • iam:ListAttachedUserPolicies
  • iam:GetPolicyVersion
  • iam:ListGroupsForUser
  • iam:ListGroupPolicies
  • iam:GetGroupPolicy
  • iam:ListAttachedGroupPolicies
  • iam:ListPolicyVersions

Microsoft Azure cloud account credentials

This section describes the credentials that are required to add a Microsoft Azure cloud account.

Configure a Microsoft Azure instance and obtain a valid Microsoft Azure subscription from which you can use the subscription ID.

Create an Active Directory application as described in How to: Use the portal to create an Azure AD application and service principal that can access resources in Microsoft Azure product documentation.

If you are using an external HTTP Internet proxy, it must be configured for IPv4.

  • General settings
    The following overall settings are required.
    Setting Description
    Subscription ID Allows you to access to your Microsoft Azure subscriptions.
    Tenant ID The authorization endpoint for the Active Directory applications you create in your Microsoft Azure account.
    Client application ID Provides access to Microsoft Active Directory in your Microsoft Azure individual account.
    Client application secret key The unique secret key generated to pair with your client application ID.
  • Settings for creating and validating cloud accounts
    The following permissions are needed for creating and validating Microsoft Azure cloud accounts.
    Setting Selection
    Microsoft Compute
    • Microsoft.Compute/virtualMachines/extensions/write
    • Microsoft.Compute/virtualMachines/extensions/read
    • Microsoft.Compute/virtualMachines/extensions/delete
    • Microsoft.Compute/virtualMachines/deallocate/action
    • Microsoft.Compute/virtualMachines/delete
    • Microsoft.Compute/virtualMachines/powerOff/action
    • Microsoft.Compute/virtualMachines/read
    • Microsoft.Compute/virtualMachines/restart/action
    • Microsoft.Compute/virtualMachines/start/action
    • Microsoft.Compute/virtualMachines/write
    • Microsoft.Compute/availabilitySets/write
    • Microsoft.Compute/availabilitySets/read
    • Microsoft.Compute/availabilitySets/delete
    • Microsoft.Compute/disks/delete
    • Microsoft.Compute/disks/read
    • Microsoft.Compute/disks/write
    Microsoft Network
    • Microsoft.Network/loadBalancers/backendAddressPools/join/action
    • Microsoft.Network/loadBalancers/delete
    • Microsoft.Network/loadBalancers/read
    • Microsoft.Network/loadBalancers/write
    • Microsoft.Network/networkInterfaces/join/action
    • Microsoft.Network/networkInterfaces/read
    • Microsoft.Network/networkInterfaces/write
    • Microsoft.Network/networkInterfaces/delete
    • Microsoft.Network/networkSecurityGroups/join/action
    • Microsoft.Network/networkSecurityGroups/read
    • Microsoft.Network/networkSecurityGroups/write
    • Microsoft.Network/networkSecurityGroups/delete
    • Microsoft.Network/publicIPAddresses/delete
    • Microsoft.Network/publicIPAddresses/join/action
    • Microsoft.Network/publicIPAddresses/read
    • Microsoft.Network/publicIPAddresses/write
    • Microsoft.Network/virtualNetworks/read
    • Microsoft.Network/virtualNetworks/subnets/delete
    • Microsoft.Network/virtualNetworks/subnets/join/action
    • Microsoft.Network/virtualNetworks/subnets/read
    • Microsoft.Network/virtualNetworks/subnets/write
    • Microsoft.Network/virtualNetworks/write
    Microsoft Resources
    • Microsoft.Resources/subscriptions/resourcegroups/delete
    • Microsoft.Resources/subscriptions/resourcegroups/read
    • Microsoft.Resources/subscriptions/resourcegroups/write
    Microsoft Storage
    • Microsoft.Storage/storageAccounts/delete
    • Microsoft.Storage/storageAccounts/read
    • Microsoft.Storage/storageAccounts/write

    • Microsoft.Storage/storageAccounts/listKeys/action is not generally required, but may be needed by users to view storage accounts.

    Microsoft Web
    • Microsoft.Web/sites/read
    • Microsoft.Web/sites/write
    • Microsoft.Web/sites/delete
    • Microsoft.Web/sites/config/read
    • Microsoft.Web/sites/config/write
    • Microsoft.Web/sites/config/list/action
    • Microsoft.Web/sites/publishxml/action
    • Microsoft.Web/serverfarms/write
    • Microsoft.Web/serverfarms/delete
    • Microsoft.Web/sites/hostruntime/functions/keys/read
    • Microsoft.Web/sites/hostruntime/host/read
    • Microsoft.web/sites/functions/masterkey/read
  • Settings for action-based extensibility
    If you are using Microsoft Azure with action-based extensibility, the following permissions are required, in addition to the minimal permissions.
    Setting Selection
    Microsoft Web
    • Microsoft.Web/sites/read
    • Microsoft.Web/sites/write
    • Microsoft.Web/sites/delete
    • Microsoft.Web/sites/*/action
    • Microsoft.Web/sites/config/read
    • Microsoft.Web/sites/config/write
    • Microsoft.Web/sites/config/list/action
    • Microsoft.Web/sites/publishxml/action
    • Microsoft.Web/serverfarms/write
    • Microsoft.Web/serverfarms/delete
    • Microsoft.Web/sites/hostruntime/functions/keys/read
    • Microsoft.Web/sites/hostruntime/host/read
    • Microsoft.Web/sites/functions/masterkey/read
    • Microsoft.Web/apimanagementaccounts/apis/read
    Microsoft Authorization
    • Microsoft.Authorization/roleAssignments/read
    • Microsoft.Authorization/roleAssignments/write
    • Microsoft.Authorization/roleAssignments/delete
    Microsoft Insights
    • Microsoft.Insights/Components/Read
    • Microsoft.Insights/Components/Write
    • Microsoft.Insights/Components/Query/Read

    If the Storage account public access should be disallowed property is assigned to a resource group with effect type Deny, the auto creation of storage accounts for extensibility actions is prevented. In such a scenario, the extensibility actions cannot run if the FaaS provider is set to Auto Select. You must manually set the FaaS provider to Microsoft Azure and configure the storage account and resource group.

  • Settings for action-based extensibility with extensions
    If you are using Microsoft Azure with action-based extensibility with extensions, the following permissions are also required.
    Setting Selection
    Microsoft.Compute
    • Microsoft.Compute/virtualMachines/extensions/write
    • Microsoft.Compute/virtualMachines/extensions/read
    • Microsoft.Compute/virtualMachines/extensions/delete

For related information about creating a Microsoft Azure cloud account, see Configure Microsoft Azure.

Google Cloud Platform (GCP) cloud account credentials

This section describes the credentials that are required to add a Google Cloud Platform cloud account.

The Google Cloud Platform cloud account interacts with the Google Cloud Platform compute engine.

The Project Admin and Owner credentials are required for creating and validating Google Cloud Platform cloud accounts.

If you are using an external HTTP Internet proxy, it must be configured for IPv4.

The compute engine service must be enabled. When creating the cloud account in vRealize Automation, use the service account that was created when the compute engine was initialized.

The following compute engine permissions are also needed, depending on the actions that the user can take.
Setting Selection

roles/compute.admin

Provides full control of all compute engine resources.

roles/iam.serviceAccountUse

Provides access to users who manage virtual machine instances that are configured to run as a service account. Grant access to the following resources and services:

  • compute.*
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

roles/compute.imageUser

Provides permission to list and read images without having other permissions on the image. Granting the compute.imageUser role at the project level gives users the ability to list all images in the project. It also allows users to create resources, such as instances and persistent disks, based on images in the project.

  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.list
  • compute.images.useReadOnly
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

roles/compute.instanceAdmin

Provides permissions to create, modify, and delete virtual machine instances. This includes permissions to create, modify, and delete disks, and also to configure shielded VMBETA settings.

For users that manage virtual machine instances (but not network or security settings or instances that run as service accounts), grant this role to the organization, folder, or project that contains the instances, or to the individual instances.

Users that manage virtual machine instances that are configured to run as a service account also need the roles/iam.serviceAccountUser role.

  • compute.acceleratorTypes
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers
  • compute.diskTypes
  • compute.disks.create
  • compute.disks.createSnapshot
  • compute.disks.delete
  • compute.disks.get
  • compute.disks.list
  • compute.disks.resize
  • compute.disks.setLabels
  • compute.disks.update
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.images.get
  • compute.images.getFromFamily
  • compute.images.list
  • compute.images.useReadOnly
  • compute.instanceGroupManagers
  • compute.instanceGroups
  • compute.instanceTemplates
  • compute.instances
  • compute.licenses.get
  • compute.licenses.list
  • compute.machineTypes
  • compute.networkEndpointGroups
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions
  • compute.reservations.get
  • compute.reservations.list
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

roles/compute.instanceAdmin.v1

Provides full control of compute engine instances, instance groups, disks, snapshots, and images. Also provides read access to all compute engine networking resources.
Note: If you grant a user this role at the instance level, that user cannot create new instances.
  • compute.acceleratorTypes
  • compute.addresses.get
  • compute.addresses.list
  • compute.addresses.use
  • compute.autoscalers
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.diskTypes
  • compute.disks
  • compute.firewalls.get
  • compute.firewalls.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalAddresses.get
  • compute.globalAddresses.list
  • compute.globalAddresses.use
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.healthChecks.get
  • compute.healthChecks.list
  • compute.httpHealthChecks.get
  • compute.httpHealthChecks.list
  • compute.httpsHealthChecks.get
  • compute.httpsHealthChecks.list
  • compute.images
  • compute.instanceGroupManagers
  • compute.instanceGroups
  • compute.instanceTemplates
  • compute.instances
  • compute.interconnectAttachments.get
  • compute.interconnectAttachments.list
  • compute.interconnectLocations
  • compute.interconnects.get
  • compute.interconnects.list
  • compute.licenseCodes
  • compute.licenses
  • compute.machineTypes
  • compute.networkEndpointGroups
  • compute.networks.get
  • compute.networks.list
  • compute.networks.use
  • compute.networks.useExternalIp
  • compute.projects.get
  • compute.projects.setCommonInstanceMetadata
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionOperations.get
  • compute.regionOperations.list
  • compute.regions
  • compute.reservations.get
  • compute.reservations.list
  • compute.resourcePolicies
  • compute.routers.get
  • compute.routers.list
  • compute.routes.get
  • compute.routes.list
  • compute.snapshots
  • compute.sslCertificates.get
  • compute.sslCertificates.list
  • compute.sslPolicies.get
  • compute.sslPolicies.list
  • compute.sslPolicies.listAvailableFeatures
  • compute.subnetworks.get
  • compute.subnetworks.list
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetInstances.get
  • compute.targetInstances.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.get
  • compute.targetVpnGateways.list
  • compute.urlMaps.get
  • compute.urlMaps.list
  • compute.vpnTunnels.get
  • compute.vpnTunnels.list
  • compute.zoneOperations.get
  • compute.zoneOperations.list
  • compute.zones
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

NSX-T cloud account credentials

This section describes the credentials that are required to add an NSX-T cloud account.

Provide an account with the following read and write privileges.
  • NSX-T IP address or FQDN
  • NSX-T Data Center - Enterprise Administrator role and access credentials

The auditor role is required.

Enable the following minimum privileges based on requirements and features.
Category/Subcategory Permission
Networking - Tier-0 Gateways Read-only
Networking - Tier-0 Gateways -> OSPF None
Networking - Tier-1 Gateways Full Access
Networking - Segments Full Access
Networking - VPN None
Networking - NAT Full Access
Networking - Load Balancing Full Access
Networking - Forwarding Policy None
Networking - Statistics None
Networking - DNS None
Networking - DHCP Full Access
Networking - IP Address Pools None
Networking - Profiles Read-only
Security - Threat Detection & Response None
Security - Distributed Firewall Full Access
Security - IDS/IPS & Malware Prevention None
Security - TLS Inspection None
Security - Identity Firewall None
Security - Gateway Firewall None
Security - Service Chain Management None
Security - Firewall Time Window None
Security - Profiles None
Security - Service Profiles None
Security - Firewall Settings Full Access
Security - Gateway Security Settings None
Inventory Full Access
Troubleshooting None
System None

Administrators also require access to the vCenter as described in the vCenter cloud account credentials section of this topic.

NSX-V cloud account credentials

This section describes the credentials that are required to add an NSX-V cloud account.

Provide an account with the following read and write privileges:
  • NSX-V Enterprise Administrator role and access credentials
  • NSX-V IP address or FQDN

Administrators also require access to the vCenter as described in the Add a vCenter cloud account section of this table.

VMware Cloud Director (vCD) cloud account credentials

This section describes the credentials that are required to add a VMware Cloud Director (vCD) cloud account.

Creating a VMware Cloud Director cloud account in vRealize Automation requires that you provide account credentials for a VMware Cloud Director user with the Organization Administrator role. Specifically, the following subset of the Organization Administrator role, available in VMware Cloud Director, is needed for creating and validating VMware Cloud Director cloud accounts in vRealize Automation:
Setting Selection
Access All Organization vDCs All
Catalog
  • Add vApp from My Cloud
  • View Private and Shared Catalogs
  • View Published Catalogs
General
  • Administrator Control
  • Administrator View
Metadata File Entry Create/Modify
Organization Network
  • Edit Properties
  • View
Organization vDC Gateway
  • View
  • Edit Properties
  • View Properties
Organization vDC
  • View
  • View CPU and Memory Reservation
Organization
  • Edit Properties
  • View
Quota Policy Capabilities View
VDC Template
  • Instantiate
  • View
vApp Template / Media
  • Copy
  • Create/Upload
  • Edit
  • View
  • VAPP_VM_METADATA_TO_VCENTER
vApp Template
  • Change Owner
  • Checkout
  • Download
vApp
  • Change Owner
  • Copy
  • Create / Reconfigure
  • Delete
  • Download
  • Edit Properties
  • Edit VM CPU
  • Edit VM CPU and Memory reservation settings in all VDC types
  • Edit VM Hard Disk
  • Edit VM Memory
  • Edit VM Network
  • Edit VM Properties
  • Manage VM Password Settings
  • Power Operations
  • Sharing
  • Snapshot Operations
  • Upload
  • Use Console
  • VM Boot Options
  • View ACL
  • View VM metrics
vDC Group
  • Configure
  • Configure Logging
  • View
Creating and using a VMware Cloud Director cloud account in vRealize Automation is not supported if vRealize Automation has FIPS enabled.

vRealize Operations Manager integration credentials

This section describes the credentials that are required to integrate with vRealize Operations Manager. Note that these credentials are established and configured in vRealize Operations Manager, not in vRealize Automation.

Provide a local or non-local login account to vRealize Operations Manager with the following read privileges.

  • Adapter Instance vCenter Adapter > VC Adapter Instance for vCenter-FQDN

A non-local account might need to be imported first, before you can assign its read-only role.

NSX integration with Microsoft Azure VMware Solution (AVS) for vRealize Automation

For information about connecting NSX running on Microsoft Azure VMware Solution (AVS) to vRealize Automation, including configuring custom roles, see NSX-T Data Center cloudadmin user permissions in Microsoft product documentation.