To configure your vCenter Adapter instance in vRealize Operations, you need sufficient privileges to monitor and collect data and to perform vCenter Server actions. You can configure these permissions as a single role in vCenter Server to be used by a single service account or configure them as two independent roles for two separate service accounts.
| Task | Privilege |
|---|---|
| Property Collection |
System > Anonymous
Note: This privilege is added automatically when you create a user account. However, this privilege is not visible in
vSphere.
|
| Objects Discovery Events Collection |
Profile-Driven Storage > View Storage views > View Profile-Driven Storage > Profile-Driven Storage View Datastore > Browse Datastore
System > View
Note: This privilege is added automatically when you create a user account. However, this privilege is not visible in
vSphere.
|
| Performance Metrics Collection | Performance > Modify intervals
System > Read
Note: This privilege is added automatically when you create a user account. However, this privilege is not visible in
vSphere.
|
| Service Discovery | For credential-based service discovery Virtual Machine > Guest Operations > Guest Operation alias modificationVirtual Machine > Guest Operations > Guest Operation alias query Virtual Machine > Guest Operations > Guest Operation modifications Virtual Machine > Guest Operations > Guest Operation program execution Virtual Machine > Guest Operations > Guest Operation queries |
For credential-less service discovery Virtual machine > Service configuration > Manage service configurationsVirtual machine > Service configuration > Modify service configuration Virtual machine > Service configuration > Query service configurations Virtual machine > Service configuration > Read service configuration |
|
| VC Plugin | Extension > Register extension Extension > Unregister extension Extension > Update extension |
| Orphaned Disk | Datastore > Browse datastore |
| Authentication on vRealize Operations using VC User and apply actions | privilege.Global.com.vmware.label > vRealize Operations Read Only Role privilege.Global.com.vmware.label > vRealize Operations Power User Role |
| Reboot Guest OS for VM | Virtual machine > Interaction > Reset |
| Optimize Container | Resource > Assign Virtual Machine to Resource Pool Resource > Migrate Powered Off Virtual Machine Resource > Migrate Powered On Virtual Machine Datastore > Allocate Space Virtual machine -> Edit Inventory > Move |
| Schedule Optimize Container | Resource > Assign Virtual Machine to Resource Pool Resource > Migrate Powered Off Virtual Machine Resource > Migrate Powered On Virtual Machine Datastore > Allocate Space Virtual machine -> Edit Inventory > Move |
| Provide data to vSphere Predictive DRS | External stats provider > Update External stats provider > Register External stats provider > Unregister vSphere Stats Privileges > Collect Stats Data vSphere Stats Privileges > Modify Stats Configuration vSphere Stats Privileges > Query Stats Data |
| Tag Collection | Global > Global tag Global > Global health
Global > Manage custom attributes
Note: This privilege is required only if the tags are associated with custom attributes.
Global > System tag Global > Set custom attribute |
| Monitoring and collecting data from vSphere with Tanzu | Administrator
Note: Users with Non-Administrator or custom role must be added to the
ServiceProviderUser group.
Administrator > Single Sign On > Users and Groups > Groups.
The ServiceProviderUsers is a group in the
vCenter Server Single Sign-On Domain. Members of this group can manage the
vSphere with Tanzu and
VMware Cloud on AWS infrastructure.
|
| Task | Privilege |
|---|---|
| Set CPU Count for VM | Virtual Machine > Configuration > Change CPU Count |
| Set CPU Resources for VM | Virtual Machine > Configuration > Change Resource |
| Set Memory for VM | Virtual Machine > Configuration > Change Memory |
| Set Memory Resources for VM | Virtual Machine > Configuration > Change Resource |
| Delete Idle VM | Virtual machine > Edit Inventory > Remove |
| Delete Powered Off VM | Virtual machine > Edit Inventory > Remove |
| Create Snapshot for VM | Virtual Machine > Snapshot Management > Create Snapshot |
| Delete Unused Snapshots for Datastore | Virtual Machine > Snapshot Management > Remove Snapshot |
| Delete Unused Snapshot for VM | Virtual Machine > Snapshot Management > Remove Snapshot |
| Power Off VM | Virtual Machine > Interaction > Power Off |
| Power On VM | Virtual Machine > Interaction > Power On |
| Shut Down Guest OS for VM | Virtual Machine > Interaction > Power Off |
| Move VM |
Note: Combining these four permissions allows the service account to perform Storage vMotion and regular vMotion of an object therefore allowing
vRealize Operations to perform the given operations.
|
| Optimize Container |
|
| Schedule Optimize Container |
|
| Set DRS Automation | Host > Inventory > Modify Cluster |
| Provide data to vSphere Predictive DRS | External stats provider > Update External stats provider > Register External stats provider > Unregister |
For more information about tasks and privileges, see Required Privileges for Common Tasks in the vSphere Virtual Machine Administration Guide and Defined Privileges in the vSphere Security Guide.
