Privileges Required for Configuring a vCenter Adapter Instance
To configure your vCenter Adapter instance in VMware Aria Operations, you need sufficient privileges to monitor and collect data and to perform vCenter Server actions. You can configure these permissions as a single role in vCenter Server to be used by a single service account or configure them as two independent roles for two separate service accounts. The vCenter Adapter instance monitors and collects data from vCenter Server, and the vCenter Action adapter performs some actions in vCenter Server. So, for monitoring or collecting vCenter Server inventory and their metrics and properties, the vCenter Adapter instance needs credentials with the following privileges activated in vCenter Server.
The vCenter Server System Role is created as a Read Only role with three system-defined privileges: System.Anonymous, System.View, and System.Read. See Using Roles to Assign Privileges.

Task | Privilege |
---|---|
Property Collection | System > Anonymous. This privilege is added automatically when you create a user account. However, this privilege is not visible in vSphere. |
Objects Discovery Events Collection | Profile-Driven Storage > View; Storage views > View; Profile-Driven Storage > Profile-Driven Storage View; Datastore > Browse Datastore; System > View. This privilege is added automatically when you create a user account. However, this privilege is not visible in vSphere. |
Performance Metrics Collection | Performance > Modify intervals; System > Read. This privilege is added automatically when you create a user account. However, this privilege is not visible in vSphere. |
Service Discovery | For credential-based service discovery: Virtual Machine > Guest Operations > Guest Operation alias modification; Virtual Machine > Guest Operations > Guest Operation alias query; Virtual Machine > Guest Operations > Guest Operation modifications; Virtual Machine > Guest Operations > Guest Operation program execution; Virtual Machine > Guest Operations > Guest Operation queries. For credential-less service discovery: Virtual machine > Service configuration > Manage service configurations; Virtual machine > Service configuration > Modify service configuration; Virtual machine > Service configuration > Query service configurations; Virtual machine > Service configuration > Read service configuration |
VC Plugin | Extension > Register extension Extension > Unregister extension Extension > Update extension |
Orphaned Disk | Datastore > Browse datastore |
Authentication on VMware Aria Operations using VC User and apply actions | privilege.Global.com.vmware.label > VMware Aria Operations Read Only Role; privilege.Global.com.vmware.label > VMware Aria Operations Power User Role |
Optimize Container; Schedule Optimize Container; Automate Optimize Container | Privilege required for vCenter version 7.x: Privilege required for vCenter version 8.x: |
Provide data to vSphere Predictive DRS | External stats provider > Update; External stats provider > Register; External stats provider > Unregister; vSphere Stats Privileges > Collect Stats Data; vSphere Stats Privileges > Modify Stats Configuration; vSphere Stats Privileges > Query Stats Data |
Tag Collection | Global > Global tag; Global > Global health; Global > Manage custom attributes. This privilege is required only if the tags are associated with custom attributes. Global > System tag; Global > Set custom attribute |
Monitoring and collecting data from vSphere with Tanzu | Administrator. Users with a Non-Administrator or custom role must be added to the ServiceProviderUsers group: Administrator > Single Sign On > Users and Groups > Groups. ServiceProviderUsers is a group in the vCenter Server Single Sign-On Domain. Members of this group can manage the vSphere with Tanzu and VMware Cloud on AWS infrastructure. |

Task | Privilege |
---|---|
Set CPU Count for VM | Virtual Machine > Configuration > Change CPU Count |
Set CPU Resources for VM | Virtual Machine > Configuration > Change Resource |
Set Memory for VM | Virtual Machine > Configuration > Change Memory |
Set Memory Resources for VM | Virtual Machine > Configuration > Change Resource |
Delete Idle VM | Virtual machine > Edit Inventory > Remove |
Delete Powered Off VM | Virtual machine > Edit Inventory > Remove |
Create Snapshot for VM | Virtual Machine > Snapshot Management > Create Snapshot |
Delete Unused Snapshots for Datastore | Virtual Machine > Snapshot Management > Remove Snapshot |
Delete Unused Snapshot for VM | Virtual Machine > Snapshot Management > Remove Snapshot |
Power Off VM | Virtual Machine > Interaction > Power Off |
Power On VM | Virtual Machine > Interaction > Power On |
Shut Down Guest OS for VM | Virtual Machine > Interaction > Power Off |
Move VM | Combining these four permissions allows the service account to perform Storage vMotion and regular vMotion of an object, therefore allowing VMware Aria Operations to perform the given operations. |
Set DRS Automation | Host > Inventory > Modify Cluster |
Provide data to vSphere Predictive DRS | External stats provider > Update External stats provider > Register External stats provider > Unregister |
Reboot Guest OS for VM | Virtual machine > Interaction > Reset |
For more information about tasks and privileges, see Required Privileges for Common Tasks in the vSphere Virtual Machine Administration Guide and Defined Privileges in the vSphere Security Guide.
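
When the collection and action privileges are split into two roles as described at the top of this page, the collection role can be checked for least privilege. The following Python code is an added example, not VMware code: it audits a role's privilege list against subsets of the two tables above and reports what is missing, what is in excess, and which granted privileges belong to the actions table. The feature keys and the sample role are assumptions constructed for illustration.

```python
"""Added example: audit a vCenter role's privilege list against this page's tables."""

def norm(path):
    # Compare 'Category > Privilege' paths without regard to case or spacing;
    # the page itself mixes "Virtual Machine" and "Virtual machine".
    return " > ".join(part.strip().lower() for part in path.split(">"))

# Privileges the page says are added automatically and are not visible.
IMPLICIT = {norm(p) for p in ("System > Anonymous", "System > View", "System > Read")}

# Subset of the collection table, keyed by hypothetical feature names.
COLLECTION = {
    "performance": ["Performance > Modify intervals"],
    "discovery": ["Storage views > View", "Datastore > Browse Datastore"],
    "tags": ["Global > Global tag", "Global > Global health", "Global > System tag"],
    "vc_plugin": ["Extension > Register extension", "Extension > Unregister extension",
                  "Extension > Update extension"],
}

# Subset of the actions table: privilege -> one task that needs it.
ACTIONS = {norm(p): task for task, p in [
    ("Set CPU Count for VM", "Virtual Machine > Configuration > Change CPU Count"),
    ("Delete Powered Off VM", "Virtual machine > Edit Inventory > Remove"),
    ("Create Snapshot for VM", "Virtual Machine > Snapshot Management > Create Snapshot"),
    ("Power Off VM", "Virtual Machine > Interaction > Power Off"),
    ("Set DRS Automation", "Host > Inventory > Modify Cluster"),
]}

def audit_collection_role(granted, features):
    """Return missing, excess and action-capable privileges for a collection role."""
    have = {norm(p) for p in granted} - IMPLICIT
    need = {norm(p) for f in features for p in COLLECTION[f]}
    return {
        "missing": sorted(need - have),
        "excess": sorted(have - need),
        "actions": {p: ACTIONS[p] for p in sorted(have & ACTIONS.keys())},
    }

# Constructed privilege list for a monitoring-only service account's role.
SAMPLE_ROLE = [
    "System > View", "Performance > Modify intervals", "Storage views > View",
    "Datastore > Browse datastore", "Global > Global tag",
    "virtual machine > interaction > power off", "Host > Inventory > Modify Cluster",
]

if __name__ == "__main__":
    report = audit_collection_role(SAMPLE_ROLE, ["performance", "discovery", "tags"])
    for key, value in report.items():
        print(key, value)
```

Any entry under "actions" means the monitoring account can change vCenter Server objects and should be moved to the separate action role.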