vSphere Service Account Requirements

Page last updated:

This topic describes the minimum privileges required by the vSphere BOSH CPI.

Overview

A vSphere admin must grant minimum privileges to the vSphere service account that Ops Manager uses to manage vSphere resources.

The Ops Manager account needs privileges at both the vCenter server level and the Datacenter level.

The recommended permissions in this topic are configured using the API. UI permissions are not included because they vary between vSphere versions. API permissions are consistent across vSphere versions.

For more information about how permission levels and inheritance work in vSphere, see Hierarchical Inheritance of Permissions in the VMware documentation.

For more information about vSphere permissions, see vSphere Permissions and User Management Tasks in the VMware documentation.

vCenter-Level Privileges

Ops Manager assigns custom attributes to the virtual machines (VMs) it deploys to identify BOSH releases and job index information about each VM. vCenter APIs require vCenter server level access to manage these custom attributes.

The following table summarizes the privileges that an Ops Manager account requires at the vCenter Server instance level. Some of these privileges are inherited, and others must be granted by a vCenter admin:

ObjectPrivilege (API)
Role System.Anonymous
System.Read
System.View
Global Global.ManageCustomFields
Global.SetCustomField
Extension.Register
Profile-Driven Storage StorageProfile.Update
StorageProfile.View

Datacenter-Level Privileges

The following privileges must be set at the data center level:

Object Privilege (API)
Datastore Datastore.FileManagement
Network Network.Assign

Folder and Datastore-Level Privileges

You must grant the following privileges on any entities in a datacenter where you will deploy Ops Manager:

Datastore Object

Privilege (API)
Datastore.AllocateSpace
Datastore.Browse
Datastore.DeleteFile
Datastore.FileManagement

Folder Object

Ops Manager creates a folder for VMs, stemcells, and persistent disks during installation. The folder contents change frequently as Ops Manager applies changes.

Privilege (API)
Folder.Create
Folder.Delete
Folder.Move
Folder.Rename

Host Object

Privilege (API)
Host.Inventory.EditCluster

Inventory Service Object

Privilege (API)
InventoryService.Tagging.CreateTag
InventoryService.Tagging.EditTag
InventoryService.Tagging.DeleteTag

Resource Object

When using vAppImport to clone a VM, BOSH requires the resource migration privileges to create a new, powered-off VM based on a given stemcell. BOSH migrates the VM to the destination datastore, where Ops Manager deploys the VM and powers it on.

Privilege (API)
Resource.AssignVMToPool
Resource.ColdMigrate
Resource.HotMigrate

Profile-driven Storage Object

Privilege (API)
StorageProfile.Update
StorageProfile.View

Virtual Machine Object

Configuration

Privilege (API)
VirtualMachine.Config.AddExistingDisk
VirtualMachine.Config.AddNewDisk
VirtualMachine.Config.AddRemoveDevice
VirtualMachine.Config.AdvancedConfig
VirtualMachine.Config.CPUCount
VirtualMachine.Config.Resource
VirtualMachine.Config.ManagedBy
VirtualMachine.Config.ChangeTracking
VirtualMachine.Config.DiskLease
VirtualMachine.Config.MksControl
VirtualMachine.Config.DiskExtend
VirtualMachine.Config.Memory
VirtualMachine.Config.EditDevice
VirtualMachine.Config.RawDevice
VirtualMachine.Config.ReloadFromPath
VirtualMachine.Config.RemoveDisk
VirtualMachine.Config.Rename
VirtualMachine.Config.ResetGuestInfo
VirtualMachine.Config.Annotation
VirtualMachine.Config.Settings
VirtualMachine.Config.SwapPlacement
VirtualMachine.Config.UpgradeVirtualHardware

Guest Operations

Privilege (API)
VirtualMachine.GuestOperations.Execute
VirtualMachine.GuestOperations.Modify
VirtualMachine.GuestOperations.Query

Interaction

Privilege (API)
VirtualMachine.Interact.AnswerQuestion
VirtualMachine.Interact.SetCDMedia
VirtualMachine.Interact.ConsoleInteract
VirtualMachine.Interact.DefragmentAllDisks
VirtualMachine.Interact.DeviceConnection
VirtualMachine.Interact.GuestControl
VirtualMachine.Interact.PowerOff
VirtualMachine.Interact.PowerOn
VirtualMachine.Interact.Reset
VirtualMachine.Interact.Suspend
VirtualMachine.Interact.ToolsInstall

Inventory

Privilege (API)
VirtualMachine.Inventory.CreateFromExisting
VirtualMachine.Inventory.Create
VirtualMachine.Inventory.Move
VirtualMachine.Inventory.Register
VirtualMachine.Inventory.Delete
VirtualMachine.Inventory.Unregister

Provisioning

When cloning a stemcell, BOSH sets custom specifications, such as hostnames and network configurations, based on the stemcell operating system.

The VM download privilege allows BOSH to modify files within a VM, including links between VMs and persistent disks. When vMotion migrates disks in vSphere, BOSH uses these links to maintain the connections between VMs and their persistent disks.

Privilege (API)
VirtualMachine.Provisioning.DiskRandomAccess
VirtualMachine.Provisioning.DiskRandomRead
VirtualMachine.Provisioning.GetVmFiles
VirtualMachine.Provisioning.PutVmFiles
VirtualMachine.Provisioning.CloneTemplate
VirtualMachine.Provisioning.Clone
VirtualMachine.Provisioning.Customize
VirtualMachine.Provisioning.DeployTemplate
VirtualMachine.Provisioning.MarkAsTemplate
VirtualMachine.Provisioning.MarkAsVM
VirtualMachine.Provisioning.ModifyCustSpecs
VirtualMachine.Provisioning.PromoteDisks
VirtualMachine.Provisioning.ReadCustSpecs

Snapshot Management

Before Ops Manager deploys a new VM, it uses a snapshot to clone the stemcell image to the destination.

Privilege (API)
VirtualMachine.State.CreateSnapshot
VirtualMachine.State.RemoveSnapshot
VirtualMachine.State.RenameSnapshot
VirtualMachine.State.RevertToSnapshot

vApp Object

These privileges must be set at the resource pool level. VApp.ApplicationConfig is required when attaching or detaching persistent disks.

Privilege (API)
VApp.Import
VApp.ApplicationConfig