Ops Manager v2.1

vSphere Service Account Requirements

This topic describes the minimum privileges required by the vSphere BOSH CPI. A vSphere admin must grant the following privileges to the vSphere service account that Pivotal Cloud Foundry (PCF) uses to manage vSphere resources.

The PCF account needs privileges at both the vCenter server level and the Datacenter level. See Hierarchical Inheritance of Permissions in the VMware documentation for how permission levels and inheritance work in vSphere.

vCenter-Level Privileges

Ops Manager assigns custom attributes to the virtual machines (VMs) it deploys to identify BOSH releases and job index information about each VM. vCenter APIs require vCenter server level access to manage these custom attributes.

The following table summarizes the privileges that a PCF account requires at the vCenter Server instance level. Some of these privileges are inherited, and others must be granted by a vCenter admin:

| Object | Privilege (UI) | Privilege (API) |
|---|---|---|
| Role | Read-only | System.Anonymous |
| Role | Read-only | System.Read |
| Role | Read-only | System.View |
| Global | Manage custom attributes | Global.ManageCustomFields |
| Global | Register Extensions | Extension.Register |
| Profile-driven storage | Profile-driven storage | StorageProfile.Update |
| Profile-driven storage | Profile-driven storage | StorageProfile.View |

Datacenter-Level Privileges

The following privileges must be set at the datacenter level:

| Object | Privilege (UI) | Privilege (API) |
|---|---|---|
| Datastore | Low level file operations | Datastore.FileManagement |
| Network | Assign network | Network.Assign |

Folder and Datastore-Level Privileges

You must grant the following privileges on any entities in a datacenter where you will deploy PCF:

Datastore Object

| Privilege (UI) | Privilege (API) |
|---|---|
| Allocate space | Datastore.AllocateSpace |
| Browse datastore | Datastore.Browse |
| Remove file | Datastore.DeleteFile |
| Update virtual machine files | Datastore.UpdateVirtualMachineFiles |

Folder Object

Ops Manager creates a folder for VMs, stemcells, and persistent disks during installation. The folder contents change frequently as Ops Manager applies changes.

| Privilege (UI) | Privilege (API) |
|---|---|
| Create folder | Folder.Create |
| Delete folder | Folder.Delete |
| Move folder | Folder.Move |
| Rename folder | Folder.Rename |

Inventory Service Object

| Privilege (UI) | Privilege (API) |
|---|---|
| vSphere Tagging > Create vSphere Tag | InventoryService.Tagging.CreateTag |
| vSphere Tagging > Edit vSphere Tag | InventoryService.Tagging.EditTag |
| vSphere Tagging > Delete vSphere Tag | InventoryService.Tagging.DeleteTag |

Resource Object

When using vAppImport to clone a VM, BOSH requires the resource migration privileges to create a new, powered-off VM based on a given stemcell. BOSH migrates the VM to the destination datastore, where Ops Manager deploys the VM and powers it on.

| Privilege (UI) | Privilege (API) |
|---|---|
| Assign virtual machine to resource pool | Resource.AssignVMToPool |
| Migrate powered off virtual machine | Resource.ColdMigrate |
| Migrate powered on virtual machine | Resource.HotMigrate |

Virtual Machine Object

Configuration

| Privilege (UI) | Privilege (API) |
|---|---|
| Add existing disk | VirtualMachine.Config.AddExistingDisk |
| Add new disk | VirtualMachine.Config.AddNewDisk |
| Add or remove device | VirtualMachine.Config.AddRemoveDevice |
| Advanced | VirtualMachine.Config.AdvancedConfig |
| Change CPU count | VirtualMachine.Config.CPUCount |
| Change resource | VirtualMachine.Config.Resource |
| Configure managedBy | VirtualMachine.Config.ManagedBy |
| Disk change tracking | VirtualMachine.Config.ChangeTracking |
| Disk lease | VirtualMachine.Config.DiskLease |
| Display connection settings | VirtualMachine.Config.MksControl |
| Extend virtual disk | VirtualMachine.Config.DiskExtend |
| Memory | VirtualMachine.Config.Memory |
| Modify device settings | VirtualMachine.Config.EditDevice |
| Raw device | VirtualMachine.Config.RawDevice |
| Reload from path | VirtualMachine.Config.ReloadFromPath |
| Remove disk | VirtualMachine.Config.RemoveDisk |
| Rename | VirtualMachine.Config.Rename |
| Reset guest information | VirtualMachine.Config.ResetGuestInfo |
| Set annotation | VirtualMachine.Config.Annotation |
| Settings | VirtualMachine.Config.Settings |
| Swapfile placement | VirtualMachine.Config.SwapPlacement |
| Unlock virtual machine | VirtualMachine.Config.Unlock |
| Upgrade virtual machine hardware | VirtualMachine.Config.UpgradeVirtualHardware |

Guest Operations

| Privilege (UI) | Privilege (API) |
|---|---|
| Guest Operation Program Execution | VirtualMachine.GuestOperations.Execute |
| Guest Operation Modifications | VirtualMachine.GuestOperations.Modify |
| Guest Operation Queries | VirtualMachine.GuestOperations.Query |

Interaction

| Privilege (UI) | Privilege (API) |
|---|---|
| Answer question | VirtualMachine.Interact.AnswerQuestion |
| Configure CD media | VirtualMachine.Interact.SetCDMedia |
| Device connection | VirtualMachine.Interact.DeviceConnection |
| Guest operating system management by VIX API | VirtualMachine.Interact.GuestControl |
| Power off | VirtualMachine.Interact.PowerOff |
| Power on | VirtualMachine.Interact.PowerOn |
| Reset | VirtualMachine.Interact.Reset |
| Suspend | VirtualMachine.Interact.Suspend |
| VMware Tools install | VirtualMachine.Interact.ToolsInstall |

Inventory

| Privilege (UI) | Privilege (API) |
|---|---|
| Create from existing | VirtualMachine.Inventory.CreateFromExisting |
| Create new | VirtualMachine.Inventory.Create |
| Move | VirtualMachine.Inventory.Move |
| Remove | VirtualMachine.Inventory.Delete |

Provisioning

When cloning a stemcell, BOSH sets custom specifications, such as hostnames and network configurations, based on the stemcell operating system.

The VM download privilege allows BOSH to modify files within a VM, including the links between VMs and persistent disks. When vMotion migrates disks in vSphere, BOSH uses these links to maintain the connections between VMs and their persistent disks.

| Privilege (UI) | Privilege (API) |
|---|---|
| Allow disk access | VirtualMachine.Provisioning.DiskRandomAccess |
| Allow read-only disk access | VirtualMachine.Provisioning.DiskRandomRead |
| Allow virtual machine download | VirtualMachine.Provisioning.GetVmFiles |
| Allow virtual machine files upload | VirtualMachine.Provisioning.PutVmFiles |
| Clone template | VirtualMachine.Provisioning.CloneTemplate |
| Clone virtual machine | VirtualMachine.Provisioning.Clone |
| Customize | VirtualMachine.Provisioning.Customize |
| Deploy template | VirtualMachine.Provisioning.DeployTemplate |
| Mark as template | VirtualMachine.Provisioning.MarkAsTemplate |
| Mark as virtual machine | VirtualMachine.Provisioning.MarkAsVM |
| Modify customization specification | VirtualMachine.Provisioning.ModifyCustSpecs |
| Promote disks | VirtualMachine.Provisioning.PromoteDisks |
| Read customization specifications | VirtualMachine.Provisioning.ReadCustSpecs |

Snapshot Management

Before Ops Manager deploys a new VM, it uses a snapshot to clone the stemcell image to the destination.

| Privilege (UI) | Privilege (API) |
|---|---|
| Create snapshot | VirtualMachine.State.CreateSnapshot |
| Remove snapshot | VirtualMachine.State.RemoveSnapshot |
| Rename snapshot | VirtualMachine.State.RenameSnapshot |
| Revert snapshot | VirtualMachine.State.RevertToSnapshot |

vApp Object

These privileges must be set at the resource pool level. VApp.ApplicationConfig is required when attaching or detaching persistent disks.

| Privilege (UI) | Privilege (API) |
|---|---|
| Import | VApp.Import |
| vApp application configuration | VApp.ApplicationConfig |
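To check that a service-account role matches the tables on this page (and nothing more), the added script below, which is not Pivotal's or VMware's code, compares an exported privilege list against the required API IDs grouped by the level at which they must be granted. It assumes the export is one privilege ID per line (the shape I assume `govc role.ls <role>` prints); the entity-level set is abridged and the sample role is constructed.

```python
# Added example: audit an exported vSphere role against this page's tables.
REQUIRED = {
    "vCenter Server": {
        "System.Anonymous", "System.Read", "System.View",
        "Global.ManageCustomFields", "Extension.Register",
        "StorageProfile.Update", "StorageProfile.View",
    },
    "Datacenter": {"Datastore.FileManagement", "Network.Assign"},
    # Entity level is abridged here; extend it from the tables above
    # before trusting the "extra" report for a real role.
    "Folder/Datastore/VM": {
        "Datastore.AllocateSpace", "Datastore.Browse", "Datastore.DeleteFile",
        "Datastore.UpdateVirtualMachineFiles", "Folder.Create", "Folder.Delete",
        "Folder.Move", "Folder.Rename", "VApp.Import", "VApp.ApplicationConfig",
    },
}

# Constructed sample of a role export: one privilege ID per line.
# Comments and blank lines are ignored by parse_role().
SAMPLE_ROLE = """\
# PCF service-account role (constructed sample, not a real export)
System.Anonymous
System.Read
System.View
Global.ManageCustomFields
StorageProfile.Update
StorageProfile.View
Datastore.FileManagement
Folder.Create
Folder.Delete
Global.Licenses
"""


def parse_role(text):
    """Return the set of privilege IDs in a one-per-line export."""
    ids = (line.strip() for line in text.splitlines())
    return {i for i in ids if i and not i.startswith("#")}


def audit(granted, required=REQUIRED):
    """Report required IDs the role lacks (per level) and granted IDs that
    nothing on this page needs, which are candidates for removal."""
    missing = {lvl: sorted(ids - granted) for lvl, ids in required.items()}
    needed = set().union(*required.values())
    return {"missing": {l: m for l, m in missing.items() if m},
            "extra": sorted(granted - needed)}
```

Run `audit(parse_role(SAMPLE_ROLE))` to see the sample role is short one vCenter-level and one datacenter-level privilege and carries one privilege this page never asks for.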