vSphere agent - account for vCac communication

Our vCac setup is built using service accountA and is admin on the vCac servers.

Now, while installing vSphere agents we do not wish to use accountA and instead use a lesser privileged accountB. Both are domain accounts.

What configuration or rights will accountB require on vCac servers to be able to communicate with the repository?

Thanks in advance.

1 Reply

It differs for each type of agent, Proxy or DEM. I would suggest you simply add the user for the agent to the VCAC Administrator role in the UI and that should cover both cases; that way, they only really have application-level security to the API for talking to the services. Keep in mind this is authorization only: they still need to be able to authenticate with Windows security over IIS so the account identity is valid, and they need to have access to the ports for the repository (for the DEM) and the vmps SOAP endpoint (for the legacy Proxy).

There might be a lower minimum level for specific use cases, but in general both agents require full access to the application API.