VMware Cloud Community
krishnaprasad
Hot Shot

VMware ESXi 5.5 local users for CIM Monitoring role

Hello, is it possible to create local users in ESXi and assign permissions/roles to manage CIM interactions alone? I learnt that local groups are not supported from 5.1 onwards. Does it mean that we cannot add a role (for CIM interactions alone) for a local user created on ESXi? Please advise!

Thanks!

16 Replies
abhilashhb
VMware Employee

Hi Krishnaprasad,

You can add a new user and give him just the CIM Interaction role. Just confirmed it on my test 5.5 host.

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

krishnaprasad
Hot Shot

Thanks for the reply Abhilash. Looks like I am missing something. Could you please help with the exact steps?

Here are the steps that I have followed:

1. Created a local user using vCenter Client (via the Local Users & Groups section).

2. This cannot be added to a group since it's not supported from 5.1 onwards, I suppose?

3. Now created a role using vSphere Web Client by selecting CIM interactions.

4. Using the Web Client, traverse to Manage --> Permissions. Add Permission. But "Users & Groups" doesn't list the user created in the 1st step!

Do you follow this procedure to assign a role for a specific user?

abhilashhb
VMware Employee

Hi Krishnaprasad,

Sure, I can help you.

Here's what you are doing. You are logging into the host directly and creating a local user, and you are trying to add that user to vCenter permissions. The "local" user that you created on the host is local to your host and will not appear in vCenter. It can only be assigned when you log into the host directly using vSphere Client.

Do this.

Go to your vCenter roles and create a role with just CIM Interactions.

I hope you have a domain mapped to your vCenter. So create a user on the AD as CIM-user.

Now click on vCenter and go to Permissions, click Add Permission. Import this user CIM-User with the CIM Interactions role and click OK.

Now the user will be able to do the CIM tasks on each host.

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

krishnaprasad
Hot Shot

Thanks for the help. I don't have an AD domain created. So I guess I don't have any other option than to use a local user (local to ESXi) for CIM Interactions, right?

abhilashhb
VMware Employee

You can create a local user in the SSO domain and map him to this role.

This will help you for that.

VMware vSphere 5.1

If you found my answer useful, consider awarding points by choosing correct and helpful answers.

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

krishnaprasad
Hot Shot

Thanks again. I created a user and added permission. In fact I had given full permission. But I can't log in using this newly created user via wbemcli (open-source CIM management tool) or vSphere Client. Here are the steps followed:

1. From the Web Client, traversed to Administration --> Access. Under "SSO Users and Groups" --> Users tab --> created a user.

2. Traversed to the Groups tab under the same section and added the user. Here the domain of the user is shown as "System-Domain", whereas for root it showed 'localos'.

3. From the Role Manager section, created a new role with just CIM access (tried full access as well).

4. From the ESXi host connected to the Web Client, traversed to 'Manage' --> Permissions, added the new user and assigned the newly created role. Saved the changes.

5. Trying to connect from vSphere Client using the user shows "incorrect user name / password".

Any steps missing? Appreciate your help!

abhilashhb
VMware Employee

Are you trying to log in to the host using that user? It will not work. The Web Client is to manage vCenter. The permissions will work if you log into vCenter using vSphere Client or the Web Client. Once logged in, the user will have CIM interaction on all hosts.

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

krishnaprasad
Hot Shot

OK, I think I understood the problem. The SSO user created is specific to the vCenter, and the specific ESXi host doesn't have any information about this user. My requirement is a little different. I need to communicate with the ESXi host directly using a non-root user without using vCenter. Is that possible? As you may know, there is an open-source tool available, wbemcli (http://pic.dhe.ibm.com/infocenter/zos/v1r11/index.jsp?topic=/com.ibm.zos.r11.idarc00/wbemcli.htm), which can communicate with the ESXi CIMOM/SFCB by talking to port 5989. Using the root user, I am able to communicate remotely. I want to know if it's possible using a non-root user (local to ESXi).

abhilashhb
VMware Employee

OK, now we are back to square one. You need to create users on each host and link them to wbemcli, right?

Now log into every host that you want to link to wbemcli using vSphere Client.

Go to Roles and create a new role with just CIM Interactions.

Then go to Local Users and Groups and create a new user.

Click on the host, go to the Permissions tab and add this user there with the CIM role.

You need to do it on all hosts.

And then you can link these accounts to wbemcli and use it. The users will work locally. I have tried that, as I mentioned in my first comment.

Let me know if you need any more help.

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

krishnaprasad
Hot Shot

I did that! But unless I give the "Administrator" role to the newly created user OR /etc/security/access.conf is modified, it says "Invalid user/password". Let's say I create a new role by just selecting Host --> CIM --> CIM Interactions. From the Permissions tab, I assigned the new role to the new user created. However, wbemcli showed invalid username/password. If the user is assigned the "Administrator" role, it works fine as expected.

I also see that when /etc/security/access.conf is modified from '-' to '+' for the specific user, wbemcli starts working for this user. I don't think editing /etc/security/access.conf is supposed to be done manually. Anything missing here?

When access.conf is not modified:

~# wbemcli -dx ec -noverify https://<user>:<password>@<ESXi IP>/root/cimv2
To server: <?xml version="1.0" encoding="utf-8" ?>
<CIM CIMVERSION="2.0" DTDVERSION="2.0">
<MESSAGE ID="4711" PROTOCOLVERSION="1.0"><SIMPLEREQ><IMETHODCALL NAME="EnumerateClasses"><LOCALNAMESPACEPATH><NAMESPACE NAME="root"></NAMESPACE><NAMESPACE NAME="cimv2"></NAMESPACE></LOCALNAMESPACEPATH>
<IPARAMVALUE NAME="DeepInheritance"><VALUE>TRUE</VALUE></IPARAMVALUE>
<IPARAMVALUE NAME="LocalOnly"><VALUE>FALSE</VALUE></IPARAMVALUE>
<IPARAMVALUE NAME="IncludeQualifiers"><VALUE>FALSE</VALUE></IPARAMVALUE>
<IPARAMVALUE NAME="IncludeClassOrigin"><VALUE>TRUE</VALUE></IPARAMVALUE>
</IMETHODCALL></SIMPLEREQ>
</MESSAGE></CIM>
From server: WWW-Authenticate: Basic realm="cimom"
From server: Server: sfcHttpd
From server: Content-Length: 0
*
* wbemcli: Http Exception: Invalid username/password.
*
~#

With access.conf modified:

~# wbemcli -dx ec -noverify https://<user>:<password>@<ESXi IP>/root/cimv2
<ESXi IP>:5989/root/cimv2:CIM_RoleBasedAuthorizationService
<ESXi IP>:5989/root/cimv2:OMC_ProcessorRealizes
<ESXi IP>:5989/root/cimv2:VMware_Battery
....
~#

Any clues? Thanks much for the help!

krishnaprasad
Hot Shot

Saw a similar issue discussed in the forum: https://communities.vmware.com/message/1646911#1646911

abhilashhb
VMware Employee

Why not give a user administrative privilege? Maybe it needs admin access to the host and not just CIM interactions. Any issue with giving admin privileges?

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

krishnaprasad
Hot Shot

Nothing as such. But I wanted to know why access.conf was not modified though the role was added for CIM Interaction. Anyway, thanks for all the help. I am closing this thread.

abhilashhb
VMware Employee

I will check this out and get back to you once I have an answer.

For now please use the admin privileges and go ahead with the integration.

Abhilash B
LinkedIn : https://www.linkedin.com/in/abhilashhb/

kluken
Contributor

Anyone figure this out on 5.5? We have people that need access to Dell's OMSA interface to be able to troubleshoot things like failed HDDs and do not want them to be full root admins; since 5.5 this seems to be an impossible task.

0 Kudos
krishnaprasad
Hot Shot

We can create a local user in ESXi and assign it only for accessing sfcb (CIM).

  1. Create a local user in ESXi (using esxcli system account add).
  2. Add permission only for sfcbd by editing /etc/security/access.conf:
     +:cimuser:sfcb
  3. Now a remote client can access VMware CIM classes using this local user account. However, SSH and other root permissions will not be available for this user.

I hope this is what we were looking for? However, note that /etc/security/access.conf is recreated on every boot and hence whatever modifications are done to this file manually may not be persistent (need to check though).


Thanks,

Krishnaprasad

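The access.conf step from the post above, modelled in POSIX shell as an added example (not code from the thread or from VMware): a constructed sample access.conf, a first-match check in the simplified pam_access style (one user and one service per line, no EXCEPT lists), and an idempotent grant that places "+:cimuser:sfcb" before the deny-all line, where the post's manual edit has to land.

```shell
# Added example: the access.conf step from the post above, as pam_access rules
# (permission:users:origins, first match wins; ESXi puts the service name in the
# third field). Simplified: one user/origin per line, no "EXCEPT" lists.

# write_sample FILE: a constructed stand-in for an ESXi access.conf.
write_sample() {
    printf '%s\n' '# constructed sample' '+:root:ALL' '-:ALL:ALL' > "$1"
}

# check_access FILE USER SERVICE: exit 0 if allowed, 1 if denied or unmatched.
check_access() {
    while IFS=: read -r perm users origins; do
        case "$perm" in '#'*|'') continue ;; esac
        if { [ "$users" = ALL ] || [ "$users" = "$2" ]; } &&
           { [ "$origins" = ALL ] || [ "$origins" = "$3" ]; }; then
            [ "$perm" = '+' ] && return 0
            return 1
        fi
    done < "$1"
    return 1
}

# grant_sfcb FILE USER: insert "+:USER:sfcb" ahead of the deny-all line (a rule
# placed after "-:ALL:ALL" is never reached); no-op if already present.
grant_sfcb() {
    grep -qxF "+:$2:sfcb" "$1" && return 0
    awk -v line="+:$2:sfcb" '
        !done && $0 == "-:ALL:ALL" { print line; done = 1 }
        { print }
        END { if (!done) print line }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# demo: denied before the grant, admitted to sfcb only afterwards, root
# unaffected, and a repeated grant adds no duplicate line.
demo() {
    f="${TMPDIR:-/tmp}/access.conf.$$"
    write_sample "$f"
    check_access "$f" cimuser sfcb && { rm -f "$f"; return 1; }
    grant_sfcb "$f" cimuser
    grant_sfcb "$f" cimuser
    ok=0
    check_access "$f" cimuser sfcb &&
        ! check_access "$f" cimuser ssh &&
        check_access "$f" root ssh &&
        [ "$(grep -cxF '+:cimuser:sfcb' "$f")" -eq 1 ] && ok=1
    rm -f "$f"
    [ "$ok" -eq 1 ]
}
demo && echo "cimuser may use sfcb only" || echo "unexpected result"
```

Because the post notes that ESXi recreates access.conf at boot, a grant made this way has to be re-applied after a reboot (or checked with check_access) rather than assumed to persist.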