Minimum vCenter permissions required for vRealize Operations and vRealize LogInsight

Minimum vCenter permissions required for vRealize Operations and vRealize LogInsight

Enterprise customers running complex vSphere environments with multiple users usually intend to restrict access to the environment as much as possible. This is true for interactive users who get specific view and permissions to the objects they need but also for service users leveraged by other components to access vCenter. This article covers vRealize Operations and vRealize LogInsight and shows what minimum permissions are required on vCenter side to make integration work.

vRealize Operations 6.1

vRealize Operations uses 3 types of users to access vCenter environments through the management pack. While in small environments all three parts can use the same administrative account it's also possible to use different permissions for each functionality.

vrops-vcenter-collection-user.png vrops-vcenter-register-user.png vrops-vcenter-python-user.png

vCenter Collector user

This is the most important user that queries information from vCenter and receives metric data. As this user does not need any write access to vCenter, read-only permissions (existing role can be used) usually on datacenter or vCenter server level are sufficient. In case the view from vRealize Operations should be limited to a cluster, hosts or other components the scope of the user in question has to be defined more granularly.

Find some more information about it here: Add a vCenter Adapter Instance

vCenter Registration user

When adding a new vCenter Adapter configuration to vRealize Operations, registration of the vROps server with the vCenter system has to be done once. This user requires some limited write permissions, like shown in the screenshot below.

Find more information here: VMware vCenter Operations Manager 5.8 (this document has been created for an older version but the permission structure in general applies to 6.1 still)


vCenter Python Actions Adapter

vRealize Operations provides the ability to run actions/tasks on objects it manages. For vSphere this typically relates to VM lifecycle operations like shown in the screenshot below:


To access above mentioned actions and execute them on the related vCenter server a python interface is used. Obviously this requires proper permissions to allow running tasks on vCenter objects. As best practice it's recommended to create a role on vCenter which only enables the actions that are desired.

Find more information here: Add a vCenter Python Actions Adapter Instance

E.g. if a customer desires to only allow power on and power off actions a permission structure would look like shown here:


Other examples for custom python permissions:

  • Power Off VM: - Virtual Machine\Interaction\Power Off
  • Power On VM - Virtual Machine\Interaction\Power On
  • Set CPU Count for VM - Virtual Machine\Configuration\Change CPU Count (If you want to power off you will need the power off privilege above. If you want to take a snapshot you will need the create snapshot privilege)
  • Set Memory for VM - Virtual Machine\Configuration\Memory
  • Set CPU Resources for VM - Virtual Machine\Configuration\Change Resource
  • Set CPU Count &Memory for VM - Virtual Machine\Configuration\Change CPU Count, Virtual Machine\Configuration\Memory (If you want to power off you will need the power off privilege above. If you want to take a snapshot you will need the create snapshot privilege)
  • Delete Unused Snapshots for VM - Virtual Machine\Snapshot Management\Remove Snapshot (user must also have read access to the host that the vm is running on)
  • Shutdown Guest OS for VM - Virtual Machine\Interaction\Power Off

vRealize LogInsight 3.0

vRealize LogInsight has a simpler permissions structure compared to Operations. In terms of vCenter connection basically read-only permission are enough. However to inject and configure logging (add a new syslog destination) in related ESXi hosts four additional permissions are required.

Note: Make sure that access permissions are configured on top level folder of vCenter and that "propagate to children" is enabled.



Christian, thanks for these tips! I started a github repo where I created the LogInsight role in PowerCLI. I hope to get the others in there soon! GitHub - rnelson0/vCenter-roles: Set up roles for common applications to access vCenter

Hi Christian

Great post. On vRops 6.2 at least I had to add "Health" under "Global"->"Health" in order to fix this error message

"Notification event - Adapter vcenter: Cannot retrieve Health Information from vCenter's Health Service located at URL: https://vcenter:8443/vws"

Hi Michael,

thanks for your feedback. Will update the article as soon as I am able to verify!

How long did it take until you got this notification event? I got a fresh vROps 6.2a installation and integrated vCenter with the permissions from this blog. After a couple of hours I still haven't seen the notification you are mentioning above.

Don't have a clear answer for you. Seems to depend... Got the information through GSS

Version history
Revision #:
1 of 1
Last update:
‎11-19-2015 05:24 AM
Updated by: