VMware Cloud Community
danbarr
Enthusiast

Minimum privileges for vCenter/vCOPS access?

Is there any documentation on the minimum privileges required for Log Insight to access vCenter and vCOPS? The security guide does not detail this.

Thanks.


Accepted Solutions
sflanders
Commander

vCenter Server = read-only privileges (user must be defined at root vCenter Server object and have the propagate checkbox selected)

vCenter Operations Manager = user privileges.

Security Guide is here, but does not contain this information: Log Insight 1.0 Beta Security Guide

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===

danbarr
Enthusiast

Thanks for the quick reply! I did find the security guide just after saving my post, but as you confirmed it doesn't contain this info.

A read-only account worked fine for vCenter, but for vCOps it seems to require the appliance admin account.

sflanders
Commander

What version and edition of vC Ops? What happened when you tried a user with user privileges? (P.S. we will be adding this information to documentation - it is mentioned in the documentation, but needs to be updated)

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
danbarr
Enthusiast

This is vCOps Foundation 5.7.1. When I used a vCenter user with the "vCenter Operations Manager User" privilege, Log Insight said "Connection test failed: Invalid username or password". I think since it's registering an extension, it probably does need the vCOps backend admin account, not a frontend user account.

sflanders
Commander

Thanks for the information! I know this was tested and confirmed to work with user privileges in the advanced edition so I will ensure this is looked into.

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
PhillyDubs
Enthusiast

You are correct (based on my experience) and the following info is straight from VMware -

VMware vCenter Operations Manager 5.7.1

User Accounts

  • To register vCenter Operations Manager with a vCenter Server, you must provide the minimum set of user credentials for that vCenter Server. The minimum privileges required to register and unregister vCenter Operations Manager with a vCenter Server are Global: Licenses and Extension: Register extension, unregister extension, update extension.
  • The user account you use for collecting data with vCenter Operations Manager determines the scope and accuracy of the monitoring data.
    • vCenter Operations Manager does not require administrator privileges to collect data from a vCenter Server. However, the scope of data collected depends on the privileges of the user you assign as the Collection user on the vCenter Operations Manager Administration portal. The minimum privileges required to collect data are Global: Health and Storage Views: View.

The vCenter Operations User permission is for an actual user to log in to vCenter Operations and utilize the information, but not administrator access. Both of these permissions do not even show up until vCenter Operations is installed. Permissions to allow vCenter Operations to connect to vCenter are completely separate, based on my experience with the product.

I have configured a vCenter Operations "collector" user account and given them the permissions listed in the quote above and it works fine.

EDIT: Never mind, I'm a moron that can't read

VCP5
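
The vCenter-side assignments described in this thread, as an added PowerCLI example that is not from any poster or from VMware's documentation. The account and role names are hypothetical, the privilege IDs are the vSphere API identifiers for the privileges named in the quoted text, and an existing `Connect-VIServer` session to a single vCenter Server is assumed. It does not cover the account Log Insight uses against vC Ops, which the thread leaves open.

```powershell
# Assumption: VMware PowerCLI is loaded and Connect-VIServer has already succeeded.
# Hypothetical service accounts; replace with your own principals.
$logInsightUser = 'EXAMPLE\svc-loginsight'     # Log Insight -> vCenter (read-only)
$vcopsRegUser   = 'EXAMPLE\svc-vcops-register' # vC Ops registration with vCenter
$vcopsCollUser  = 'EXAMPLE\svc-vcops-collect'  # vC Ops collection user

# Hypothetical role names mapped to the minimum privileges quoted in the thread.
$roles = @{
    'vCOps-Register' = @('Global.Licenses',      # Global: Licenses
                         'Extension.Register',   # Extension: Register extension
                         'Extension.Unregister', # Extension: Unregister extension
                         'Extension.Update')     # Extension: Update extension
    'vCOps-Collect'  = @('Global.Health',        # Global: Health
                         'StorageViews.View')    # Storage Views: View
}

# Create each role only if it does not exist yet, so the script can be re-run.
foreach ($name in $roles.Keys) {
    if (-not (Get-VIRole -Name $name -ErrorAction SilentlyContinue)) {
        New-VIRole -Name $name -Privilege (Get-VIPrivilege -Id $roles[$name]) | Out-Null
    }
}

# The root vCenter Server object is the top-level inventory folder.
$root = Get-Folder -NoRecursion

# One permission per account, defined at the root with propagation enabled.
$assignments = @(
    @{ Principal = $logInsightUser; Role = 'ReadOnly' }       # built-in read-only role
    @{ Principal = $vcopsRegUser;   Role = 'vCOps-Register' }
    @{ Principal = $vcopsCollUser;  Role = 'vCOps-Collect' }
)
foreach ($a in $assignments) {
    New-VIPermission -Entity $root -Principal $a.Principal `
        -Role (Get-VIRole -Name $a.Role) -Propagate $true | Out-Null
}

# Review what was granted: each account should appear once, with Propagate = True.
$principals = $assignments | ForEach-Object { $_.Principal }
Get-VIPermission -Entity $root |
    Where-Object { $principals -contains $_.Principal } |
    Select-Object Principal, Role, Propagate
```

`New-VIRole` always includes the implicit system privileges (anonymous, read, view) in a new role, so the review output reflects the custom privileges plus those defaults.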