3 Replies Latest reply on Apr 15, 2011 1:39 PM by mobychien

    Minimum Privileges for Script?

    Sirry Enthusiast

      Hi Will,


           I was wondering what the minimum privileges are for executing the vmwarevSphereSecurityHardeningReportCheck script.

        • 1. Re: Minimum Privileges for Script?
          lamw Guru (Community Warriors, VMware Employees)

          Sirry,


          I've not looked into what the minimum privileges are, but this will also depend on whether you're trying to validate going through vCenter and/or directly to an ESX(i) host. The latter will definitely require administrator privileges, as it tries to download a few files to verify some checks. I believe if you go through vCenter, that readOnly _should_ work, but I've not tested this.


          You could give that a shot and let me know if it's sufficient or if you hit particular problems.

          • 2. Re: Minimum Privileges for Script?
            MKguy Virtuoso

            We use a local Windows account on the vCenter Server for vifastpass operations from the vMA. This user is only member of the local Users group, no Administrators or anything else.

            In the vCenter structure, the permission for this user is set at the vCenter level (the highest one) in the vSphere Client and propagates to the lower levels.


            We use a custom vCenter role for this user, which only consists of the following permissions:

            - Datastore -> Browse datastore

            - Global -> Diagnostics, Licenses

            - Sessions -> View and stop sessions


            This really is everything this role is permitted to do, and the vSphereSecurityHardening as well as the vSphereHealthCheck execute flawlessly when run after a vifptarget -s My_vCenter_Server.


            Note that we also registered each ESXi server separately with the vMA, besides the vCenter, with this local account.

            • 3. Re: Minimum Privileges for Script?
              mobychien Novice

              We tested the script with the following set-up: Create a Windows AD group, vcenterAudit (you could call it whatever you choose), and add a test account to the AD group. Assign the Read-Only role at the Datacenter level to the newly created AD group. Run the script using the test account credentials against our vCenter server. The above setup is the only privilege that we need.
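The two permission setups described in replies 2 and 3 (MKguy's custom role with four privileges applied at the vCenter level, and mobychien's built-in Read-Only role granted to an AD group at the Datacenter level) can be reproduced and verified with PowerCLI. The script below is an added example, not code from either poster or from the hardening script's author. The server name, role name, principal names and datacenter name are assumptions; the four privilege display names are the ones listed in reply 2, looked up by name so the script fails rather than silently grants something else if a name does not match exactly one privilege.

```powershell
# Added example (PowerCLI), not part of the original thread.
# Variant 1 reproduces the custom audit role from reply 2 (four privileges, set at the
# vCenter root with propagation). Variant 2 reproduces reply 3 (built-in ReadOnly role for
# an AD group at the Datacenter). Assumed names: vcenter.example.com, vSphereAudit,
# VCENTER\auditsvc, CORP\vcenterAudit, DC01 -- adjust to your environment.

param(
    [string]$Server     = "vcenter.example.com",
    [string]$RoleName   = "vSphereAudit",
    [string]$LocalUser  = "VCENTER\auditsvc",    # local Windows account on the vCenter Server (assumed)
    [string]$AdGroup    = "CORP\vcenterAudit",   # AD group for the Read-Only variant (assumed)
    [string]$Datacenter = "DC01"                 # assumed datacenter name
)

Connect-VIServer -Server $Server | Out-Null

# --- Variant 1: custom role containing only the privileges listed in reply 2 ---
$wanted = @("Browse datastore", "Diagnostics", "Licenses", "View and stop sessions")
$privs = foreach ($n in $wanted) {
    $p = @(Get-VIPrivilege -Name $n)
    # Refuse to continue if a display name is ambiguous or missing; never guess a privilege.
    if ($p.Count -ne 1) { throw "Privilege '$n' matched $($p.Count) entries; expected exactly one" }
    $p[0]
}

$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege $privs
}

# The root folder returned by Get-Folder -NoRecursion is the "vCenter level";
# Propagate pushes the permission down to every child object, as described in reply 2.
$root = Get-Folder -NoRecursion
New-VIPermission -Entity $root -Principal $LocalUser -Role $role -Propagate:$true | Out-Null

# --- Variant 2: built-in ReadOnly role for an AD group, assigned at the Datacenter (reply 3) ---
$dc = Get-Datacenter -Name $Datacenter
New-VIPermission -Entity $dc -Principal $AdGroup -Role (Get-VIRole -Name "ReadOnly") -Propagate:$true | Out-Null

# Verify what each principal actually holds, and that the custom role carries nothing extra.
Get-VIPermission -Principal $LocalUser, $AdGroup |
    Select-Object Principal, Role, Propagate, @{ n = "Entity"; e = { $_.Entity.Name } } |
    Format-Table -AutoSize
Get-VIPrivilege -Role $role | Select-Object Name, Id | Format-Table -AutoSize

Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it once against a lab vCenter, then run the hardening script as each principal (through vCenter, not directly against a host, since reply 1 notes the direct-host path needs administrator rights) and compare. The final Get-VIPrivilege listing is the check worth keeping: if it ever shows more than the four entries, the role has drifted from the minimum the thread established.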