My current understanding is that the Node Deployment wizard validation step requires that the Contributor role be used on the service principal.
Meaning that if the service principal info entered into the wizard (info like the application ID and authentication key) does not match a service principal having the Contributor role, the wizard's validation step will not succeed to let you deploy the node.
And that is why the doc topic "Create the Required Service Principal by Creating an Application Registration" in the Getting Started Guide states "...you must ... assign the Contributor role...". ("must" = "the system requires it").
Hope that helps,
my subscriptions should still work as expected
A role is set on a specific *scope*. It is described in the Access Control section of that article you provided the link for:
"Role assignments - associate a definition with an identity (user or group) for a particular scope (subscription, resource group, or resource)."
For the node, the Contributor role is set on the scope of the specific *service principal* that you're going to use for that node. I don't believe it has to be set at a larger scope than the specific service principal.
So I'm not sure why the question is "the subscriptions working as expected". Are you asking whether you must apply the Contributor role scoped at some level other than the specific service principal for use with the node?
Yes, Lee Anne was just wondering: if the 2 roles for (subscription, resource group, or resource) & the *service principal* were set differently, then would the Node Details in HzC pass?
^ I imagine not, as the Service Principal role will supersede all other specifications.
Let me run a few tests and come back on this thread
Technically we could support the Owner role as well as the Contributor role. But as you mention, the Owner role means that with that service principal you have permissions to grant access to anyone you wish. As a result, VMware should not be given credentials with such 'power'. As such, our code explicitly checks (and will only allow) a service principal with the Contributor level access.
Owner access is not supported.
hope this helps clarify,
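A pre-flight check of the kind described in the two posts above (a role assignment is tied to a scope, and the wizard accepts Contributor but not Owner) can be done before running the wizard. The following is an added example and is not VMware's code or the wizard's own validation logic; it parses a constructed sample modelled on the JSON that `az role assignment list --assignee <appId> --all -o json` returns (the subscription and resource group ids, and the principal name `hzc-node-sp`, are placeholders) and reports whether the service principal holds Contributor at the scope the node will use, while flagging an Owner assignment as over-privileged.

```python
import json

# Constructed sample, modelled on the shape of `az role assignment list` output.
# Ids and names are placeholders, not real tenants, subscriptions or principals.
TARGET_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
NODE_SCOPE = TARGET_SUB + "/resourceGroups/rg-hzc-node"

SAMPLE_CONTRIBUTOR = json.dumps([
    {"principalName": "hzc-node-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": TARGET_SUB},
    # Reader on an unrelated resource group: outside the node's scope, ignored.
    {"principalName": "hzc-node-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": TARGET_SUB + "/resourceGroups/rg-other"},
])

SAMPLE_OWNER = json.dumps([
    {"principalName": "hzc-node-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": TARGET_SUB},
])

SAMPLE_WRONG_SCOPE = json.dumps([
    # Contributor exists, but only on a resource group the node does not use.
    {"principalName": "hzc-node-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": TARGET_SUB + "/resourceGroups/rg-other"},
])

ACCEPTED_ROLE = "Contributor"
REJECTED_ROLES = {"Owner"}  # can grant access to others; the thread says this is not accepted


def scope_covers(assigned_scope, target_scope):
    """A role assigned at a scope is inherited by every scope nested beneath it."""
    assigned = assigned_scope.rstrip("/").lower()
    target = target_scope.rstrip("/").lower()
    return target == assigned or target.startswith(assigned + "/")


def check_service_principal(assignments_json, target_scope):
    """Return (ok, findings) for the role assignments that apply at target_scope.

    ok is True only when a Contributor assignment covers target_scope and no
    rejected (Owner) assignment does.
    """
    assignments = json.loads(assignments_json)
    findings = []
    has_contributor = False
    for entry in assignments:
        role = entry.get("roleDefinitionName")
        scope = entry.get("scope", "")
        if not scope_covers(scope, target_scope):
            continue  # assignment does not apply at the node's scope
        if role == ACCEPTED_ROLE:
            has_contributor = True
        elif role in REJECTED_ROLES:
            findings.append(f"{role} assigned at {scope}: over-privileged, not accepted")
    if not has_contributor:
        findings.append(f"no {ACCEPTED_ROLE} assignment covers {target_scope}")
    return (not findings), findings


if __name__ == "__main__":
    for label, sample in [("contributor", SAMPLE_CONTRIBUTOR),
                          ("owner", SAMPLE_OWNER),
                          ("wrong scope", SAMPLE_WRONG_SCOPE)]:
        ok, findings = check_service_principal(sample, NODE_SCOPE)
        print(label, "PASS" if ok else "FAIL", findings)
```

To run it against a real tenant, replace the constructed samples with the JSON the Azure CLI returns for the application ID you intend to enter in the wizard, and set `NODE_SCOPE` to the subscription or resource group the node will be deployed into.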
Most certainly clarifies my confusion, Peter.