I recently installed the Management Pack for Storage Devices at a customer site. The customer was required to use a service account which had limited privileges in vCenter. The account had the bare minimum needed for vROps to collect data from vCenter. Using the bare minimum for collecting data wasn’t sufficient for the Management Pack for Storage Devices. I found myself needing to find the least user privilege for the Management Pack for Storage Devices. I looked at the documentation, but found no answer there, so I then reached out to GSS, which I later abandoned as we were going nowhere fast. So I jumped into my favorite log analytics tool, Log Insight, and started going through the logs regarding the error (I will write another blog post about how I did it). After 15 minutes I had covered all the user rights needed and added them to the role of the service account in vCenter, and the Management Pack for Storage Devices had started collecting data from the environment.
Least user privilege for Management Pack for Storage Devices
These are the user privileges I found to be needed for the Management Pack for Storage Devices. The first three lines, where the “ParentGroup” is “System”, are part of any vCenter role; basically, they are what gives you read-only rights in vCenter. The next four lines, where the “ParentGroup” is “Global” or “Extension”, are the most basic user rights needed to log in to vCenter. Without these the user won’t even be able to log in to vCenter. The last four lines are the ones you need to set explicitly, so that the role has the right privileges to collect the storage data which the Management Pack for Storage Devices needs.
Name | ParentGroup | Id |
---|---|---|
Anonymous | System | System.Anonymous |
View | System | System.View |
Read | System | System.Read |
Licenses | Global | Global.Licenses |
Register extension | Extension | Extension.Register |
Update extension | Extension | Extension.Update |
Unregister extension | Extension | Extension.Unregister |
Storage partition configuration | Configuration | Host.Config.Storage |
CIM interaction | CIM | Host.Cim.CimInteraction |
Profile-driven storage view | Profile-driven storage | StorageProfile.View |
View | Storage views | StorageViews.View |
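
The role from the table above, built and audited with PowerCLI. This is an added example, not code from the original post; it assumes VMware PowerCLI with an existing `Connect-VIServer` session, and the role name is a hypothetical placeholder.

```powershell
# Added example: assumes VMware PowerCLI and an existing Connect-VIServer session.
# $RoleName is a hypothetical name; the privilege IDs are the ones from the table.
$RoleName = 'vROps-MPSD-Collector'

$Required = @(
    'System.Anonymous', 'System.View', 'System.Read',                   # part of any role
    'Global.Licenses',
    'Extension.Register', 'Extension.Update', 'Extension.Unregister',
    'Host.Config.Storage', 'Host.Cim.CimInteraction',                   # set explicitly
    'StorageProfile.View', 'StorageViews.View'
)

# Resolve every ID first, so a typo or a version difference fails loudly
# instead of silently producing a role that is missing a privilege.
$Privileges = foreach ($id in $Required) {
    $p = Get-VIPrivilege -Id $id -ErrorAction SilentlyContinue
    if (-not $p) { throw "Privilege ID not found in this vCenter: $id" }
    $p
}

# Create the role if it does not exist yet.
$Role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $Role) {
    $Role = New-VIRole -Name $RoleName -Privilege $Privileges
    Write-Host "Created role '$RoleName'"
}

# Audit an existing role against the table: what is missing, and what has crept in.
$Missing = @($Required | Where-Object { $_ -notin $Role.PrivilegeList })
$Extra   = @($Role.PrivilegeList | Where-Object { $_ -notin $Required })

if ($Missing) {
    # Add only the privileges the table lists and the role lacks.
    $Role = Set-VIRole -Role $Role -AddPrivilege (Get-VIPrivilege -Id $Missing)
    Write-Host "Added missing privileges: $($Missing -join ', ')"
}
if ($Extra) {
    # Do not remove automatically; report for review so the role stays least-privilege.
    Write-Warning "Role grants more than the table lists: $($Extra -join ', ')"
}
```

Running it again later against the same role reports any privileges that were added outside the list.
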
Finally, that’s all. Quite simple, right? You should check out the Management Pack for Storage Devices. It can be downloaded from solutionexchange.vmware.com, which is a store for downloading extensions for products such as vROps and Log Insight. Here is the direct link to the Management Pack for Storage Devices.