VMware vCenter Privileges for HPE CloudPhysics Virtual Appliance

Roles and Privileges

Please note that the following are essential when establishing privileges in VMware vCenter:
  • All privileges must be applied at the GLOBAL level (Global Permissions), not at the Host/Cluster level.
    “Global permissions are applied to a global root object that spans solutions. In an on-premises SDDC, global permissions might span both vCenter Server and vRealize Orchestrator. But for any vSphere SDDC, global permissions apply to global objects such as tags and content libraries. You can assign global permissions to users or groups, and decide on the role for each user or group. The role determines the set of privileges that the user or group has for all objects in the hierarchy. You can assign a predefined role or create custom roles.” - https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-C7702E31-1623-4189-89CB-E1136AA27972.html
  • After revising any of the vCenter privileges, restart the HPE CloudPhysics virtual appliances so that they reconnect with the new credentials and privileges.
  • All of these permissions depend on one another: if any one of them is missing or incorrect, HPE CloudPhysics cannot correlate one object to another (for example, the relationship of a VM to its Datastore to its Host).

Credentials for vCenter

Global Privileges
vSphere 4-6.x
• Global Service Managers


vSphere 7.x/8.x
• Global Service Managers

Host CIM Privileges
vSphere 4-6.x
• Host CIM Interaction (Host.Cim.CimInteraction)


vSphere 7.x/8.x
• Host CIM.CIM Interaction

Host Configuration Privileges
vSphere 4-6.x
• Host Advanced Configuration (Host.Config.AdvancedConfig)
• Host Configuration Patch (Host.Config.Patch)


vSphere 7.x/8.x
• Host.Configuration.Advanced Settings
• Host.Configuration.Query patch
• Host.Configuration.Storage partition configuration

Datastore Privileges
vSphere 4-6.x
• Datastore Browse (Datastore.Browse)
• Host Configuration Storage (Host.Config.Storage)


vSphere 7.x/8.x
• Datastore Browse (Datastore.Browse)

The following privileges are added by vCenter to every role by default, so they do not need to be selected explicitly:
System.Read
System.Anonymous
System.View
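The privilege lists above are easiest to get right, and to re-check after a vCenter upgrade, with a script. The following VMware PowerCLI script is an added example (not HPE's or VMware's own code) that creates a custom role carrying exactly the privileges listed above, or audits an existing role and adds only what is missing. It assumes PowerCLI is installed and that the privilege IDs shown in the 4-6.x column are still the IDs behind the 7.x/8.x names; the ID "Global.ServiceManagers" for "Global Service Managers" is an assumption and should be confirmed with Get-VIPrivilege. The server and role name are placeholders.

```powershell
# Added example (not HPE's or VMware's code): build or audit a least-privilege
# vCenter role for the HPE CloudPhysics appliance with VMware PowerCLI.
# Assumptions: PowerCLI is installed; $Server and $RoleName are placeholders;
# privilege IDs are taken from the 4-6.x column above, and
# 'Global.ServiceManagers' is assumed for "Global Service Managers"
# (confirm with: Get-VIPrivilege -Name 'Service managers').
param(
    [string]$Server   = 'vcenter.example.internal',   # placeholder vCenter FQDN
    [string]$RoleName = 'HPE-CloudPhysics-Observer'   # placeholder role name
)

# Privilege IDs required by the appliance (from the lists above).
$RequiredPrivilegeIds = @(
    'Global.ServiceManagers',      # Global > Service managers (ID assumed)
    'Host.Cim.CimInteraction',     # Host > CIM > CIM interaction
    'Host.Config.AdvancedConfig',  # Host > Configuration > Advanced settings
    'Host.Config.Patch',           # Host > Configuration > Query patch
    'Host.Config.Storage',         # Host > Configuration > Storage partition configuration
    'Datastore.Browse'             # Datastore > Browse datastore
)
# System.Anonymous, System.Read and System.View are added to every role by vCenter.

Connect-VIServer -Server $Server | Out-Null

# Resolve the IDs to privilege objects; an unknown ID stops the script, so a
# typo or a renamed privilege is caught before any role is touched.
$privileges = Get-VIPrivilege -Id $RequiredPrivilegeIds -ErrorAction Stop

$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    # No such role yet: create it with exactly the required privileges.
    $role = New-VIRole -Name $RoleName -Privilege $privileges
}
else {
    # Audit an existing role: add what is missing, remove nothing.
    $missing = $RequiredPrivilegeIds | Where-Object { $_ -notin $role.PrivilegeList }
    if ($missing) {
        Set-VIRole -Role $role -AddPrivilege (Get-VIPrivilege -Id $missing) | Out-Null
        $role = Get-VIRole -Name $RoleName
    }
}

# Final check: anything still absent is reported as a warning.
$stillMissing = $RequiredPrivilegeIds | Where-Object { $_ -notin $role.PrivilegeList }
if ($stillMissing) {
    Write-Warning ("Role '{0}' is still missing: {1}" -f $RoleName, ($stillMissing -join ', '))
}
else {
    Write-Host ("Role '{0}' carries all {1} required privileges." -f $RoleName, $RequiredPrivilegeIds.Count)
}

Disconnect-VIServer -Server $Server -Confirm:$false
```

The script stops at the role. Assigning that role to the appliance's service account is still done in the vSphere Client under Administration > Global Permissions, because the page requires the assignment to be global rather than on a Host or Cluster object, and a custom role containing only these privileges keeps the appliance's account at the minimum it needs.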

 


Please Note: Starting in VMware vCenter 7.0 U3 and in vSphere 8.x and beyond, VMware changed API access to vCenter and restricted it for Active Directory users. By default, access to VMware vCenter is limited to vCenter local users, and no privileges are granted to Active Directory users. As a result, Domain Admin users will not have access to the vCenter configuration details required by HPE CloudPhysics.

“By default, the local administrators group on the vCenter Server is the only group that has access to the vCenter Server. If you try to log in as a user that is not a member of the administrators group (either directly or indirectly through another group), the log in fails because the user account has no permission to any object in the inventory.” VMware KB: https://kb.vmware.com/s/article/1003872

Resolution as detailed in the KB above:
  1. Select the vCenter top-level object in the left-hand object panel.
  2. Click on Permissions
  3. Click +
  4. Add Permission for User vsphere.local
  5. Search for your user
  6. Choose Administrator for Role
  7. Check Propagate to Children
  8. Click OK.
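The same eight steps can be applied, and verified, from VMware PowerCLI. The following is an added example (not from the VMware KB or from HPE) that grants the Administrator role on the vCenter top-level object with propagation, skipping the grant if the principal already has a permission there, and then lists the resulting permission so the Propagate flag can be confirmed. It assumes the vCenter root object is the hidden root folder returned by Get-Folder -NoRecursion; the server name and principal are placeholders.

```powershell
# Added example (not the KB's or HPE's code): apply the KB resolution above
# with PowerCLI and verify the result.
# Assumptions: PowerCLI is installed; $Server and $Principal are placeholders;
# the vCenter top-level object is the root folder from Get-Folder -NoRecursion.
param(
    [string]$Server    = 'vcenter.example.internal',        # placeholder vCenter FQDN
    [string]$Principal = 'VSPHERE.LOCAL\cloudphysics-svc',  # placeholder vsphere.local user
    [string]$RoleName  = 'Administrator'                    # role chosen in step 6
)

Connect-VIServer -Server $Server | Out-Null

$root = Get-Folder -NoRecursion              # step 1: vCenter top-level object
$role = Get-VIRole -Name $RoleName -ErrorAction Stop

# Steps 2-8, made idempotent: only add a permission if none exists for this
# principal directly on the root object (inherited ones are excluded).
$existing = Get-VIPermission -Entity $root -Principal $Principal -ErrorAction SilentlyContinue |
    Where-Object { -not $_.IsGroup -or $_.Principal -eq $Principal }
if (-not $existing) {
    New-VIPermission -Entity $root -Principal $Principal -Role $role -Propagate:$true | Out-Null
}

# Verification: the permission should show the root entity, the role, and Propagate = True.
Get-VIPermission -Entity $root -Principal $Principal |
    Select-Object Principal, Role, Propagate, @{ Name = 'Entity'; Expression = { $_.Entity.Name } }

Disconnect-VIServer -Server $Server -Confirm:$false
```

The Role parameter accepts any role, so the same script can assign a custom role that contains only the privileges listed earlier on this page instead of Administrator when the account is used solely by the HPE CloudPhysics appliance.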

HPE Technical Support: cloudphysicssupport@hpe.com
Use this email address for technical issues with HPE CloudPhysics Observer, Account issues, and technical issues with the portal.