VMware vCenter Privileges for HPE CloudPhysics Virtual Appliance
Roles and Privileges
Please note that the following are essential for establishing privileges in VMware vCenter:
- All privileges must be applied at the GLOBAL level, not at the Host/Cluster level.
“Global permissions are applied to a global root object that spans solutions. In an on-premises SDDC, global permissions might span both vCenter Server and vRealize Orchestrator. But for any vSphere SDDC, global permissions apply to global objects such as tags and content libraries. You can assign global permissions to users or groups, and decide on the role for each user or group. The role determines the set of privileges that the user or group has for all objects in the hierarchy. You can assign a predefined role or create custom roles.” - https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-C7702E31-1623-4189-89CB-E1136AA27972.html
- After revising any of the vCenter Privileges, please restart the HPE CloudPhysics virtual appliances to ensure they reconnect with the new credentials and privileges.
- All the permissions are related; if one is incorrect, we cannot correlate one object to another (for example, the relationship of VM to Datastore to Host).
Credentials for vCenter
Global Privileges
vSphere 4-6.x
• Global Service Managers
vSphere 7.x/8.x
• Global Service Managers
Host CIM Privileges
vSphere 4-6.x
• Host CIM Interaction (Host.Cim.CimInteraction)
vSphere 7.x/8.x
• Host CIM.CIM Interaction
Host Configuration Privileges
vSphere 4-6.x
• Host Advanced Configuration (Host.Config.AdvancedConfig)
• Host Configuration Patch (Host.Config.Patch)
vSphere 7.x/8.x
• Host.Configuration.Advanced Settings
• Host.Configuration.Query patch
• Host.Configuration.Storage partition configuration
Datastore Privileges
vSphere 4-6.x
• Datastore Browse (Datastore.Browse)
• Host Configuration Storage (Host.Config.Storage)
vSphere 7.x/8.x
• Datastore Browse (Datastore.Browse)
The following are the default permissions that vCenter applies to all roles/privileges it creates:
System.Read
System.Anonymous
System.View
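An added example (not HPE or VMware code) that audits a role's exported privilege IDs against the list above, reporting missing privileges, privileges beyond the list, and whether the permission is global. The export format (one ID per line), the function names, and the ID `Global.ServiceManagers` for "Global Service Managers" are assumptions; the sample export is constructed.

```python
"""Audit a vCenter role export against the privileges this page lists (added example)."""

# Privilege IDs as given in parentheses on this page.
REQUIRED = frozenset({
    "Global.ServiceManagers",  # assumption: ID for "Global Service Managers"
    "Host.Cim.CimInteraction",
    "Host.Config.AdvancedConfig",
    "Host.Config.Patch",
    "Host.Config.Storage",
    "Datastore.Browse",
})
# Privileges the page says vCenter puts in every role.
DEFAULTS = frozenset({"System.Anonymous", "System.Read", "System.View"})


def parse_export(text):
    """Parse one privilege ID per line; blank lines and '#' comments are skipped."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def audit_role(export_text, is_global):
    """Compare a role's privileges and scope with what the appliance needs."""
    have = parse_export(export_text)
    missing = sorted(REQUIRED - have)
    excess = sorted(have - REQUIRED - DEFAULTS)
    return {
        "missing": missing,      # breaks VM/datastore/host correlation
        "excess": excess,        # more access than the appliance needs
        "global_scope": is_global,
        "ok": not missing and not excess and is_global,
    }


# Constructed sample: one required privilege absent, one unrelated privilege present.
SAMPLE_EXPORT = """\
System.Anonymous
System.Read
System.View
Global.ServiceManagers
Host.Cim.CimInteraction
Host.Config.AdvancedConfig
Host.Config.Storage
Datastore.Browse
VirtualMachine.Interact.PowerOff   # not on the page's list
"""

if __name__ == "__main__":
    print(audit_role(SAMPLE_EXPORT, is_global=True))
```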
“By default, the local administrators group on the vCenter Server is the only group that has access to the vCenter Server. If you try to log in as a user that is not a member of the administrators group (either directly or indirectly through another group), the log in fails because the user account has no permission to any object in the inventory.”
VMware KB: https://kb.vmware.com/s/article/1003872
Resolution as detailed in KB above:
- To resolve this, select the vCenter top-level object in the left-hand object panel.
- Click on Permissions
- Click +
- Add Permission for User vsphere.local
- Search for your user
- Choose Administrator for Role
- Check Propagate to Children
- Click OK.
HPE Technical Support: cloudphysicssupport@hpe.com
Use this email address for technical issues with HPE CloudPhysics Observer, Account issues, and technical issues with the portal.