vCenter provides system and sample roles by default. When connecting vRanger to VMware using a custom account, the user and the role must be defined at the vCenter level and then propagated to the child objects.
To avoid granting administrator permissions that vRanger does not require, create a new role with the following permissions:
In some scenarios the account may need to be limited to one specific VMware datacenter. In these cases, define the user at the vCenter level without propagating to any child object. Once it has been defined at the vCenter level, define it at the datacenter level and propagate it down to the child objects.
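The two assignments described above can be scripted with VMware PowerCLI. The following is an added example, not part of the original article or of vRanger itself. The server, account, datacenter and role names are placeholders, and the role is assumed to already exist in vCenter.

```powershell
# Added example: scope a backup service account to a single datacenter.
# Every default value below is a placeholder (assumption), not taken from the article.
param(
    [string]$VCenter    = 'vcenter.example.local',
    [string]$Principal  = 'EXAMPLE\svc-vranger',
    [string]$Datacenter = 'DC-Example',
    [string]$Role       = 'vRanger-Limited',  # custom role, already created in vCenter
    [string]$RootRole   = $Role               # role applied at the vCenter level
)

$ErrorActionPreference = 'Stop'
Import-Module VMware.VimAutomation.Core
$vi = Connect-VIServer -Server $VCenter

try {
    # The root inventory folder represents "the vCenter level".
    $root = Get-Folder -NoRecursion -Server $vi
    $dc   = Get-Datacenter -Name $Datacenter -Server $vi

    # Step 1: vCenter level, NOT propagated to child objects.
    New-VIPermission -Entity $root -Principal $Principal `
        -Role (Get-VIRole -Name $RootRole -Server $vi) -Propagate:$false | Out-Null

    # Step 2: datacenter level, propagated to child objects.
    New-VIPermission -Entity $dc -Principal $Principal `
        -Role (Get-VIRole -Name $Role -Server $vi) -Propagate:$true | Out-Null

    # Verification: list everything granted to the account and flag any
    # propagating permission that sits outside the intended datacenter.
    $perms = Get-VIPermission -Server $vi |
        Where-Object { $_.Principal -eq $Principal }
    $perms | Format-Table Entity, Role, Propagate -AutoSize

    $leaks = $perms | Where-Object { $_.Propagate -and $_.EntityId -ne $dc.Id }
    if ($leaks) {
        Write-Warning "Propagating permission found outside '$Datacenter':"
        $leaks | Format-Table Entity, Role, Propagate -AutoSize
    }
}
finally {
    Disconnect-VIServer -Server $vi -Confirm:$false
}
```

The verification step is the part worth keeping in a periodic audit: a propagating grant on the root folder would silently extend the account to every datacenter.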
NOTE: Where the vCenter account must be limited even further due to tenancy configurations, two roles must be created. The main role, with the limited permissions defined previously in this article, must be defined at the datacenter level and propagated to the child objects. A secondary limited VMware role must be defined for the user at the vCenter level to ensure the account has enough permissions to query the objects. The following permissions are required for the user defined at the vCenter level, and they should not be propagated to the child objects: