vCenter Endpoints - Account Setup

Problem

To improve security and stability of an environment, an account with minimal privileges should be used to integrate vRealize Automation with other systems.

VMware vCenter Endpoint Credentials

Applies to DRS, Snapshots, VM Tagging and connections using VMware Tools

Whilst the vRealize Automation service accounts for vRA and vRO respectively will likely have Administrator rights on the vCenters in the environment, it may be desirable to reduce the rights (vCenter role) granted to the service account used by the SovLabs integrations. It is also useful to create this as a separate service account, which makes it easier to attribute vCenter activity to these integration points.

From a security point of view, whilst this reduces the privileges of the account used for these operations, it does not reduce the privileges of the workflows themselves: they still have IaaS administrator rights in vRealize Automation, and vRealize Automation will have administrator rights in vCenter.

Privileges Required

The privileges required for each integration are listed below. To use these with a service account it is necessary to create a custom vCenter role containing them.

If the intention is to restrict access to a specific subset of virtual machines managed in vCenter, take note of the "Applies to" column in the table below, as it indicates where in the vCenter hierarchy the privileges need to take effect.

SovLabs Integration | Privilege | Privilege Id | Applies to
--- | --- | --- | ---
Common | Default | System.Anonymous |
Common | Default | System.Read |
Common | Default | System.View |
DRS | Host > Inventory > Modify Cluster | Host.Inventory.EditCluster | Cluster
Snapshots | Virtual machine > Snapshot management > Create snapshot | VirtualMachine.State.CreateSnapshot | Virtual Machines
Snapshots | Virtual machine > Snapshot management > Remove snapshot | VirtualMachine.State.RemoveSnapshot | Virtual Machines
Snapshots | Virtual machine > Snapshot management > Rename snapshot | VirtualMachine.State.RenameSnapshot | Virtual Machines
Snapshots | Virtual machine > Snapshot management > Revert to snapshot | VirtualMachine.State.RevertToSnapshot | Virtual Machines
VM Tagging | vSphere Tagging > Assign or Unassign vSphere Tag | InventoryService.Tagging.AttachTag |
VM Tagging | vSphere Tagging > Create vSphere Tag | InventoryService.Tagging.CreateTag |
VM Tagging | vSphere Tagging > Create vSphere Tag Category | InventoryService.Tagging.CreateCategory |
VMware Tools Connection Type | Virtual machine > Guest Operations > Guest Operation Queries | VirtualMachine.GuestOperations.Query | Virtual Machines
VMware Tools Connection Type | Virtual machine > Guest Operations > Guest Operation Program Execution | VirtualMachine.GuestOperations.Execute | Virtual Machines
VMware Tools Connection Type | Virtual machine > Guest Operations > Guest Operation Modifications | VirtualMachine.GuestOperations.Modify | Virtual Machines

Once the role has been created it will be listed among the vCenter roles. A service account created specifically for the SovLabs modules in AD can then be assigned to the role. Once this is complete, the Manage Credential Configuration catalog item can be used to update the vCenter Endpoint credentials associated with the SovLabs module.
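As an added illustration (not part of the SovLabs article), the following Python check compares the privilege IDs of an exported vCenter role (for example the privilege list of a role pulled via PowerCLI) with the table above: it reports which privileges an enabled integration still lacks and which granted privileges go beyond least privilege. The sample role, and the extra PowerOff privilege in it, are constructed for the example.

```python
# Added example (not from the SovLabs article): audit an exported vCenter role
# against the privilege table above. The sample role below is constructed.

COMMON = {"System.Anonymous", "System.Read", "System.View"}

# Privilege IDs each SovLabs integration needs, taken from the table above.
REQUIRED = {
    "DRS": {"Host.Inventory.EditCluster"},
    "Snapshots": {
        "VirtualMachine.State.CreateSnapshot",
        "VirtualMachine.State.RemoveSnapshot",
        "VirtualMachine.State.RenameSnapshot",
        "VirtualMachine.State.RevertToSnapshot",
    },
    "VM Tagging": {
        "InventoryService.Tagging.AttachTag",
        "InventoryService.Tagging.CreateTag",
        "InventoryService.Tagging.CreateCategory",
    },
    "VMware Tools": {
        "VirtualMachine.GuestOperations.Query",
        "VirtualMachine.GuestOperations.Execute",
        "VirtualMachine.GuestOperations.Modify",
    },
}


def audit_role(granted, enabled):
    """Per enabled integration, the privileges the role lacks ('missing:<name>'),
    plus granted privileges no enabled integration or the baseline needs ('excess')."""
    have, needed, report = set(granted), set(COMMON), {}
    for name in enabled:
        needed |= REQUIRED[name]
        report[f"missing:{name}"] = (REQUIRED[name] | COMMON) - have
    report["excess"] = have - needed  # anything here violates least privilege
    return report


# Constructed sample: a role built for Snapshots and VMware Tools that lacks
# one snapshot privilege and carries one privilege nothing here needs.
SAMPLE_ROLE = sorted(COMMON) + [
    "VirtualMachine.State.CreateSnapshot", "VirtualMachine.State.RemoveSnapshot",
    "VirtualMachine.State.RevertToSnapshot", "VirtualMachine.GuestOperations.Query",
    "VirtualMachine.GuestOperations.Execute", "VirtualMachine.GuestOperations.Modify",
    "VirtualMachine.Interact.PowerOff",  # not required by any SovLabs integration
]

if __name__ == "__main__":
    for key, privs in audit_role(SAMPLE_ROLE, ["Snapshots", "VMware Tools"]).items():
        print(f"{key}: {sorted(privs) or 'none'}")
```

Running it against the sample reports RenameSnapshot as missing for Snapshots and PowerOff as excess; pass only the integrations actually enabled, otherwise privileges for unused modules are hidden from the excess list.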
