To improve security and stability of an environment, an account with minimal privileges should be used to integrate vRealize Automation with other systems.
VMware vCenter Endpoint Credentials
Applies to DRS, Snapshots, VM Tagging and connections using VMware Tools
Whilst the vRealize Automation service accounts used by vRA and vRO will likely have Administrator rights on the vCenters in the environment, it may be desirable to reduce the rights (vCenter role) granted to the service account used by the SovLabs integrations. It is also useful to create this as a separate service account so that vCenter activity generated by these integration points is easier to attribute.
From a security point of view, whilst this reduces the privilege of the account used for these operations, it does not reduce the privilege of the workflows themselves: they still hold IaaS administrator rights in vRealize Automation, and vRealize Automation itself still has administrator rights in vCenter.
The privileges required for each integration are listed below; to use them with a service account it is necessary to create a custom vCenter role.
If the intention is to restrict access to a specific subset of virtual machines managed in vCenter, take note of the Applies to column in the table below, as it indicates where in the vCenter hierarchy the privileges need to take effect.
| SovLabs Integration | Privilege | PrivilegeId | Applies to |
|---|---|---|---|
| DRS | Host > Inventory > Modify Cluster | Host.Inventory.EditCluster | Cluster |
| Snapshots | Virtual machine > Snapshot management > Create snapshot | | Virtual Machines |
| Snapshots | Virtual machine > Snapshot management > Remove snapshot | VirtualMachine.State.RemoveSnapshot | Virtual Machines |
| Snapshots | Virtual machine > Snapshot management > Rename snapshot | VirtualMachine.State.RenameSnapshot | Virtual Machines |
| Snapshots | Virtual machine > Snapshot management > Revert to snapshot | VirtualMachine.State.RevertToSnapshot | Virtual Machines |
| VM Tagging | vSphere Tagging > Assign or Unassign vSphere Tag | | |
| VM Tagging | vSphere Tagging > Create vSphere Tag | InventoryService.Tagging.CreateTag | |
| VM Tagging | vSphere Tagging > Create vSphere Tag Category | InventoryService.Tagging.CreateCategory | |
| VMware Tools | Virtual machine > Guest Operations > Guest Operation Queries | VirtualMachine.GuestOperations.Query | Virtual Machines |
| VMware Tools | Virtual machine > Guest Operations > Guest Operation Program Execution | VirtualMachine.GuestOperations.Execute | Virtual Machines |
| VMware Tools | Virtual machine > Guest Operations > Guest Operation Modifications | VirtualMachine.GuestOperations.Modify | Virtual Machines |
When your role has been created it will be shown as follows. A service account created specifically for the SovLabs modules in AD can then be assigned to the role. Once this is complete, the Manage Credential Configuration catalog item can be used to update the vCenter endpoint credentials associated with the SovLabs module.
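The role creation and assignment described above, as an added PowerCLI example that is not part of the SovLabs documentation: it builds one custom role per "Applies to" scope from the privilege table, assigns each role to a dedicated service account at the matching inventory level, and then checks that no role carries privileges beyond the listed ones. The vCenter name, the `LAB\svc-sovlabs` account, the `Cluster01` cluster and the `vRA-Managed` VM folder are assumed; the two privilege IDs the page does not print are taken from the vSphere privilege reference and marked as such, and granting the tagging privileges at the inventory root is an assumption.

```powershell
# Added example (not SovLabs' own code). Requires VMware PowerCLI.
$VCenter   = 'vcenter.example.test'   # assumed
$Principal = 'LAB\svc-sovlabs'        # assumed dedicated AD service account
$Cluster   = 'Cluster01'              # assumed
$VmFolder  = 'vRA-Managed'            # assumed VM folder holding vRA-managed VMs

# Privilege IDs grouped by the vCenter object the permission must be set on.
# Entries marked (reference) are not printed on this page; verify them
# against the privilege list of your own vCenter build.
$Scopes = @{
    Cluster        = @('Host.Inventory.EditCluster')                 # DRS
    VirtualMachine = @(
        'VirtualMachine.State.CreateSnapshot',                       # (reference)
        'VirtualMachine.State.RemoveSnapshot',
        'VirtualMachine.State.RenameSnapshot',
        'VirtualMachine.State.RevertToSnapshot',
        'VirtualMachine.GuestOperations.Query',                      # VMware Tools
        'VirtualMachine.GuestOperations.Execute',
        'VirtualMachine.GuestOperations.Modify'
    )
    Global         = @(                                              # VM Tagging
        'InventoryService.Tagging.AttachTag',                        # (reference)
        'InventoryService.Tagging.CreateTag',
        'InventoryService.Tagging.CreateCategory'
    )
}

Connect-VIServer -Server $VCenter | Out-Null

foreach ($scope in $Scopes.Keys) {
    $roleName = "SovLabs-$scope"
    $role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
    if (-not $role) {
        $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id $Scopes[$scope])
    }

    # Assignment target follows the "Applies to" column. Tagging is assumed to
    # need a non-propagating permission on the inventory root.
    $entity = switch ($scope) {
        'Cluster'        { Get-Cluster -Name $Cluster }
        'VirtualMachine' { Get-Folder -Name $VmFolder -Type VM }
        'Global'         { Get-Folder -NoRecursion }   # root "Datacenters" folder
    }
    New-VIPermission -Entity $entity -Principal $Principal -Role $role `
        -Propagate:($scope -eq 'VirtualMachine') | Out-Null

    # Least-privilege check: only the listed privileges may be present.
    # vCenter adds System.* (Anonymous/View/Read) to every role, so skip those.
    $actual = (Get-VIPrivilege -Role $role).Id | Where-Object { $_ -notlike 'System.*' }
    $extra  = $actual | Where-Object { $Scopes[$scope] -notcontains $_ }
    if ($extra) { Write-Warning "$roleName carries unlisted privileges: $($extra -join ', ')" }
}
```

Re-running the script after a role has been edited by hand surfaces any privilege added outside the table, which is the drift a least-privilege account most commonly suffers.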