Problem
To improve the security and stability of an environment, an account with minimal privileges should be used to integrate CloudBolt with other systems.
VMware vCenter Endpoint Credentials
Applies to: Provisioning, Snapshots, VM Tagging, and connections using VMware Tools.
It is useful to create a separate service account to make it easier to attribute vCenter activity to these integration points.
Note: Using a vCenter Admin account for the CloudBolt integration is also acceptable from a functionality standpoint.
Privileges Required
The privileges required for each integration are listed below. To grant them to a service account, create a custom role containing these privileges and assign it to the account.
If the intention is to restrict access to a specific subset of virtual machines managed in vCenter, take note of the "Applies to" column in the table below, as it indicates where in the vCenter hierarchy the privileges need to take effect.
CloudBolt Integration | Privilege | PrivilegeId | Applies to |
---|---|---|---|
Common | Default | System.Anonymous, System.Read, System.View | |
Provisioning | Host > Inventory > Modify Cluster | Host.Inventory.EditCluster | Cluster |
| Datastore > Allocate Space | | |
| Datastore > Browse Datastore | | |
| Network > Assign Network (if the target virtual machine has network adapters) | | |
| Resource > Assign Virtual Machine To Resource Pool | | |
| Virtual Machine > Inventory | | |
| Virtual Machine > Configuration | | |
| Virtual Machine > Interaction > Power On (if the target virtual machine is to be powered on after conversion) | | |
| Virtual Machine > Provisioning > Allow Disk Access | | |
| Virtual Machine > Provisioning > Allow Read-Only Disk Access | | |
| Host > Local operations > Create virtual machine | | |
| Host > Local operations > Delete virtual machine | | |
| Host > Local operations > Reconfigure virtual machine | | |
Snapshots | Virtual machine > Snapshot management > Create snapshot | VirtualMachine.State.CreateSnapshot | Virtual Machines |
| Virtual machine > Snapshot management > Remove snapshot | VirtualMachine.State.RemoveSnapshot | Virtual Machines |
| Virtual machine > Snapshot management > Rename snapshot | VirtualMachine.State.RenameSnapshot | Virtual Machines |
| Virtual machine > Snapshot management > Revert to snapshot | VirtualMachine.State.RevertToSnapshot | Virtual Machines |
VM Tagging | vSphere Tagging > Assign or Unassign vSphere Tag | InventoryService.Tagging.AttachTag | |
| vSphere Tagging > Create vSphere Tag | InventoryService.Tagging.CreateTag | |
| vSphere Tagging > Create vSphere Tag Category | InventoryService.Tagging.CreateCategory | |
VMware Tools Connection Type | Virtual machine > Guest Operations > Guest Operation Queries | VirtualMachine.GuestOperations.Query | Virtual Machines |
| Virtual machine > Guest Operations > Guest Operation Program Execution | VirtualMachine.GuestOperations.Execute | Virtual Machines |
| Virtual machine > Guest Operations > Guest Operation Modifications | VirtualMachine.GuestOperations.Modify | Virtual Machines |
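The following script is an added example (not CloudBolt's or VMware's own code) that checks an exported list of a role's privilege IDs against the IDs in the table above, per integration, and reports both what is missing (the integration will fail) and what is excess (the role is broader than least privilege requires). It assumes you obtain the role's privilege list from your own vCenter export; the sample list in the script is constructed, and the Provisioning entry only carries the single ID the table gives.

```python
"""Audit a vCenter role's privilege IDs against what CloudBolt needs per integration."""
from typing import Dict, FrozenSet, Iterable, Tuple

# Privilege IDs from the table above, keyed by CloudBolt integration. Only IDs the
# table lists are included; the table gives just one ID for Provisioning.
REQUIRED: Dict[str, FrozenSet[str]] = {
    "Common": frozenset({"System.Anonymous", "System.Read", "System.View"}),
    "Provisioning": frozenset({"Host.Inventory.EditCluster"}),
    "Snapshots": frozenset({
        "VirtualMachine.State.CreateSnapshot",
        "VirtualMachine.State.RemoveSnapshot",
        "VirtualMachine.State.RenameSnapshot",
        "VirtualMachine.State.RevertToSnapshot",
    }),
    "VM Tagging": frozenset({
        "InventoryService.Tagging.AttachTag",
        "InventoryService.Tagging.CreateTag",
        "InventoryService.Tagging.CreateCategory",
    }),
    "VMware Tools": frozenset({
        "VirtualMachine.GuestOperations.Query",
        "VirtualMachine.GuestOperations.Execute",
        "VirtualMachine.GuestOperations.Modify",
    }),
}


def required_for(integrations: Iterable[str]) -> FrozenSet[str]:
    """Privilege IDs needed for the chosen integrations; Common is always included."""
    wanted = set(REQUIRED["Common"])
    for name in integrations:
        wanted |= REQUIRED[name]  # unknown integration name -> KeyError, on purpose
    return frozenset(wanted)


def audit_role(role_privileges: Iterable[str],
               integrations: Iterable[str]) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Return (missing, excess): missing breaks the integration, excess violates least privilege."""
    have = frozenset(role_privileges)
    need = required_for(integrations)
    return need - have, have - need


if __name__ == "__main__":
    # Constructed sample export of a role meant for Snapshots only.
    sample_role = ["System.Anonymous", "System.Read", "System.View",
                   "VirtualMachine.State.CreateSnapshot", "VirtualMachine.State.RevertToSnapshot",
                   "VirtualMachine.GuestOperations.Execute"]  # not needed for Snapshots
    missing, excess = audit_role(sample_role, ["Snapshots"])
    print("missing:", sorted(missing), "excess:", sorted(excess))
```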