vSphere: Minimum User Permissions
Create minimum required roles for provisioning and installing in vSphere
When the provisioning user should not hold the Administrator role, create a custom role that contains only the privileges it needs and grant that role to the user.
In small vSphere environments with just a few hosts, assigning the role to the user at the top level (the vCenter Server object) and propagating it to all child objects can be acceptable; the role then carries only the privileges listed on this page, so the user still cannot do anything an Administrator could.
In most environments, however, security policy restricts who may access which resources, so the role should instead be assigned only at the specific inventory levels listed at the end of this page, with propagation limited to the folder that holds the provisioned machines.
The process for configuring a vSphere role with the permissions for provisioning nodes and installing includes the following steps:
Open a vSphere Client connection to the vCenter Server, as described in the Prerequisites, using an account that can create roles (for example, an Administrator).
Select Home > Administration > Roles > Add Role.
Give the new role a name, then select these Privileges:
| Category | Sub-group | Privilege |
|---|---|---|
| Cns | | Searchable |
| Datastore | | Allocate space |
| Datastore | | Low level file operations |
| Host | Configuration | Storage partition configuration |
| Profile-driven storage | | Profile-driven storage view |
| Network | | Assign network |
| Resource | | Assign virtual machine to resource pool |
| Virtual machine | Configuration | Add new disk |
| Virtual machine | Configuration | Add existing disk |
| Virtual machine | Configuration | Add or remove device |
| Virtual machine | Configuration | Advanced configuration |
| Virtual machine | Configuration | Change CPU count |
| Virtual machine | Configuration | Change Memory |
| Virtual machine | Configuration | Change Settings |
| Virtual machine | Configuration | Reload from path |
| Virtual machine | Edit inventory | Create from existing |
| Virtual machine | Edit inventory | Remove |
| Virtual machine | Interaction | Power off |
| Virtual machine | Interaction | Power on |
| Virtual machine | Provisioning | Clone template |
| Virtual machine | Provisioning | Deploy template |
| Sessions | | Validate session |
The table below lists the inventory levels at which the role must be assigned to the user, and whether each assignment should propagate to child objects. Only the folder assignment propagates, so newly cloned machines inside that folder inherit the permission while objects outside it stay out of reach.
| Level | Required | Propagate to Child |
|---|---|---|
| vCenter Server (Top Level) | No | No |
| Data Center | Yes | No |
| Resource Pool | Yes | No |
| Folder | Yes | Yes |
| Template | Yes | No |
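The same procedure scripted with govc, added here as an example and not part of the original page or of any vendor tooling: it creates the role from the privilege table above (using the privileges' vSphere API identifiers rather than their display names, because that is what govc takes), then assigns the role at the four required levels with exactly the propagation flags from the table. The role name, principal and inventory paths are placeholders and must be replaced with your own; with `DRY_RUN=1` (the default) the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: build the minimum provisioning role with govc and assign it
# per the level table. Role name, principal and paths below are placeholders.
set -eu

ROLE="${ROLE:-k8s-provisioner}"                        # placeholder role name
PRINCIPAL="${PRINCIPAL:-provisioner@vsphere.local}"    # placeholder SSO user
DRY_RUN="${DRY_RUN:-1}"                                # 1 = print commands only

# vSphere API identifiers for the privileges in the table above
# (display name -> privilege ID, as listed in the vSphere privilege reference).
privileges() {
cat <<'EOF'
Cns.Searchable
Datastore.AllocateSpace
Datastore.FileManagement
Host.Config.Storage
StorageProfile.View
Network.Assign
Resource.AssignVMToPool
VirtualMachine.Config.AddNewDisk
VirtualMachine.Config.AddExistingDisk
VirtualMachine.Config.AddRemoveDevice
VirtualMachine.Config.AdvancedConfig
VirtualMachine.Config.CPUCount
VirtualMachine.Config.Memory
VirtualMachine.Config.Settings
VirtualMachine.Config.ReloadFromPath
VirtualMachine.Inventory.CreateFromExisting
VirtualMachine.Inventory.Delete
VirtualMachine.Interact.PowerOff
VirtualMachine.Interact.PowerOn
VirtualMachine.Provisioning.Clone
VirtualMachine.Provisioning.DeployTemplate
Sessions.ValidateSession
EOF
}

# Number of privileges the role will carry (22 for the table above).
privilege_count() { set -- $(privileges); echo "$#"; }

# Propagation per inventory level, exactly as in the level table:
# only the folder assignment propagates. The vCenter top level gets no
# assignment at all, so it is deliberately not accepted here.
propagate_flag() {
  case "$1" in
    Folder) echo true ;;
    Datacenter|ResourcePool|Template) echo false ;;
    *) echo "unsupported level: $1" >&2; return 1 ;;
  esac
}

# govc command line for one assignment: $1 = level, $2 = inventory path.
assign_cmd() {
  flag=$(propagate_flag "$1") || return 1
  echo "govc permissions.set -principal '$PRINCIPAL' -role '$ROLE' -propagate=$flag '$2'"
}

# Print in dry-run mode, otherwise execute (needs GOVC_URL/GOVC_USERNAME/GOVC_PASSWORD).
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else eval "$*"; fi; }

apply() {
  run "govc role.create '$ROLE' $(privileges | tr '\n' ' ')"
  run "$(assign_cmd Datacenter   /DC1)"                               # placeholder datacenter
  run "$(assign_cmd ResourcePool /DC1/host/Cluster1/Resources/k8s)"   # placeholder pool
  run "$(assign_cmd Folder       /DC1/vm/k8s)"                        # placeholder VM folder
  run "$(assign_cmd Template     /DC1/vm/templates/ubuntu-node)"      # placeholder template
  # Verification: list the role's privileges so nothing beyond the table slipped in.
  run "govc role.ls '$ROLE'"
}

apply
```

Run it once with `DRY_RUN=1` and review the printed plan, then export `GOVC_URL`, `GOVC_USERNAME` and `GOVC_PASSWORD` for an administrator account and run it with `DRY_RUN=0`. The closing `govc role.ls` output should match the privilege table line for line; afterwards, log in as the provisioning user and confirm it can clone the template into the folder but cannot see or change objects outside the four assigned levels.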