
Vcenter PrivilegeRequirements

The Connection Broker requires specific VMware® vCenter Server privileges. You must provide the Connection Broker with the credentials for a vCenter Server account. If you create your vCenter Server center using an account that does not have all the correct privileges, you will not be able to perform all Connection Broker actions.
Copyright
© Attribution Non-Commercial (BY-NC)

Required VMware vCenter Server Privileges

The Leostream Connection Broker requires specific VMware vCenter Server (VirtualCenter) privileges in order to perform various actions, such as starting and stopping VMs or provisioning virtual machines from templates. In order to ensure that your Connection Broker functions properly, you must provide the Connection Broker with the credentials for a vCenter Server account that is assigned the required privileges. The Connection Broker uses the vCenter Server account you specify when creating the center, as shown in the following figure.

If you create your vCenter Server center using an account that does not have all the correct privileges, you will not be able to perform all Connection Broker actions.

Required vCenter Server Privileges


The following table lists all privileges that the Connection Broker uses.

Control Action        Within All Privileges
Power On              > Virtual Machine > Interaction > Power On
Power Off             > Virtual Machine > Interaction > Power Off
Shutdown              > Virtual Machine > Interaction > Power Off
Suspend               > Virtual Machine > Interaction > Suspend
Resume                > Virtual Machine > Interaction > Power On
Reboot                > Virtual Machine > Interaction > Power On
                      > Virtual Machine > Interaction > Power Off
Revert to snapshot    > Virtual Machine > State > Revert To Snapshot
Provisioning          > Virtual Machine > Provisioning > Deploy Template
                      > Virtual Machine > Inventory > Create
                      > Resource > Assign Virtual Machine To Resource Pool
                      > Virtual Machine > Provisioning > Read Customization Specifications
                      > Virtual Machine > Provisioning > Customize

The only three default vCenter Server roles that contain all these privileges are:
Administrator
Virtual Machine Administrator
Resource Pool Administrator

Copyright 2002-2011 Leostream Corporation

If you do not want to use one of the default roles, you can create your own role that contains the privileges listed in the previous table. After you create your role, add a permission at the Virtual Machines & Templates level that assigns this role to the user associated with your Connection Broker center. Please refer to Chapter 17: Managing Users, Groups, Permissions, and Roles in the Basic System Administration guide for ESX and vCenter Server for information on creating roles out of privileges and using permissions to assign these roles to users. The remainder of this document describes these vCenter Server permissions and the actions related to these privileges.

Creating Resource Centers from vCenter Server


By default, vCenter Server assigns a No Access permission to all users except the default administrator. With this permission, you cannot log into vCenter Server and, therefore, cannot import virtual machines from vCenter Server into the Connection Broker. In order to import virtual machines from vCenter Server into the Connection Broker, your vCenter Server permissions must, at least, assign a Read-Only role for the virtual machines in vCenter Server. This role assigns the following privileges:
System.Anonymous
System.Read
System.View

The Connection Broker imports every virtual machine for which you have a Read-Only role. For example, if you are assigned the Read-Only role at the vCenter Server Inventory's Virtual Machines & Templates level, the Connection Broker imports all virtual machines. If you are assigned the Read-Only role on a VM-by-VM basis, the Connection Broker imports only the VMs you are assigned. If your permission is set to Read-Only, you cannot power control the VMs or perform any provisioning.

Controlling Virtual Machines


In order to start, stop, suspend, resume, or reboot virtual machines, you must be assigned a role with the privileges listed in the following table. If you attempt to perform a control action that you are not privileged to perform, the > System > Logs page contains the listed error message.

Control Action: Power On
Required Privilege: > Virtual Machine > Interaction > Power On
Error message: Start error: PowerOnVM_Task command failed.

Control Action: Power Off
Required Privilege: > Virtual Machine > Interaction > Power Off
Error message: Power Off failed: Permission to perform this operation was denied.

Control Action: Shutdown
Required Privilege: > Virtual Machine > Interaction > Power Off
Error message: Shutdown failed: Permission to perform this operation was denied.

Control Action: Suspend
Required Privilege: > Virtual Machine > Interaction > Suspend
Error message: Unable to suspend: Failed to suspend VM.

Control Action: Resume
Required Privilege: > Virtual Machine > Interaction > Power On
Error message: Unable to resume: PowerOnVM_Task command failed.

Control Action: Reboot
Required Privilege: > Virtual Machine > Interaction > Power On
                    > Virtual Machine > Interaction > Power Off
Error message: The log contains the message for Power On or Power Off, depending on which privilege is missing.


The following default vCenter Server roles contain the privileges required to power control virtual machines.
Administrator
Virtual Machine Administrator
Virtual Machine Power User
Virtual Machine User
Resource Pool Administrator

If you are creating a new role, ensure that the privileges shown in the following figure are selected.

Reverting to a Virtual Machine Snapshot


If any of your policies select the Revert to snapshot option in any of the Power control drop-down menus, you must be assigned a role with the following privilege:
> Virtual Machine > State > Revert To Snapshot

If this privilege is not turned on, the machine will not revert back to its snapshot, and the > System > Logs page displays the following message:
Revert failed: Permission to perform this operation was denied

The following default vCenter Server roles contain the privilege required to revert virtual machines to a snapshot.
Administrator
Virtual Machine Administrator
Virtual Machine Power User
Resource Pool Administrator


If you are creating a new role, ensure that the privilege shown in the following figure is selected. The State node is inside the > All Privileges > Virtual Machine tree node.

Provisioning
If any of your pools use vCenter Server templates to provision new virtual machines, you must be assigned a role with the following privileges.
> Virtual Machine > Provisioning > Deploy Template
> Virtual Machine > Inventory > Create
> Resource > Assign Virtual Machine To Resource Pool

In addition, if you are using a guest OS customization file, your role must also contain the following permissions.
> Virtual Machine > Provisioning > Read Customization Specifications
> Virtual Machine > Provisioning > Customize

If your role does not contain the > Virtual Machine > Provisioning > Read Customization Specifications privilege, the Connection Broker will not display the Guest OS Customization Specification File edit field in the Provisioning section of the Edit Pool page.

The following default vCenter Server roles contain the privileges required to provision virtual machines.
Administrator
Virtual Machine Administrator
Resource Pool Administrator


If you are creating a new role, ensure that the privileges shown in the following figures are selected. The right-hand figure begins with a continuation of the Provisioning privileges.
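
A custom role can be checked against the tables in this document before it is assigned to the Connection Broker account. The following Python script is an added example, not Leostream or VMware code: it reports which privileges each intended action still lacks and which granted privileges none of those actions need. The names audit_role, REQUIRED, CUSTOMIZATION and SAMPLE_ROLE are assumptions of this example, and privileges are written as this document's All Privileges paths.

```python
# Added example: audit a custom vCenter Server role against this document's tables.
# Privileges are written as the document's "All Privileges" paths (an assumption
# of this example; the vSphere API uses its own privilege identifiers).
VM = "Virtual Machine > "
READ_ONLY = {"System.Anonymous", "System.Read", "System.View"}  # needed to import VMs
REQUIRED = {
    "Power On": {VM + "Interaction > Power On"},
    "Power Off": {VM + "Interaction > Power Off"},
    "Shutdown": {VM + "Interaction > Power Off"},
    "Suspend": {VM + "Interaction > Suspend"},
    "Resume": {VM + "Interaction > Power On"},
    "Reboot": {VM + "Interaction > Power On", VM + "Interaction > Power Off"},
    "Revert to snapshot": {VM + "State > Revert To Snapshot"},
    "Provisioning": {
        VM + "Provisioning > Deploy Template",
        VM + "Inventory > Create",
        "Resource > Assign Virtual Machine To Resource Pool",
    },
}
# Extra privileges when a pool uses a guest OS customization file.
CUSTOMIZATION = {
    VM + "Provisioning > Read Customization Specifications",
    VM + "Provisioning > Customize",
}


def audit_role(granted, actions, uses_customization=False):
    """Return (missing, excess): privileges each action still lacks, and
    privileges the role grants that none of the requested actions need."""
    granted = set(granted)
    needs = {"Import virtual machines": set(READ_ONLY)}
    for action in actions:
        needs[action] = set(REQUIRED[action])
    if uses_customization:
        needs["Provisioning"] = REQUIRED["Provisioning"] | CUSTOMIZATION
    missing = {a: sorted(p - granted) for a, p in needs.items() if p - granted}
    excess = sorted(granted - set().union(*needs.values()))
    return missing, excess


# Constructed sample: a power-control role that lacks Power Off and carries
# one provisioning privilege it has no use for.
SAMPLE_ROLE = READ_ONLY | {
    VM + "Interaction > Power On",
    VM + "Interaction > Suspend",
    VM + "Provisioning > Customize",
}
```

Calling audit_role(SAMPLE_ROLE, ["Power On", "Suspend", "Reboot"]) reports the Power Off privilege missing for Reboot and the Customize privilege as excess.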
