|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * installing/installing_vsphere/installing-restricted-networks-vsphere.adoc |
| 4 | + |
| 5 | +[id="machineset-vsphere-requirements-user-provisioned-machine-sets_{context}"] |
| 6 | += Minimum required vCenter privileges for machine set management |
| 7 | + |
| 8 | +To manage machine sets in an {product-title} cluster on vCenter, you must use an account with privileges to read, create, and delete the required resources. Using an account that has global administrative privileges is the simplest way to access all of the necessary permissions. |
| 9 | + |
| 10 | +If you cannot use an account with global administrative privileges, you must create roles to grant the minimum required privileges. The following table lists the minimum vCenter roles and privileges that are required to create, scale, and delete machine sets and to delete machines in your {product-title} cluster. |
| 11 | + |
| 12 | +.Minimum vCenter roles and privileges required for machine set management |
| 13 | +[%collapsible] |
| 14 | +==== |
| 15 | +[cols="3a,3a,3a",options="header"] |
| 16 | +|=== |
| 17 | +|vSphere object for role |
| 18 | +|When required |
| 19 | +|Required privileges |
| 20 | +
|
| 21 | +|vSphere vCenter |
| 22 | +|Always |
| 23 | +| |
| 24 | +[%hardbreaks] |
| 25 | +`InventoryService.Tagging.AttachTag` |
| 26 | +`InventoryService.Tagging.CreateCategory` |
| 27 | +`InventoryService.Tagging.CreateTag` |
| 28 | +`InventoryService.Tagging.DeleteCategory` |
| 29 | +`InventoryService.Tagging.DeleteTag` |
| 30 | +`InventoryService.Tagging.EditCategory` |
| 31 | +`InventoryService.Tagging.EditTag` |
| 32 | +`Sessions.ValidateSession` |
| 33 | +`StorageProfile.Update`^1^ |
| 34 | +`StorageProfile.View`^1^ |
| 35 | +
|
| 36 | +|vSphere vCenter Cluster |
| 37 | +|Always |
| 38 | +| |
| 39 | +[%hardbreaks] |
| 40 | +`Resource.AssignVMToPool` |
| 41 | +
|
| 42 | +|vSphere Datastore |
| 43 | +|Always |
| 44 | +| |
| 45 | +[%hardbreaks] |
| 46 | +`Datastore.AllocateSpace` |
| 47 | +`Datastore.Browse` |
| 48 | +
|
| 49 | +|vSphere Port Group |
| 50 | +|Always |
| 51 | +|`Network.Assign` |
| 52 | +
|
| 53 | +|Virtual Machine Folder |
| 54 | +|Always |
| 55 | +| |
| 56 | +[%hardbreaks] |
| 57 | +`VirtualMachine.Config.AddRemoveDevice` |
| 58 | +`VirtualMachine.Config.AdvancedConfig` |
| 59 | +`VirtualMachine.Config.Annotation` |
| 60 | +`VirtualMachine.Config.CPUCount` |
| 61 | +`VirtualMachine.Config.DiskExtend` |
| 62 | +`VirtualMachine.Config.Memory` |
| 63 | +`VirtualMachine.Config.Settings` |
| 64 | +`VirtualMachine.Interact.PowerOff` |
| 65 | +`VirtualMachine.Interact.PowerOn` |
| 66 | +`VirtualMachine.Inventory.CreateFromExisting` |
| 67 | +`VirtualMachine.Inventory.Delete` |
| 68 | +`VirtualMachine.Provisioning.Clone` |
| 69 | +
|
| 70 | +|vSphere vCenter Datacenter |
| 71 | +|If the installation program creates the virtual machine folder |
| 72 | +| |
| 73 | +[%hardbreaks] |
| 74 | +`Resource.AssignVMToPool` |
| 75 | +`VirtualMachine.Provisioning.DeployTemplate` |
| 76 | +
|
| 77 | +3+a| |
| 78 | +^1^ The `StorageProfile.Update` and `StorageProfile.View` permissions are required only for storage backends that use the Container Storage Interface (CSI). |
| 79 | +|=== |
| 80 | +==== |
| 81 | + |
| 82 | +The following table details the permissions and propagation settings that are required for machine set management. |
| 83 | + |
| 84 | +.Required permissions and propagation settings |
| 85 | +[%collapsible] |
| 86 | +==== |
| 87 | +[cols="3a,3a,3a,3a",options="header"] |
| 88 | +|=== |
| 89 | +|vSphere object |
| 90 | +|Folder type |
| 91 | +|Propagate to children |
| 92 | +|Permissions required |
| 93 | +
|
| 94 | +|vSphere vCenter |
| 95 | +|Always |
| 96 | +|Not required |
| 97 | +|Listed required privileges |
| 98 | +
|
| 99 | +.2+|vSphere vCenter Datacenter |
| 100 | +|Existing folder |
| 101 | +|Not required |
| 102 | +|`ReadOnly` permission |
| 103 | +
|
| 104 | +|Installation program creates the folder |
| 105 | +|Required |
| 106 | +|Listed required privileges |
| 107 | +
|
| 108 | +|vSphere vCenter Cluster |
| 109 | +|Always |
| 110 | +|Required |
| 111 | +|Listed required privileges |
| 112 | +
|
| 113 | +|vSphere vCenter Datastore |
| 114 | +|Always |
| 115 | +|Not required |
| 116 | +|Listed required privileges |
| 117 | +
|
| 118 | +|vSphere Switch |
| 119 | +|Always |
| 120 | +|Not required |
| 121 | +|`ReadOnly` permission |
| 122 | +
|
| 123 | +|vSphere Port Group |
| 124 | +|Always |
| 125 | +|Not required |
| 126 | +|Listed required privileges |
| 127 | +
|
| 128 | +|vSphere vCenter Virtual Machine Folder |
| 129 | +|Existing folder |
| 130 | +|Required |
| 131 | +|Listed required privileges |
| 132 | +|=== |
| 133 | +==== |
| 134 | + |
| 135 | +For more information about creating an account with only the required privileges, see link:https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-5372F580-5C23-4E9C-8A4E-EF1B4DD9033E.html[vSphere Permissions and User Management Tasks] in the vSphere documentation. |