VMware recommends that you apply the
principle of least privilege to any agent-like software or automated
application that uses the credential store in a production environment. Give
user accounts the minimal number of privileges on the system that they require
to do their jobs.
Specify roles and users as follows:
Procedure
1. For each SDK-based application, use one specific role, newly created or predefined, that has appropriate privileges.

   For example, if you are developing an agent-like application to automatically start the VMware Consolidated Backup utility, you might use the “VMware Consolidated Backup Utility” role (roleID 7).

   If no predefined user role that meets the needs of your application exists, create a role with only those privileges needed for the application. See Using Roles to Consolidate Sets of Privileges for more information about roles.
2. Create a user account for use with the agent or application.
3. Apply the role created in Step 1 to the user account created in Step 2.
4. Store the user account and password in the credential store, using the CredentialStoreAdministration tool.
Never grant administrator privileges to a
user account associated with an automated script or software agent, especially
one that uses the credential store.
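
The rules in this procedure can be checked after the fact against an exported list of roles and permissions. The following is an added example, not VMware code: it audits credential-store accounts for the administrator role, more than one role, and privileges the application does not need. All account names, role 101, and the privilege sets are constructed sample data.

```python
ADMIN_ROLE_ID = -1  # built-in Administrator system role in vSphere

# Constructed inventory: account names, role 101 and every privilege set below
# are sample values for illustration, not read from a real system.
VCB_PRIVS = {"VirtualMachine.State.CreateSnapshot",
             "VirtualMachine.State.RemoveSnapshot",
             "VirtualMachine.Provisioning.GetVmFiles"}
ROLES = {
    7: VCB_PRIVS,  # role ID used in the page's example
    101: {"VirtualMachine.Interact.PowerOn",
          "VirtualMachine.Interact.PowerOff",
          "VirtualMachine.Config.AddNewDisk"},
}
# (principal, roleId) pairs as they would appear in a permission listing
PERMISSIONS = [("vcb-agent", 7), ("power-agent", 101), ("report-agent", -1),
               ("sync-agent", 7), ("sync-agent", 101)]
# Accounts kept in the credential store -> privileges the application calls for
REQUIRED = {
    "vcb-agent": set(VCB_PRIVS),
    "power-agent": {"VirtualMachine.Interact.PowerOn",
                    "VirtualMachine.Interact.PowerOff"},
    "report-agent": {"System.View"},
    "sync-agent": {"VirtualMachine.State.CreateSnapshot"},
}

def audit(roles, permissions, required):
    """Return {account: [issues]} for accounts that break the procedure's rules."""
    findings = {}
    for account, needed in required.items():
        role_ids = sorted({rid for who, rid in permissions if who == account})
        issues = []
        if not role_ids:
            issues.append("no role assigned")
        if len(role_ids) > 1:
            issues.append("more than one role: %s" % role_ids)
        if ADMIN_ROLE_ID in role_ids:
            issues.append("administrator role assigned")
        granted = set()
        for rid in role_ids:
            granted |= roles.get(rid, set())  # admin role is reported above
        excess = sorted(granted - needed)
        if excess:
            issues.append("unneeded privileges: " + ", ".join(excess))
        missing = sorted(needed - granted)
        if missing and role_ids and ADMIN_ROLE_ID not in role_ids:
            issues.append("missing privileges: " + ", ".join(missing))
        if issues:
            findings[account] = issues
    return findings
```

Calling `audit(ROLES, PERMISSIONS, REQUIRED)` on the sample data reports `power-agent`, `report-agent` and `sync-agent`, and leaves `vcb-agent` out because its single role matches what it needs.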