Privileges Required for Inventory Management
Navigating the inventory requires a user account that can connect to the server and obtain a valid session. The user identity associated with the session is called a principal. When a client application attempts to access an object in the inventory, the server checks the permission object or objects and compares the permissions with the principal’s privileges.
For example, creating a virtual machine requires that the principal associated with the session have the following privileges:
- The VirtualMachine.Inventory.Create privilege on the folder in which to create the virtual machine.
- The Resource.AssignVMToPool privilege on the resource pool from which the virtual machine obtains its allocation of CPU and memory resources.
As another example, reading the perfCounter property of the PerformanceManager managed object requires the System.View privilege on the root folder.
Important: Some privileges are specific to objects on vCenter Server or specific to ESX/ESXi. For example, the Alarm.Create privilege associated with AlarmManager is available only through vCenter Server systems.
See Authentication and Authorization for more information on authentication, authorization, roles, and user identity.
Privileges
A privilege is a system-defined requirement associated with a VMware vSphere managed object. Privileges are static and do not change for a version of a product. Privileges for vSphere components are defined as follows:
<group>[.<group>].privilege
For example:
Datacenter.Create
Host.Config.Connection
Host.Config.Snmp
Permissions
Permissions are the associations of roles with privileges on a specified managed entity. You use permissions to specify which users can access which managed entity.
A child entity inherits the permissions of its parent if the parent’s propagate property is set to true. A permission that is set directly on a child overrides the permission in the parent. To grant permission to all child entities of a Datacenter object, assign permissions to the Datacenter object and set the Permission object’s propagate property to true.
The figure Inventory and Permissions shows that the users root and vpxuser both have permissions on the rootFolder of the inventory. The vpxuser account is created on a host by the vCenter Server system when that host is added to vCenter Server. vCenter Server needs access to the inventory objects of the host systems that it manages, so the vpxuser account is granted privileges on the rootFolder of each host.
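The inheritance rules above (a permission set directly on an entity overrides the parent's, and a parent's permission reaches children only when propagate is true) and the two-privilege check for creating a virtual machine are worked through below in an added Python model. This is example code written for this page, not part of the vSphere SDK: the Role, Permission and Entity classes, the inventory tree and the principals alice, bob and carol are all constructed here, and a real client would ask the server's AuthorizationManager rather than evaluate the rules itself.

```python
"""Model of vSphere permission inheritance on the managed-entity tree.

Constructed sample data and a simplified evaluator, not a vCenter export
and not the server's own authorization code.
"""

from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Role:
    name: str
    privileges: FrozenSet[str]   # privilege ids such as "Datacenter.Create"


@dataclass
class Permission:
    principal: str               # user or group identity
    role: Role
    propagate: bool              # True: applies to descendants unless overridden


@dataclass
class Entity:
    name: str
    parent: Optional["Entity"] = None
    permissions: List[Permission] = field(default_factory=list)


def effective_permission(entity: Entity, principal: str) -> Optional[Permission]:
    """Walk from the entity up toward the root folder and return the first
    permission that applies to the principal.

    A permission set directly on the entity wins regardless of its propagate
    flag. Permissions on ancestors are considered only when propagate is
    True; a non-propagating permission on an ancestor is skipped and the
    walk continues upward."""
    node = entity
    inherited = False
    while node is not None:
        for perm in node.permissions:
            if perm.principal == principal and (perm.propagate or not inherited):
                return perm
        node = node.parent
        inherited = True
    return None


def has_privilege(entity: Entity, principal: str, privilege: str) -> bool:
    """True if the principal's effective role on the entity grants the privilege."""
    perm = effective_permission(entity, principal)
    return perm is not None and privilege in perm.role.privileges


def can_create_vm(folder: Entity, pool: Entity, principal: str) -> bool:
    """Both checks the page lists for creating a virtual machine: the folder
    that will hold the VM and the resource pool that will back it."""
    return (has_privilege(folder, principal, "VirtualMachine.Inventory.Create")
            and has_privilege(pool, principal, "Resource.AssignVMToPool"))


# Constructed roles (privilege sets chosen for the example, not vCenter's defaults).
ADMIN = Role("Administrator", frozenset({
    "System.View", "Datacenter.Create",
    "VirtualMachine.Inventory.Create", "Resource.AssignVMToPool"}))
VM_OPERATOR = Role("VM operator", frozenset({
    "System.View", "VirtualMachine.Inventory.Create", "Resource.AssignVMToPool"}))
READ_ONLY = Role("Read-only", frozenset({"System.View"}))

# Constructed inventory tree: rootFolder -> Datacenter -> vmFolder / hostFolder -> ResourcePool
root = Entity("rootFolder")
datacenter = Entity("Datacenter", root)
vm_folder = Entity("vmFolder", datacenter)
host_folder = Entity("hostFolder", datacenter)
pool = Entity("ResourcePool", host_folder)

# vpxuser: propagating admin on rootFolder, as the page describes for managed hosts.
# bob: admin on rootFolder but NOT propagating, so it never reaches child entities.
root.permissions = [Permission("vpxuser", ADMIN, True), Permission("bob", ADMIN, False)]
# alice and carol: propagating permissions on the Datacenter.
datacenter.permissions = [Permission("alice", VM_OPERATOR, True), Permission("carol", ADMIN, True)]
# carol: a direct read-only permission on vmFolder overrides the inherited admin role there.
vm_folder.permissions = [Permission("carol", READ_ONLY, False)]


if __name__ == "__main__":
    for user in ("vpxuser", "alice", "bob", "carol"):
        print(f"{user:8} create VM in vmFolder/ResourcePool: {can_create_vm(vm_folder, pool, user)}")
```

Running the block prints True for vpxuser and alice, False for bob (his permission on rootFolder does not propagate) and False for carol (her direct read-only permission on vmFolder overrides the admin role she inherits elsewhere, while she still holds Resource.AssignVMToPool on the pool).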
Important: See Authentication and Authorization for a detailed discussion of privileges, permissions, and user management.
Figure: Inventory and Permissions