Defined Privileges

Update 1
ESXi 5.0
vCenter Server 5.0

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-000845-00


You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

[email protected]

Copyright © 2009–2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.

VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com


Chapter 1 Defined Privileges

The following tables list the default privileges that, when selected for a role, can be paired with a user and assigned to an object. The tables in this appendix use VC to indicate vCenter Server and HC to indicate host client, a standalone ESXi or Workstation host.

When setting permissions, verify all the object types are set with appropriate privileges for each particular action. Some operations require access permission at the root folder or parent folder in addition to access to the object being manipulated. Some operations require access or performance permission at a parent folder and a related object.

vCenter Server extensions might define additional privileges not listed here. Refer to the documentation for the extension for more information on those privileges.

This chapter includes the following topics:

- Alarms
- Datacenter
- Datastore
- Datastore Cluster
- Distributed Virtual Port Group
- ESX Agent Manager
- Extension
- Folder
- Global
- Host CIM
- Host Configuration
- Host Inventory
- Host Local Operations
- Host vSphere Replication
- Host Profile
- Network
- Performance
- Permissions
- Profile-driven Storage
- Resource
- Scheduled Task
- Sessions
- Storage Views
- Tasks
- vApp
- Virtual Machine Configuration
- Virtual Machine Guest Operations
- Virtual Machine Interaction
- Virtual Machine Inventory
- Virtual Machine Provisioning
- Virtual Machine State
- Virtual Machine vSphere Replication
- vServices
- vSphere Distributed Switch
- VRM Policy

Alarms

Alarms privileges control the ability to set and respond to alarms on inventory objects.

The table describes privileges needed to create, modify, and respond to alarms.

Table 1-1. Alarms Privileges

| Privilege Name | Description | Used | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| Alarms.Acknowledge alarm | Suppresses all alarm actions from occurring on all triggered alarms. User interface element – Triggered Alarms panel | VC only | All inventory objects | Object on which an alarm is defined |
| Alarms.Create alarm | Creates a new alarm. When creating alarms with a custom action, privilege to perform the action is verified when the user creates the alarm. User interface element – Alarms tab context menu, File > New > Alarm | VC only | All inventory objects | Object on which an alarm is defined |
| Alarms.Disable alarm action | Stops the alarm action from occurring after an alarm has been triggered. This does not disable the alarm from triggering. User interface element – Inventory > object_name > Alarm > Disable All Alarm Actions | VC only | All inventory objects | Object on which an alarm is defined |
| Alarms.Modify alarm | Changes the properties of an existing alarm. User interface element – Alarms tab context menu | VC only | All inventory objects | Object on which an alarm is defined |
| Alarms.Remove alarm | Deletes an existing alarm. User interface element – Alarms tab context menu | VC only | All inventory objects | Object on which an alarm is defined |
| Alarms.Set alarm status | Changes the status of the configured event alarm. The status can change to Normal, Warning, or Alert. User interface element – Alarm Settings dialog box, Triggers tab | VC only | All inventory objects | Object on which an alarm is defined |

Datacenter

Datacenter privileges control the ability to create and edit datacenters in the vSphere Client inventory.

The table describes the privileges required to create and edit datacenters.

Table 1-2. Datacenter Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| Datacenter.Create datacenter | Creates a new datacenter. User interface element – Inventory context menu, toolbar button, and File > New Datacenter | VC only | Datacenter folders or root object | Datacenter folder or root object |
| Datacenter.IP pool configuration | Allows configuration of a pool of IP addresses. | VC only | Datacenters, Datacenter folders, or root object | Datacenter |
| Datacenter.Move datacenter | Moves a datacenter. Privilege must be present at both the source and destination. User interface element – Inventory drag-and-drop | VC only | Datacenters, Datacenter folders, or root object | Datacenter, source and destination |
| Datacenter.Remove datacenter | Removes a datacenter. In order to have permission to perform this operation, you must have this privilege assigned to both the object and its parent object. User interface element – Inventory context menu, Inventory > Datacenter > Remove, Edit > Remove | VC only | Datacenters, Datacenter folders, or root object | Datacenter plus parent object |
| Datacenter.Rename datacenter | Changes the name of a datacenter. User interface element – Inventory object, Inventory context menu, Edit > Rename, Inventory > Datacenter > Rename | VC only | Datacenters, Datacenter folders, or root object | Datacenter |

Datastore

Datastore privileges control the ability to browse, manage, and allocate space on datastores.

The table describes the privileges required to work with datastores.

Table 1-3. Datastore Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| Datastore.Allocate space | Allocates space on a datastore for a virtual machine, snapshot, clone, or virtual disk. | HC and VC | Datastores, Datastore folders | Datastores |
| Datastore.Browse datastore | Browses files on a datastore. User interface element – Add existing disk, browse for CD-ROM or Floppy media, serial or parallel port files | HC and VC | Datastores, Datastore folders | Datastores |
| Datastore.Configure datastore | Configures a datastore. | HC and VC | Datastores, Datastore folders | Datastores |
| Datastore.Low level file operations | Carries out read, write, delete, and rename operations in the datastore browser. | HC and VC | Datastores, Datastore folders | Datastores |
| Datastore.Move datastore | Moves a datastore between folders. Privileges must be present at both the source and destination. User interface element – Inventory drag-and-drop | VC only | Datastores, Datastore folders | Datastore, source and destination |
| Datastore.Remove datastore | Removes a datastore. This privilege is deprecated. In order to have permission to perform this operation, you must have this privilege assigned to both the object and its parent object. User interface element – Inventory datastore context menu, Inventory > Datastore > Remove | HC and VC | Datastores, Datastore folders | Datastores |
| Datastore.Remove file | Deletes a file in the datastore. This privilege is deprecated. Assign the Low level file operations User interface element – Datastore Browser toolbar button and Datastore context menu | HC and VC | Datastores, Datastore folders | Datastores |
| Datastore.Rename datastore | Renames a datastore. User interface element – Datastore Properties dialog Change button, host Summary tab context menu | HC and VC | Datastores, Datastore folders | Datastores |
| Datastore.Update virtual machine files | Updates file paths to virtual machine files on a datastore after the datastore has been resignatured. | HC and VC | Datastores, Datastore folders | Datastores |

Datastore Cluster

Datastore cluster privileges control the configuration of datastore clusters for Storage DRS.

The table describes privileges used for configuring datastore clusters.

Table 1-4. Datastore Cluster Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| Datastore cluster.Configure a datatstore cluster | Allow creation of and configuration of settings for datastore clusters for Storage DRS. | HC and VC | Datacenters, Datastore folders, Datastore clusters | Datastore Clusters |

Distributed Virtual Port Group

Distributed virtual port group privileges control the ability to create, delete, and modify distributed virtual port groups.

The table describes the privileges required to create and configure distributed virtual port groups.

Table 1-5. Distributed Virtual Port Group Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| dvPort group.Create | Create a distributed virtual port group. | HC and VC | Datacenter, Network folder | vSphere Distributed Switches |
| dvPort group.Delete | Delete a distributed virtual port group. In order to have permission to perform this operation, you must have this privilege assigned to both the object and its parent object. | HC and VC | vSphere Distributed Switches, Network folders, Datacenters | vSphere Distributed Switches |
| dvPort group.Modify | Modify the configuration of a distributed virtual port group. | HC and VC | vSphere Distributed Switches, Network folders, Datacenters | vSphere Distributed Switches |
| dvPort group.Policy operation | Set the policy of a distributed virtual port group. | HC and VC | vSphere Distributed Switches, Network folders, Datacenters | vSphere Distributed Switches |
| dvPort group.Scope operation | Set the scope of a distributed virtual port group. | HC and VC | vSphere Distributed Switches, Network folders, Datacenters | vSphere Distributed Switches |

ESX Agent Manager

ESX Agent Manager privileges control operations related to ESX Agent Manager and agent virtual machines.

The table describes privileges related to ESX Agent Manager and agent virtual machines.

Table 1-6. ESX Agent Manager

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| ESX Agent Manager.Config | Allows ESX Agent Manager to deploy an agent virtual machine on a host or cluster. No vSphere Client user interface elements are associated with this privilege. | VC only | | |
| ESX Agent Manager.Modify | Allows modifications to an agent virtual machine such as powering off or deleting the virtual machine. | VC only | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| ESX Agent View.View | Allows viewing of an agent virtual machine. | VC only | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |

Extension

Extension privileges control the ability to install and manage extensions.

The table describes privileges required to install and manage plug-ins.

Table 1-7. Extension Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| Extension.Register extension | Registers an extension (plug-in) | VC only | Root vCenter Server | Root vCenter Server |
| Extension.Unregister extension | Unregisters an extension (plug-in) | VC only | Root vCenter Server | Root vCenter Server |
| Extension.Update extension | Updates an extension (plug-in) | VC only | Root vCenter Server | Root vCenter Server |

Folder

Folder privileges control the ability to create and manage folders.

The table describes privileges required to create and manage folders.

Table 1-8. Folder Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| Folder.Create folder | Creates a new folder. User interface element – Taskbar button, File menu, context menu | VC only | Folders | Folders |
| Folder.Delete folder | Deletes a folder. In order to have permission to perform this operation, you must have this privilege assigned to both the object and its parent object. User interface element – File menu, context menu | VC only | Folders plus parent object | Folders |
| Folder.Move folder | Moves a folder. Privilege must be present at both the source and destination. User interface element – Inventory drag-and-drop | VC only | Folders, source and destination | Folders |
| Folder.Rename folder | Changes the name of a folder. User interface element – Inventory pane object text field, context menu, File menu | VC only | Folders | Folders |

Global

Global privileges control global tasks related to tasks, scripts, and extensions.

The table describes privileges required for global tasks in the vSphere Client.

Table 1-9. Global Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| Global.Act as vCenter Server | Prepare or initiate a vMotion send operation or a vMotion receive operation. No user vSphere Client interface elements are associated with this privilege. | VC only | Any object | Root vCenter Server |
| Global.Cancel task | Cancel a running or queued task. User interface element – Recent tasks pane context menu, Tasks & Events context menu. Can currently cancel clone and clone to template. | HC and VC | Any object | Inventory object related to the task |
| Global.Capacity planning | Enable the use of capacity planning for planning consolidation of physical machines to virtual machines. User interface element - Consolidation button in toolbar. | VC only | Root vCenter Server | Root vCenter Server |
| Global.Diagnostics | Get list of diagnostic files, log header, binary files, or diagnostic bundle. User interface element – File > Export > Export Diagnostic Data, Admin System Logs tab | VC only | Any object | Root vCenter Server |
| Global.Disable methods | Allows servers for vCenter Server extensions to disable certain operations on objects managed by vCenter Server. No user vSphere Client interface elements are associated with this privilege. | VC only | Any object | Root vCenter Server |
| Global.Enable methods | Allows servers for vCenter Server extensions to enable certain operations on objects managed by vCenter Server. No user vSphere Client interface elements are associated with this privilege. | VC only | Any object | Root vCenter Server |
| Global.Global tag | Add or remove global tags. | HC and VC | Any object | Root host or vCenter Server |
| Global.Health | View the health of vCenter Server components. User interface element – vCenter Service Status on the Home page. | VC only | Root vCenter Server | Root vCenter Server |
| Global.Licenses | See what licenses are installed and add or remove licenses. User interface element – Licenses tab, Configuration > Licensed Features | HC and VC | Any object | Root host or vCenter Server |
| Global.Log event | Log a user-defined event against a particular managed entity. User interface element – Should ask for a reason when shutting down or rebooting a host. | HC and VC | Any object | Any object |
| Global.Manage custom attributes | Add, remove, or rename custom field definitions. User interface element – Administration > Custom Attributes | VC only | Any object | Root vCenter Server |
| Global.Proxy | Allows access to an internal interface for adding or removing endpoints to or from the proxy. No user vSphere Client interface elements are associated with this privilege. | VC only | Any object | Root vCenter Server |
| Global.Script action | Schedule a scripted action in conjunction with an alarm. User interface element – Alarm Settings dialog box | VC only | Any object | Any object |
| Global.Service managers | Allows use of the resxtop command in the vSphere CLI. No user vSphere Client interface elements are associated with this privilege. | HC and VC | Root host or vCenter Server | Root host or vCenter Server |
| Global.Set custom attribute | View, create, or remove custom attributes for a managed object. User interface element – Any list view shows the fields defined and allows setting them | VC only | Any object | Any object |
| Global.Settings | Read and modify runtime VC configuration settings. User interface element – Administration > vCenter Server Management Server Configuration | VC only | Any object | Root vCenter Server |
| Global.System tag | Add or remove system tag. | VC only | Root vCenter Server | Root vCenter Server |

Host CIM

Host CIM privileges control the use of CIM for host health monitoring.

The table describes privileges used for CIM host health monitoring.

Table 1-10. Host CIM Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| Host.CIM.CIM Interaction | Allow a client to obtain a ticket to use for CIM services. | HC and VC | Hosts | Hosts |

Host Configuration

Host configuration privileges control the ability to configure hosts.

The table describes the privileges required to configure host settings.

Table 1-11. Host Configuration Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| Host.Configuration.Advanced Settings | Set advanced options in host configuration. User interface element – Host Configuration tab > Advanced Settings, Inventory hierarchy context menu | HC and VC | Hosts | Hosts |
| Host.Configuration.Authentication Store | Configure Active Directory authentication stores. User interface element – Host Configuration tab > Authentication Services | HC and VC | Hosts | Hosts |
| Host.Configuration.Change date and time settings | Sets time and date settings on the host. User interface element – Host Configuration tab > Time Configuration | HC and VC | Hosts | Hosts |
| Host.Configuration.Change PciPassthru settings | Change PciPassthru settings for a host. User interface element – Host Configuration tab > Advanced Settings, Inventory hierarchy context menu | HC and VC | Hosts | Hosts |
| Host.Configuration.Change settings | Allows setting of lockdown mode on ESXi hosts only. User interface element – Host Configuration tab > Security Profile > Lockdown Mode > Edit | HC and VC | Hosts | Hosts (ESXi only) |
| Host.Configuration.Change SNMP settings | Configure, restart, and stop SNMP agent. No user vSphere Client interface elements are associated with this privilege. | HC and VC | Hosts | Hosts |
| Host.Configuration.Connection | Change the connection status of a host (connected or disconnected). User interface element – Right-click Host | VC only | Hosts | Hosts |
| Host.Configuration.Firmware | Update the host firmware on ESXi hosts. No user vSphere Client interface elements are associated with this privilege. | HC and VC | Hosts | Hosts (ESXi only) |
| Host.Configuration.Hyperthreading | Enable and disable hyperthreading in a host CPU scheduler. User interface element – Host Configuration tab > Processors | HC and VC | Hosts | Hosts |
| Host.Configuration.Maintenance | Put the host in and out of maintenance mode. Shut down and restart a host. User interface element – Host context menu, Inventory > Host > Enter Maintenance Mode | HC and VC | Hosts | Hosts |
| Host.Configuration.Memory configuration | User interface element – Host Configuration tab > Memory | HC and VC | Hosts | Hosts |
| Host.Configuration.Network configuration | Configure network, firewall, and vMotion network. User interface element – Host Configuration tab > Networking, Network Adapter, DNS and Routing | HC and VC | Hosts | Hosts |
| Host.Configuration.Power | Configure host power management settings. User interface element – Host Configuration tab > Power Management | HC and VC | Hosts | Hosts |
| Host.Configuration.Query patch | Query for installable patches and install patches on the host. | HC and VC | Hosts | Hosts |
| Host.Configuration.Security profile and firewall | Configure internet services, such as SSH, Telnet, SNMP, and host firewall. User interface element – Host Configuration tab > Security Profile | HC and VC | Hosts | Hosts |
| Host.Configuration.Storage partition configuration | Manages VMFS datastore and diagnostic partitions. Scan for new storage devices. Manage iSCSI. User interface element – Host Configuration tab > Storage, Storage Adapters, Virtual Machine Swapfile Location Host Configuration tab datastore context menu | HC and VC | Hosts | Hosts |
| Host.Configuration.System Management | Allows extensions to manipulate the file system on the host. No user vSphere Client interface elements are associated with this privilege. | HC and VC | Hosts | Hosts |
| Host.Configuration.System resources | Update the configuration of the system resource hierarchy. User interface element – Host Configuration tab > System Resource Allocation | HC and VC | Hosts | Hosts |
| Host.Configuration.Virtual machine autostart configuration | Change auto-start and auto-stop order of virtual machines on a single host. User interface element – Host Configuration tab > Virtual Machine Startup or Shutdown | HC and VC | Hosts | Hosts |

Host Inventory

Host inventory privileges control adding hosts to the inventory, adding hosts to clusters, and moving hosts in the inventory.

The table describes the privileges required to add and move hosts and clusters in the inventory.

Table 1-12. Host Inventory Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| Host.Inventory.Add host to cluster | Add a host to an existing cluster. User interface element – Inventory context menu, File > New > Add Host | VC only | Datacenters, Clusters, Host folders | Clusters |
| Host.Inventory.Add standalone host | Add a standalone host. User interface element – Toolbar button, Inventory context menu, Inventory > Datacenter > Add Host, File > New > Add Host, Hosts tab context menu | VC only | Datacenters, Host folders | Host folders |
| Host.Inventory.Create cluster | Create a new cluster. User interface elements – Toolbar button, inventory context menu, Inventory > Datacenter > New Cluster, File > New > Cluster | VC only | Datacenters, Host folders | Host folders |
| Host.Inventory.Modify cluster | Change the properties of a cluster. User interface element – Inventory context menu, Inventory > Cluster > Edit Settings, Summary tab | VC only | Datacenters, Clusters, Host folders | Clusters |
| Host.Inventory.Move cluster or standalone host | Move a cluster or standalone host between folders. Privilege must be present at both the source and destination. User interface element – Inventory hierarchy | VC only | Datacenters, Clusters, Host folders | Clusters |
| Host.Inventory.Move host | Move a set of existing hosts into or out of a cluster. Privilege must be present at both the source and destination. User interface element – Inventory hierarchy drag-and-drop | VC only | Datacenters, Clusters, Host folders | Clusters |
| Host.Inventory.Remove cluster | Delete a cluster or standalone host. In order to have permission to perform this operation, you must have this privilege assigned to both the object and its parent object. User interface element – Inventory context menu, Edit > Remove, Inventory > Cluster > Remove | VC only | Datacenters, Clusters, Host folders, Hosts | Clusters, Hosts |
| Host.Inventory.Remove host | Remove a host. In order to have permission to perform this operation, you must have this privilege assigned to both the object and its parent object. User interface element – Inventory drag-and-drop out of cluster, context menu, Inventory > Host > Remove | VC only | Datacenters, Clusters, Host folders, Hosts | Hosts plus parent object |
| Host.Inventory.Rename cluster | Rename a cluster. User interface element – Inventory single click, inventory hierarchy context menu, Inventory > Cluster > Rename | VC only | Datacenters, Clusters, Host folders | Clusters |

Host Local Operations

Host local operations privileges control actions performed when the vSphere Client is connected directly to a host.

The table describes the privileges required for actions performed when the vSphere Client is connected directly to a single host.

Table 1-13. Host Local Operations Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| Host.Local operations.Add host to vCenter | Install and uninstall vCenter agents, such as vpxa and aam, on a host. No vSphere Client user interface elements are associated with this privilege. | HC only | Root host | Root host |
| Host.Local operations.Create virtual machine | Create a new virtual machine from scratch on a disk without registering it on the host. No vSphere Client user interface elements are associated with this privilege. | HC only | Root host | Root host |
| Host.Local operations.Delete virtual machine | Delete a virtual machine on disk, whether registered or not. No vSphere Client user interface elements are associated with this privilege. | HC only | Root host | Root host |
| Host.Local operations.Manage user groups | Manage local accounts on a host. User interface element – Users & Groups tab (only present if the vSphere Client logs on to the host directly) | HC only | Root host | Root host |
| Host.Local operations.Reconfigure virtual machine | Reconfigure a virtual machine. | HC only | Root host | Root host |
| Host.Local operations.Relayout snapshots | Change the layout of a virtual machine's snapshots. | HC only | Root host | Root host |

Host vSphere Replication

Host vSphere replication privileges control the use of replication for a host's virtual machines.

The table describes privileges used for virtual machine replication by VMware vCenter Site Recovery Manager™.

Table 1-14. Host vSphere Replication Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| Host.vSphere Replication.Manage vSphere Replication | Manage replication of virtual machines on this host. | HC and VC | Hosts | Hosts |

Host Profile

Host Profile privileges control operations related to creating and modifying host profiles.

The table describes privileges required for creating and modifying host profiles.

Table 1-15. Host Profile Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| Host profile.Clear | Clear profile related information. Apply a profile to a host. User interface element – Inventory > Host > Host Profile > Apply Profile | HC and VC | Root vCenter Server | Root vCenter Server |
| Host profile.Create | Create a host profile. User interface element – Create Profile button on Profiles tab | HC and VC | Root vCenter Server | Root vCenter Server |
| Host profile.Delete | Delete a host profile. User interface element – Delete host profile button when a profile is selected | HC and VC | Root vCenter Server | Root vCenter Server |
| Host profile.Edit | Edit a host profile. User interface element – Edit Profile button when a profile is selected | HC and VC | Root vCenter Server | Root vCenter Server |
| Host profile.Export | Export a host profile. User interface element - Export Profile link on host profile Summary tab. | HC and VC | Root vCenter Server | Root vCenter Server |
| Host profile.View | View a host profile. User interface element – Host Profiles button on vSphere Client Home page | HC and VC | Root vCenter Server | Root vCenter Server |

Network

Network privileges control tasks related to network management.

The table describes privileges required for network management.

Table 1-16. Network Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
|---|---|---|---|---|
| Network.Assign network | Assign a network to a virtual machine. | HC and VC | Networks, Network folders | Networks, Virtual Machines |
| Network.Configure | Configure a network. | HC and VC | Networks, Network folders | Networks, Virtual Machines |
| Network.Move network | Move a network between folders. Privilege must be present at both the source and destination. User interface element – Inventory drag-and-drop | HC and VC | Networks | Networks |
| Network.Remove | Remove a network. This privilege is deprecated. To have permission to perform this operation, you must have this privilege assigned to both the object and its parent object. User interface element – Inventory network context menu, Edit > Remove, Inventory > Network > Remove | HC and VC | Networks, Network folders, and Datacenters | Networks |

Performance

Performance privileges control modifying performance statistics settings.

The table describes privileges required to modify performance statistics settings.

Table 1-17. Performance Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
|---|---|---|---|---|
| Performance.Modify intervals | Creates, removes, and updates performance data collection intervals. User interface element – Administration > vCenter Server Management Server Configuration > Statistics | VC only | Root vCenter Server | Root vCenter Server |


Permissions

Permissions privileges control the assigning of roles and permissions.

The table describes permissions required for assigning roles and permissions.

Table 1-18. Permissions Privileges

| Privilege Name | Description | Used | Pair with Object | Effective on Object |
|---|---|---|---|---|
| Permissions.Modify permission | Define one or more permission rules on an entity, or updates rules if already present for the given user or group on the entity. To have permission to perform this operation, you must have this privilege assigned to both the object and its parent object. User interface element – Permissions tab context menu, Inventory > Permissions menu | HC and VC | All inventory objects | Any object plus parent object |
| Permissions.Modify role | Update a role's name and its privileges. User interface element – Roles tab context menu, toolbar button, File menu | HC and VC | Root vCenter Server | Any object |
| Permissions.Reassign role permissions | Reassign all permissions of a role to another role. User interface element – Delete Role dialog box, Reassign affected users radio button and associated menu | HC and VC | Root vCenter Server | Any object |

Profile-driven Storage

Profile-driven storage privileges control operations related to storage profiles.

The table describes privileges required for viewing and updating storage profiles.

Table 1-19. Profile-driven Storage Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
|---|---|---|---|---|
| Profile-driven storage.Profile-driven storage update | Allows changes to be made to storage profiles, such as creating and updating storage capabilities and virtual machine storage profiles. | VC only | Root vCenter Server | Root vCenter Server |
| Profile-driven storage.Profile-driven storage view | Allows viewing of defined storage capabilities and storage profiles. | VC only | Root vCenter Server | Root vCenter Server |

Resource

Resource privileges control the creation and management of resource pools, as well as the migration of virtual machines.

The table describes privileges that control resource management and virtual machine migration.


Table 1-20. Resource Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
|---|---|---|---|---|
| Resource.Apply recommendation | Ask the server to go ahead with a suggested vMotion. User interface element – Cluster DRS tab | VC only | Datacenters, Clusters, Host folders | Clusters |
| Resource.Assign vApp to resource pool | Assign a vApp to a resource pool. User interface element – New vApp wizard | HC and VC | Datacenters, Clusters, Host folders, Resource pools, Hosts | Resource pools |
| Resource.Assign virtual machine to resource pool | Assign a virtual machine to a resource pool. User interface element – New Virtual Machine wizard | HC and VC | Datacenters, Clusters, Host folders, Resource pools, Hosts | Resource pools |
| Resource.Create resource pool | Create a new resource pool. User interface element – File menu, context menu, Summary tab, Resources tab | HC and VC | Datacenters, Clusters, Host folders, Resource pools, Hosts | Resource pools, clusters |
| Resource.Migrate | Migrate a virtual machine's execution to a specific resource pool or host. User interface element – Inventory context menu, Virtual Machine Summary tab, Inventory > Virtual Machine > Migrate, drag-and-drop | VC only | Datacenters, Virtual machine folders, Virtual machines | Virtual machines |
| Resource.Modify resource pool | Change the allocations of a resource pool. User interface element – Inventory > Resource Pool > Remove, Resources tab | HC and VC | Resource pools plus parent object | Resource pools |
| Resource.Move resource pool | Move a resource pool. Privilege must be present at both the source and destination. User interface element – Drag-and-drop | HC and VC | Resource pools plus parent object | Resource pools |
| Resource.Query vMotion | Query the general vMotion compatibility of a virtual machine with a set of hosts. User interface element – Required when displaying the migration wizard for a powered-on VM, to check compatibility | VC only | Root vCenter Server | Root vCenter Server |
| Resource.Relocate | Cold migrate a virtual machine's execution to a specific resource pool or host. User interface element – Inventory context menu, Virtual Machine Summary tab, Inventory > Virtual Machine > Migrate, drag-and-drop | VC only | Virtual machines | Virtual machines |
| Resource.Remove resource pool | Delete a resource pool. To have permission to perform this operation, you must have this privilege assigned to both the object and its parent object. User interface element – Edit > Remove, Inventory > Resource Pool > Remove, inventory context menu, Resources tab | HC and VC | Resource pools plus parent object | Resource pools |
| Resource.Rename resource pool | Rename a resource pool. User interface element – Edit > Rename, Inventory > Resource Pool > Rename, context menu | HC and VC | Resource pools | Resource pools |

Scheduled Task

Scheduled task privileges control creation, editing, and removal of scheduled tasks.

The table describes privileges required for creating and modifying scheduled tasks.

Table 1-21. Scheduled Task Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
|---|---|---|---|---|
| Scheduled task.Create tasks | Schedule a task. Required in addition to the privileges to perform the scheduled action at the time of scheduling. User interface element – Scheduled Tasks toolbar button and context menu | VC only | Any object | Any object |
| Scheduled task.Modify task | Reconfigure the scheduled task properties. User interface element – Inventory > Scheduled Tasks > Edit, Scheduled Tasks tab context menu | VC only | Any object | Any object |
| Scheduled task.Remove task | Remove a scheduled task from the queue. User interface element – Scheduled Tasks context menu, Inventory > Scheduled Task > Remove, Edit > Remove | VC only | Any object | Any object |
| Scheduled task.Run task | Run the scheduled task immediately. Creating and running a task also requires permission to perform the associated action. User interface element – Scheduled Tasks context menu, Inventory > Scheduled Task > Run | VC only | Any object | Any object |

Sessions

Sessions privileges control the ability of extensions to open sessions on the vCenter Server.

The table describes the privileges required to open sessions on vCenter Server.


Table 1-22. Session Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
|---|---|---|---|---|
| Sessions.Impersonate user | Impersonate another user. This capability is used by extensions. | VC only | Root vCenter Server | Root vCenter Server |
| Sessions.Message | Set the global log in message. User interface element – Sessions tab, Administration > Edit Message of the Day | VC only | Root vCenter Server | Root vCenter Server |
| Sessions.Validate session | Verifies session validity. | VC only | Root vCenter Server | Root vCenter Server |
| Sessions.View and stop sessions | View sessions. Force log out of one or more logged-on users. User interface element – Sessions tab | VC only | Root vCenter Server | Root vCenter Server |

Storage Views

Storage Views privileges control the ability to configure and use storage views on vCenter Server.

The table describes privileges required to configure and use storage views.

Table 1-23. Storage Views Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
|---|---|---|---|---|
| Storage views.Configure service | Allows changing options such as the reports update interval and database connectivity information. | VC only | Root vCenter Server | Root vCenter Server |
| Storage views.View | View Storage Views tab. User interface element – Storage Views tab. | VC only | Root vCenter Server | Root vCenter Server |

Tasks

Tasks privileges control the ability of extensions to create and update tasks on the vCenter Server.

The table describes privileges related to tasks.

Table 1-24. Tasks Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
|---|---|---|---|---|
| Tasks.Create task | Allows an extension to create a user-defined task. | VC only | Root vCenter Server | Root vCenter Server |
| Tasks.Update task | Allows an extension to update a user-defined task. | VC only | Root vCenter Server | Root vCenter Server |

vApp

vApp privileges control operations related to deploying and configuring a vApp.

The table describes privileges related to vApps.


Table 1-25. vApp Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
|---|---|---|---|---|
| vApp.Add virtual machine | Add a virtual machine to a vApp. User interface element – drag-and-drop in the Virtual Machines and Templates or Hosts and Clusters inventory view | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, vApps | vApps |
| vApp.Assign resource pool | Assign a resource pool to a vApp. User interface element – drag-and-drop in the Hosts and Clusters inventory view | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, vApps | vApps |
| vApp.Assign vApp | Assign a vApp to another vApp. User interface element – drag-and-drop in the Virtual Machines and Templates or Hosts and Clusters inventory view | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, vApps | vApps |
| vApp.Clone | Clone a vApp. User interface element – Inventory > vApp > Clone | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, vApps | vApps |
| vApp.Create | Create a vApp. | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, vApps | vApps |
| vApp.Delete | Delete a vApp. To have permission to perform this operation, you must have this privilege assigned to both the object and its parent object. User interface element – Inventory > vApp > Delete from Disk | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, vApps | vApps |
| vApp.Export | Export a vApp from vSphere. User interface element – File > Export > Export OVF Template | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, vApps | vApps |
| vApp.Import | Import a vApp into vSphere. User interface element – File > Deploy OVF Template | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, vApps | vApps |
| vApp.Move | Move a vApp to a new inventory location. User interface element – drag-and-drop in the Virtual Machines and Templates or Hosts and Clusters inventory view | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, vApps | vApps |
| vApp.Power Off | Power off a vApp. User interface element – Inventory > vApp > Power Off | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, vApps | vApps |
| vApp.Power On | Power on a vApp. User interface element – Inventory > vApp > Power On | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, vApps | vApps |
| vApp.Rename | Rename a vApp. User interface element – Inventory > vApp > Rename | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, vApps | vApps |
| vApp.Suspend | Suspend a vApp. User interface element – Inventory > vApp > Suspend | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, vApps | vApps |
| vApp.Unregister | Unregister a vApp. To have permission to perform this operation, you must have this privilege assigned to both the object and its parent object. User interface element – Inventory > vApp > Remove from Inventory | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, vApps | vApps |
| vApp.vApp application configuration | Modify a vApp's internal structure, such as product information and properties. User interface element – Edit vApp Settings dialog box, Options tab, Advanced option | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, vApps | vApps |
| vApp.vApp instance configuration | Modify a vApp's instance configuration, such as policies. User interface element – Edit vApp Settings dialog box, Options tab, Properties option and IP Allocation Policy option | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, vApps | vApps |
| vApp.vApp managedBy configuration | Allows an extension or solution to mark a vApp as being managed by that extension or solution. No vSphere Client user interface elements are associated with this privilege. | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, vApps | vApps |
| vApp.vApp resource configuration | Modify a vApp's resource configuration. To have permission to perform this operation, you must have this privilege assigned to both the object and its parent object. User interface element – Edit vApp Settings dialog box, Options tab, Resources option | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, vApps | vApps |
| vApp.View OVF Environment | View the OVF environment of a powered-on virtual machine within a vApp. User interface element – Virtual Machine Properties dialog box, Options tab, OVF Settings option, View button | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, vApps | vApps |

Virtual Machine Configuration

Virtual Machine Configuration privileges control the ability to configure virtual machine options and devices.

The table describes privileges required for configuring virtual machine options and devices.


Table 1-26. Virtual Machine Configuration Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
|---|---|---|---|---|
| Virtual machine.Configuration.Add existing disk | Add an existing virtual disk to a virtual machine. User interface element – Virtual Machine Properties dialog box | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Add new disk | Create a new virtual disk to add to a virtual machine. User interface element – Virtual Machine Properties dialog box | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Add or remove device | Add or removes any non-disk device. User interface element – Virtual Machine Properties dialog box | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Advanced | Add or modify advanced parameters in the virtual machine's configuration file. User interface element – Virtual Machine Properties dialog box > Options tab > Advanced - General option > Configuration Parameters button | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Change CPU count | Change the number of virtual CPUs. User interface element – Virtual Machine Properties dialog box | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Change resource | Change resource configuration of a set of VM nodes in a given resource pool. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Configure managedBy | Allows an extension or solution to mark a virtual machine as being managed by that extension or solution. No vSphere Client user interface elements are associated with this privilege. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Disk change tracking | Enable or disable change tracking for the virtual machine's disks. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Disk lease | Leases disks for VMware Consolidated Backup. No user vSphere Client interface elements are associated with this privilege. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Display connection settings | Allows configuration of virtual machine remote console options. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Extend virtual disk | Expand the size of a virtual disk. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Host USB device | Attach a host-based USB device to a virtual machine. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Memory | Change the amount of memory allocated to the virtual machine. User interface element – Virtual Machine Properties dialog box > Memory | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Modify device settings | Change the properties of an existing device. User interface element – Virtual Machine Properties dialog box > SCSI/IDE node selection | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Query Fault Tolerance compatibility | Check if a virtual machine is compatible for Fault Tolerance. | VC only | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Query unowned files | Query unowned files. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Raw device | Add or removes a raw disk mapping or SCSI passthrough device. Setting this parameter overrides any other privilege for modifying raw devices, including connection states. User interface element – Virtual Machine Properties > Add/Remove raw disk mapping | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Reload from path | Change a virtual machine configuration path while preserving the identity of the virtual machine. Solutions such as VMware vCenter Site Recovery Manager use this operation to maintain virtual machine identity during failover and failback. No user vSphere Client interface elements are associated with this privilege. | VC only | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Remove disk | Remove a virtual disk device. User interface element – Virtual Machine Properties dialog box > Hard Disk (but not a raw disk mapping) | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Rename | Rename a virtual machine or modifies the associated notes of a virtual machine. User interface element – Virtual Machine Properties dialog box, inventory, inventory context menu, File menu, Inventory menu | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Reset guest information | Edit the guest operating system information for a virtual machine. User interface element – Virtual Machine Properties dialog box Options tab, | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Set annotation | Allows adding or editing a virtual machine annotation. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Settings | Change general VM settings. User interface element – Virtual Machine Properties dialog box Options tab, General Options option | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Swapfile placement | Change the swapfile placement policy for a virtual machine. User interface element – Virtual Machine Properties dialog box Options tab, Swapfile Location option | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Unlock | Allow decrypting a virtual machine. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Configuration.Upgrade virtual hardware | Upgrade the virtual machine’s virtual hardware version from a previous version of VMware. User interface element – context menu, File menu (appears only if vmx file shows a lower configuration number) | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |

Virtual Machine Guest Operations

Virtual Machine Guest operations privileges control the ability to interact with files and programs inside a virtual machine's guest operating system.

The table describes privileges required for virtual machine guest operations accessed through the VMware vSphere API. See the VMware vSphere API Reference documentation for more information on these operations.

Table 1-27. Virtual Machine Guest Operations

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
|---|---|---|---|---|
| Virtual machine.Guest Operations.Guest Operation Modifications | Allows virtual machine guest operations that involve modifications to a guest operating system in a virtual machine, such as transferring a file to the virtual machine. No vSphere Client user interface elements are associated with this privilege. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Guest Operations.Guest Operation Program Execution | Allows virtual machine guest operations that involve executing a program in the virtual machine. No vSphere Client user interface elements are associated with this privilege. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Guest Operations.Guest Operation Queries | Allows virtual machine guest operations that involve querying the guest operating system, such as listing files in the guest operating system. No vSphere Client user interface elements are associated with this privilege. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |

Virtual Machine Interaction

Virtual Machine Interaction privileges control the ability to interact with a virtual machine console, configure media, perform power operations, and install VMware Tools.

The table describes privileges required for virtual machine interaction.


Table 1-28. Virtual Machine Interaction

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
|---|---|---|---|---|
| Virtual machine.Interaction.Acquire guest control ticket | Acquire a ticket to connect to a virtual machine guest control service remotely. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Interaction.Answer question | Resolve issues with VM state transitions or runtime errors. User interface element – Summary tab, Inventory menu, context menu | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Interaction.Backup operation on virtual machine | Perform backup operations on virtual machines. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Interaction.Configure CD media | Configure a virtual DVD or CD-ROM device. User interface element – Virtual Machine Properties dialog box > DVD/CD-ROM | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Interaction.Configure floppy media | Configure a virtual floppy device. User interface element – Virtual Machine Properties dialog box, Summary tab Edit Settings | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Interaction.Console interaction | Interact with the virtual machine’s virtual mouse, keyboard, and screen. User interface element – Console tab, toolbar button, Inventory > Virtual Machine > Open Console, inventory context menu | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Interaction.Create screenshot | Create a virtual machine screen shot. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Interaction.Defragment all disks | Defragment all disks on the virtual machine. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Interaction.Device connection | Change the connected state of a virtual machine’s disconnectable virtual devices. User interface element – Virtual Machine Properties dialog box, Summary tab Edit Settings | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Interaction.Disable Fault Tolerance | Disable the Secondary virtual machine for a virtual machine using Fault Tolerance. User interface element – Inventory > Virtual Machine > Fault Tolerance > Disable Fault Tolerance | VC only | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Interaction.Enable Fault Tolerance | Enable the Secondary virtual machine for a virtual machine using Fault Tolerance. User interface element – Inventory > Virtual Machine > Fault Tolerance > Enable Fault Tolerance | VC only | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Interaction.Power Off | Power off a powered-on virtual machine, shuts down guest. User interface element – Inventory > Virtual Machine > Power > Power Off, Summary tab, toolbar button, virtual machine context menu | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Interaction.Power On | Power on a powered-off virtual machine, resumes a suspended virtual machine. User interface element – Inventory > Virtual Machine > Power > Power On, Summary tab, toolbar button, virtual machine context menu | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Interaction.Record session on Virtual Machine | Record a session on a virtual machine. No vSphere Client user interface elements are associated with this privilege. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Interaction.Replay session on Virtual Machine | Replay a recorded session on a virtual machine. No vSphere Client user interface elements are associated with this privilege. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Interaction.Reset | Resets virtual machine and reboots the guest operating system. User interface element – Inventory > Virtual Machine > Power > Reset, Summary tab, toolbar button, virtual machine context menu | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Interaction.Suspend | Suspends a powered-on virtual machine, puts guest in standby mode. User interface element – Inventory > Virtual Machine > Power > Suspend, Summary tab, toolbar button, virtual machine context menu | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Interaction.Test failover | Test Fault Tolerance failover by making the Secondary virtual machine the Primary virtual machine. User interface element – Inventory > Virtual Machine > Fault Tolerance > Test Failover | VC only | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Interaction.Test restart Secondary VM | Terminate a Secondary virtual machine for a virtual machine using Fault Tolerance. User interface element – Inventory > Virtual Machine > Fault Tolerance > Test Restart Secondary | VC only | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Interaction.Turn Off Fault Tolerance | Turn off Fault Tolerance for a virtual machine. User interface element – Inventory > Virtual Machine > Fault Tolerance > Turn Off Fault Tolerance | VC only | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |

Virtualmachine.Interaction.Turn On FaultTolerance

Turn on Fault Tolerance for a virtual machine.User interface element – Inventory > VirtualMachine > Fault Tolerance > Turn On FaultTolerance

VC only Datacenters,Hosts, Clusters,Virtual machinefolders,Resource pools,Virtualmachines

Virtual machines

Virtualmachine.Interaction.VMware Toolsinstall

Mounts and unmounts the VMware Tools CDinstaller as a CD-ROM for the guest operatingsystem.User interface element– Inventory > VirtualMachine > Guest > Install/Upgrade VMwareTools,virtual machine context menu

HC and VC Datacenters,Hosts, Clusters,Virtual machinefolders,Resource pools,Virtualmachines

Virtual machines

Virtual Machine Inventory

Virtual Machine Inventory privileges control adding, moving, and removing virtual machines.

The table describes privileges required to add, move, and remove virtual machines in the inventory.


Table 1-29. Virtual Machine Inventory Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| Virtual machine.Inventory.Create from existing | Create a virtual machine based on an existing virtual machine or template, by cloning or deploying from a template. | HC and VC | Datacenters, Clusters, Hosts, Virtual machine folders | Clusters, Hosts, Virtual machine folders |
| Virtual machine.Inventory.Create new | Create a new virtual machine and allocate resources for its execution. User interface element – File menu, context menu, Summary tab - New Virtual Machine links | HC and VC | Datacenters, Clusters, Hosts, Virtual machine folders | Clusters, Hosts, Virtual machine folders |
| Virtual machine.Inventory.Move | Relocate a virtual machine in the hierarchy. Privilege must be present at both the source and destination. User interface element – Inventory hierarchy drag-and-drop in Virtual Machines & Templates view | VC only | Datacenters, Clusters, Hosts, Virtual machine folders, Virtual machines | Virtual machines |
| Virtual machine.Inventory.Register | Add an existing virtual machine to a vCenter Server or host inventory. | HC and VC | Datacenters, Clusters, Hosts, Virtual machine folders | Clusters, Hosts, Virtual machine folders |
| Virtual machine.Inventory.Remove | Delete a virtual machine, removing its underlying files from disk. To have permission to perform this operation, you must have this privilege assigned to both the object and its parent object. User interface element – File menu, context menu, Summary tab | HC and VC | Datacenters, Clusters, Hosts, Virtual machine folders, Virtual machines | Virtual machines |
| Virtual machine.Inventory.Unregister | Unregister a virtual machine from a vCenter Server or host inventory. To have permission to perform this operation, you must have this privilege assigned to both the object and its parent object. | HC and VC | Datacenters, Clusters, Hosts, Virtual machine folders, Virtual machines | Virtual machines |

Virtual Machine Provisioning

Virtual Machine Provisioning privileges control activities related to deploying and customizing virtual machines.

The table describes privileges required for virtual machine provisioning.


Table 1-30. Virtual Machine Provisioning Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| Virtual machine.Provisioning.Allow disk access | Open a disk on a virtual machine for random read and write access. Used mostly for remote disk mounting. No vSphere Client user interface elements are associated with this privilege. | n/a | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Provisioning.Allow read-only disk access | Open a disk on a virtual machine for random read access. Used mostly for remote disk mounting. No vSphere Client user interface elements are associated with this privilege. | n/a | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Provisioning.Allow virtual machine download | Read files associated with a virtual machine, including vmx, disks, logs, and nvram. No vSphere Client user interface elements are associated with this privilege. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Root host or vCenter Server |
| Virtual machine.Provisioning.Allow virtual machine files upload | Write files associated with a virtual machine, including vmx, disks, logs, and nvram. No vSphere Client user interface elements are associated with this privilege. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Root host or vCenter Server |
| Virtual machine.Provisioning.Clone template | Clone a template. User interface element – Inventory > Virtual Machine > Template > Clone, context menu, Virtual Machines tab | VC only | Datacenters, Hosts, Clusters, Resource pools, Virtual machine folders, Templates | Templates |
| Virtual machine.Provisioning.Clone virtual machine | Clone an existing virtual machine and allocate resources. User interface element – Inventory > Virtual Machine > Clone, context menu, Summary tab | VC only | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Provisioning.Create template from virtual machine | Create a new template from a virtual machine. User interface element – Inventory > Virtual Machine > Template > Clone to Template, context menu, Summary tab items | VC only | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Provisioning.Customize | Customize a virtual machine’s guest operating system without moving the virtual machine. User interface element – Clone Virtual Machine wizard: Guest Customization | VC only | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Provisioning.Deploy template | Deploy a virtual machine from a template. User interface element – “Deploy to template” File menu, context menu items, Virtual Machines tab | VC only | Datacenters, Hosts, Clusters, Resource pools, Virtual machine folders, Templates | Templates |
| Virtual machine.Provisioning.Mark as template | Mark an existing, powered off virtual machine as a template. User interface element – Inventory > Virtual Machine > Template > Convert to Template, context menu items, Virtual Machines tab, Summary tab | VC only | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Provisioning.Mark as virtual machine | Mark an existing template as a VM. User interface element – “Convert to Virtual Machine...” context menu items, Virtual Machines tab | VC only | Datacenters, Hosts, Clusters, Resource pools, Virtual machine folders, Templates | Templates |
| Virtual machine.Provisioning.Modify customization specification | Create, modify, or delete customization specifications. User interface element – Customization Specifications Manager | VC only | Root vCenter Server | Root vCenter Server |
| Virtual machine.Provisioning.Promote disks | Promote a virtual machine's disks. | VC only | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.Provisioning.Use client supplied customization specification | Create a temporary customization specification during cloning instead of using a stored specification. | VC only | Root vCenter Server | Root vCenter Server |
| Virtual machine.Provisioning.Use stored customization specifications | Use a stored customization specification. | VC only | Root vCenter Server | Root vCenter Server |

Virtual Machine State

Virtual machine state privileges control the ability to take, delete, rename, and restore snapshots.

The table describes privileges required to work with virtual machine snapshots.

Table 1-31. Virtual Machine State Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| Virtual machine.State.Create snapshot | Create a new snapshot from the virtual machine’s current state. User interface element – virtual machine context menu, toolbar button, Inventory > Virtual Machine > Snapshot > Take Snapshot | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.State.Remove Snapshot | Remove a snapshot from the snapshot history. User interface element – virtual machine context menu, toolbar button, Inventory menu | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.State.Rename Snapshot | Rename this snapshot with either a new name or a new description or both. No vSphere Client user interface elements are associated with this privilege. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.State.Revert to snapshot | Set the VM to the state it was in at a given snapshot. User interface element – virtual machine context menu, toolbar button, Inventory > Virtual Machine > Snapshot > Revert to Snapshot, Virtual Machines tab | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |


Virtual Machine vSphere Replication

Virtual Machine vSphere replication privileges control the use of replication for virtual machines.

The table describes privileges used for virtual machine replication by VMware vCenter Site Recovery Manager™.

Table 1-32. Virtual Machine vSphere Replication

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| Virtual machine.vSphere Replication.Configure vSphere Replication | Allows configuration of replication for the virtual machine. No vSphere Client user interface elements are associated with this privilege. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.vSphere Replication.Manage vSphere Replication | Allows triggering of full sync, online sync or offline sync on a replication. No vSphere Client user interface elements are associated with this privilege. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| Virtual machine.vSphere Replication.Monitor vSphere Replication | Allows monitoring of replication. No vSphere Client user interface elements are associated with this privilege. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |

vServices

vServices privileges control the ability to create, configure, and update vService dependencies for virtual machines and vApps.

The table describes privileges related to vService dependencies.

Table 1-33. vServices

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| vService.Create dependency | Allows creation of a vService dependency for a virtual machine or vApp. | HC and VC | Datacenters, Clusters, Hosts, Virtual machine folders, vApps, virtual machines | vApps and virtual machines |
| vService.Destroy dependency | Allows removal of a vService dependency for a virtual machine or vApp. | HC and VC | Datacenters, Clusters, Hosts, Virtual machine folders, vApps, virtual machines | vApps and virtual machines |
| vService.Reconfigure dependency configuration | Allows reconfiguring a dependency to update the provider or binding. | HC and VC | Datacenters, Clusters, Hosts, Virtual machine folders, vApps, virtual machines | vApps and virtual machines |
| vService.Update dependency | Allows updating a dependency to configure the name or description. | HC and VC | Datacenters, Clusters, Hosts, Virtual machine folders, vApps, virtual machines | vApps and virtual machines |

vSphere Distributed Switch

vSphere Distributed Switch privileges control the ability to perform tasks related to the management of vSphere Distributed Switches.

The table describes the privileges required to create and configure vSphere Distributed Switches.

Table 1-34. vSphere Distributed Switch Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| vSphere Distributed Switch.Create | Create a vSphere Distributed Switch. | HC and VC | Datacenters, Network folders | Datacenters, Network folders |
| vSphere Distributed Switch.Delete | Remove a vSphere Distributed Switch. To have permission to perform this operation, you must have this privilege assigned to both the object and its parent object. | HC and VC | vSphere Distributed Switches, Network folders, Datacenters | vSphere Distributed Switches |
| vSphere Distributed Switch.Host operation | Change the host members of a vSphere Distributed Switch. | HC and VC | vSphere Distributed Switches, Network folders, Datacenters | vSphere Distributed Switches |
| vSphere Distributed Switch.Modify | Change the configuration of a vSphere Distributed Switch. | HC and VC | vSphere Distributed Switches, Network folders, Datacenters | vSphere Distributed Switches |
| vSphere Distributed Switch.Move | Move a vSphere Distributed Switch into another folder. | VC only | vSphere Distributed Switches, Network folders, Datacenters | vSphere Distributed Switches |
| vSphere Distributed Switch.Network I/O control operation | Change the resource settings for a vSphere Distributed Switch. | HC and VC | vSphere Distributed Switches, Network folders, Datacenters | vSphere Distributed Switches |
| vSphere Distributed Switch.Policy operation | Change the policy of a vSphere Distributed Switch. | HC and VC | vSphere Distributed Switches, Network folders, Datacenters | vSphere Distributed Switches |
| vSphere Distributed Switch.Port configuration operation | Change the configuration of a port in a vSphere Distributed Switch. | HC and VC | vSphere Distributed Switches, Network folders, Datacenters | vSphere Distributed Switches |
| vSphere Distributed Switch.Port setting operation | Change the setting of a port in a vSphere Distributed Switch. | HC and VC | vSphere Distributed Switches, Network folders, Datacenters | vSphere Distributed Switches |
| vSphere Distributed Switch.VSPAN operation | Change the VSPAN configuration of a vSphere Distributed Switch. | HC and VC | vSphere Distributed Switches, Network folders, Datacenters | vSphere Distributed Switches |

VRM Policy

VRM policy privileges control the ability to query and update virtual rights management policies.

The table describes privileges related to virtual rights management.

Table 1-35. VRM Policy Privileges

| Privilege Name | Description | Affects | Pair with Object | Effective on Object |
| --- | --- | --- | --- | --- |
| VRMPolicy.QueryVRMPolicy | Query virtual rights management policy. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
| VRMPolicy.UpdateVRMPolicy | Update virtual rights management policy. | HC and VC | Datacenters, Hosts, Clusters, Virtual machine folders, Resource pools, Virtual machines | Virtual machines |
