VMware vCenter Cloud - Required permissions

Expedient Operations CTRL is powered, in part, by Morpheus. This document covers permissions required to add your VMware vCenter as a "cloud" in the Morpheus interface.

When integrating VMware vCenter with Morpheus, users must supply credentials for a vCenter service account. This steps below outline the minimum permissions required for the service account and what vCenter objects to apply the permissions to for integration to work.

vCenter Role

Before we can apply permissions, a role must be created within vCenter. This role is only to be used for the service account used by the Morpheus tenant.

1. Create a Role (Menu → Administration → Roles)
2. Click "+".
3. Permissions needed:
   • Datastore
     • Allocate Space
     • Browse Datastore
     • Low Level file Operations
     • Remove File
     • Update virtual machine files
     • Update virtual machine metadata
   • Distributed Switch
     • Port configuration operation
     • Port setting operation
   • Folder
     • All Folder Privileges
   • Global
     • Log Event
     • Manage custom attributes
     • Set custom attribute
   • Network
     • Assign Network
     • Configure
     • Remove
   • Resource
     • Apply recommendation
     • Assign vApp to resource pool
     • Assign virtual machine to resource pool
     • Migrate powered off virtual machine
     • Migrate powered on virtual machine
   • Scheduled task
     • All Scheduled Task Privileges
   • Tasks
     • All Tasks Privileges
   • Virtual Machine
     • Change Configuration (all)
     • Edit Inventory (all)
     • Guest Operations (all)
     • Interaction (all)
     • Provisioning (all)
     • Service Configuration (all)
     • Snapshot management (all)
     • vSphere Replication (all)
   • vApp
     • Clone
     • Export
     • Import
   • vSphere Tagging
     • All vSphere Tagging Privileges
4. Click "Next".
5. Name: "Morpheus Tenant Admin"
6. Description: "Role for Morpheus Tenant Administrator"
7. Click "Finish".

Morpheus Tenant Service Account

Create a Service Account either local to vCenter or in a Domain with access to your vSphere environment. Our typical naming scheme is svc[ClientName]CTRL. Please note that Active Directory account names must be 20 characters or fewer.

vCenter Object Permissions

The Morpheus Tenant Service Account requires the following Permissions on vCenter Objects with the Morpheus Tenant Admin role being applied

• vCenter
  • Non-Propagating
• Datacenter
  • Non-Propagating
• Cluster(POD)
  • Non-Propagating
• Host (Applied on each individual host)
  • Non-Propagating
• Resource Pool
  • Propagating
    *** VM Folder**
  • Propagating
• Datastore Folder
  • Propagating
• Port Groups
  • Propagating