As most administrators who have deployed VMware View would know, a service account is used by the View Connection server to connect to the vCenter server to create, manage and delete the virtual desktops. The service account is entered during the process of adding the vCenter that will be managing the virtual desktops:
… and as per the following VMware View 5.1 documentation:
… the required permissions for View Manager (does NOT include View Composer) are as follows:
|Privilege Group||Privileges to Enable|
|Virtual Machine|| |
I don’t actually live an breath in PowerCLI on a daily basis so my first attempt was to simply use the New-VIRole cmdlet:
… and the switches available to create the role in vCenter and assign the permissions which gives me the following cmdlet:
New-VIRole -Name "View Service" -Privilege "Create folder","Delete folder","Add or remove device","Advanced","Modify device settings","Power Off","Power On","Reset","Suspend","Create new","Remove","Customize","Deploy template","Read customization specifications","Assign virtual machine to resource pool","Act as vCenter Server
Although the role gets created and permissions are assigned, I noticed that additional permissions that weren’t needed were added to the role as well. The reason why the additional permissions were assigned was because the Power On and Power Off privilege were generic and included multiple these permissions for Interaction:
… which we needed but also vApp:
… which we didn’t need.
After browsing around the internet without any luck, I began using the FL switch at the end of Get-VIPrivilege to list the details of the privileges:
Get-VIPrivilege -Name “Power On” | FL
Notice how the 2 Power On privileges are listed along with the unique Id of the privilege. With this information, I proceed with repeating Get-VIPrivilege to list all of the privileges I needed for the VMware View service role and writing down the Id of the privilege I needed. Once I’ve gone through the list of privileges required, I was able to assign the permissions with the following 2 cmdlets:
$priv = Get-VIPrivilege -ID Folder.Create,Folder.Delete,VirtualMachine.Config.AddRemoveDevice,VirtualMachine.Config.AdvancedConfig,VirtualMachine.Config.EditDevice,VirtualMachine.Interact.PowerOff,VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.Reset,VirtualMachine.Interact.Suspend,VirtualMachine.Inventory.Create,VirtualMachine.Inventory.Delete,VirtualMachine.Provisioning.Customize,VirtualMachine.Provisioning.DeployTemplate,VirtualMachine.Provisioning.ReadCustSpecs,Resource.AssignVMToPool,Global.VCServer
New-VIRole -Name "VMware View Service" -Privilege $priv
**Note that it is important that you assign the privileges to the variable then use it to create the role and assign the privileges or this will not work.
Once this role has been created:
… the last step was to execute the following to add your domain service account to the role:
$rootFolder = Get-Folder -NoRecursion
$myPermission = New-VIPermission -Entity $rootFolder -Principal “domain\svc_view” -Role “VMware View Service” -Propagate:$true
… which will assign the domain service account to the vCenter object (top most level) indicated as a requirement in the documentation here:
Note that the this post only covers the permissions required for VMware View Manager and not View Composer. I will try to find some time to write another post which includes those permissions when I get the chance.