Sunday, April 7, 2013

Configuring vCenter role permissions for VMware vSphere 5.1 and VMware Horizon View 5.2 (View Manager and View Composer)

As some administrators may have noticed, VMware has made quite a few changes to vSphere 5.1 and I was a bit thrown off by the change to the layout of permissions while I configured the role for the VMware View service account because it doesn’t look like the VMware Horizon View 5.2 documentation was written for vSphere 5.1.  After browsing around the permissions available in vCenter 5.1 the change I noticed was that there is no longer the section Virtual Machine –> State as stated in the documentation:

http://pubs.vmware.com/view-52/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-467F552F-3034-4917-A985-B5E5FEC5C68F.html

clip_image001

These permissions in vCenter 5.1 have since been moved to Virtual Machine –> Snapshot:

image

Here is a screenshot of the old vCenter 5.0 Virtual Machine –> State option:

image

Seeing how I got a bit confused with this, I’m sure my colleagues are going to ask me about this so I thought I’d write this blog post so I can refer them to it.  First off, it’s important to note that there are 2 sets of permissions in the VMware Horizon View 5.2 documentation you need to be aware about that is listed in the following URL:

Configuring User Accounts for vCenter Server and View Composer
http://pubs.vmware.com/view-52/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-997107E5-F66D-494C-B2BA-A74977C7804C.html

The first one is:

View Manager Privileges Required for the vCenter Server User
http://pubs.vmware.com/view-52/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-A878F876-B359-42FC-9124-A1E34BFB3319.html

These permissions are only enough for you to configure View Manager to deploy virtual desktops that do not rely on the View Composer.  If you intend on deploying virtual desktops such as linked clones which requires View Composer then you’ll need to configure the additional permissions listed in the second URL:

View Composer Privileges Required for the vCenter Server User

http://pubs.vmware.com/view-52/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-467F552F-3034-4917-A985-B5E5FEC5C68F.html

With this clarified, the following are the permissions required to configure the role in VMware vCenter 5.1 for VMware Horizon View 5.2:

Datastore

  • Allocate space
  • Browse datastore
  • Low level file operations

clip_image001[4]

Folder

  • Create folder
  • Delete folder

clip_image001[6]

Global

  • Disable methods
  • Enable methods
  • System tag

clip_image001[8]

Network

  • Assign network
  • Configure
  • Move network
  • Remove

clip_image001[10]

Resource

  • Assign virtual machine to resource pool
  • Migrate powered off virtual machine

clip_image001[12]

Virtual machine –> Configuration

  • All items

clip_image001[14]

Virtual machine –> Interaction

  • Power Off
  • Power On
  • Reset
  • Suspend

clip_image001[16]

Virtual machine –> Provisioning

  • Allow disk access
  • Clone virtual machine
  • Customize
  • Deploy template
  • Read customization specifications

clip_image001[18]

Virtual machine –> Snapshot management

  • Create snapshot
  • Remove Snapshot
  • Rename Snapshot
  • Revert to snapshot

clip_image001[20]

Hope this helps anyone out there looking for updated permission settings for configuring the role for the VMware Horizon View 5.2’s vCenter 5.1 service account.

No comments: