Thursday, April 4, 2013

Permissions required for Citrix XenDesktop 5.6 and VMware vSphere 5.1

As some administrators may have noticed, VMware has made quite a few changes in vSphere 5.1. I was thrown off by the change to the layout of permissions while I configured the role for the XenDesktop service account, because the only documentation from Citrix that I could find was written for XenDesktop 5 and VMware vSphere 5.  After browsing the permissions available in vCenter 5.1, the change I noticed was that there is no longer a Virtual Machine –> State section, which explains why I couldn't find the Create Snapshot, Remove Snapshot and Revert to Snapshot privileges when I tried to assign them:

http://support.citrix.com/proddocs/topic/xendesktop-rho/cds-vmware-rho.html

These permissions in vCenter 5.1 have since been moved to Virtual Machine –> Snapshot management.

Here is a screenshot of the old vCenter 5.0 Virtual Machine –> State option:

[Screenshot: vCenter 5.0 Virtual Machine –> State]

I think it’s important to note that I ran into the same issue when configuring the permissions for a VMware View 5.1 environment a week ago, as VMware hasn’t updated their documentation either.  Seeing how I’ve been doing XenDesktop deployments quite frequently, I thought it would be a good idea to blog the permission settings so I have something to refer to in the future.  Note that the permissions haven’t changed that much, so much of the following Citrix eDoc still applies:

Using VMware with XenDesktop
http://support.citrix.com/proddocs/topic/xendesktop-rho/cds-vmware-rho.html

Datastore

  • Allocate space
  • Browse datastore
  • Low level file operations

Global

  • Manage custom attributes
  • Set custom attribute

Network

  • Assign network

Resource

  • Assign virtual machine to resource pool

Tasks

  • Create task

Virtual machine –> Configuration

  • Add existing disk
  • Add new disk
  • Change CPU count
  • Change resource
  • Memory
  • Remove disk

Virtual machine –> Interaction

  • Power Off
  • Power On
  • Reset
  • Suspend

Virtual machine –> Inventory

  • Create from existing
  • Create new
  • Register
  • Remove

Virtual machine –> Provisioning

  • Allow disk access
  • Allow virtual machine download
  • Allow virtual machine files upload
  • Clone template
  • Clone virtual machine
  • Deploy template

Virtual machine –> Snapshot management

  • Create snapshot
  • Revert to snapshot

Hope this helps anyone out there looking for updated permission settings for configuring the role for the XenDesktop 5.6 service account.
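
The same role can be built and checked from PowerCLI instead of ticking boxes in the client. This is an added example, not from the original post or from Citrix: the role name is a placeholder, and the privilege IDs are the API identifiers for the labels listed above (the two snapshot privileges keep the VirtualMachine.State prefix in the API even though the 5.1 client shows them under Snapshot management).

```powershell
# Added example (not from the original post). Assumes VMware PowerCLI and an
# existing Connect-VIServer session; the role name is a placeholder.
$roleName = 'XenDesktop-Service'

# API privilege IDs for the UI labels listed in the post, grouped by prefix.
$map = [ordered]@{
    'Datastore'                   = 'AllocateSpace', 'Browse', 'FileManagement'
    'Global'                      = 'ManageCustomFields', 'SetCustomField'
    'Network'                     = 'Assign'
    'Resource'                    = 'AssignVMToPool'
    'Task'                        = 'Create'
    'VirtualMachine.Config'       = 'AddExistingDisk', 'AddNewDisk', 'CPUCount',
                                    'Resource', 'Memory', 'RemoveDisk'
    'VirtualMachine.Interact'     = 'PowerOff', 'PowerOn', 'Reset', 'Suspend'
    'VirtualMachine.Inventory'    = 'CreateFromExisting', 'Create', 'Register', 'Delete'
    'VirtualMachine.Provisioning' = 'DiskRandomAccess', 'GetVmFiles', 'PutVmFiles',
                                    'CloneTemplate', 'Clone', 'DeployTemplate'
    # Listed under "Snapshot management" in the 5.1 client
    'VirtualMachine.State'        = 'CreateSnapshot', 'RevertToSnapshot'
}
$wanted = foreach ($prefix in $map.Keys) {
    foreach ($name in $map[$prefix]) { "$prefix.$name" }
}

# Fail closed if this vCenter does not know an ID, instead of creating a
# role that silently lacks a privilege.
$known   = (Get-VIPrivilege -PrivilegeItem).Id
$unknown = $wanted | Where-Object { $_ -notin $known }
if ($unknown) { throw "Unknown privilege IDs: $($unknown -join ', ')" }

# Create the role only if it does not exist yet.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id $wanted)
}

# Drift check: vCenter adds System.* privileges to every role, so ignore those.
$extra   = $role.PrivilegeList |
    Where-Object { $_ -notin $wanted -and $_ -notlike 'System.*' }
$missing = $wanted | Where-Object { $_ -notin $role.PrivilegeList }
[pscustomobject]@{ Role = $role.Name; Extra = $extra; Missing = $missing }
```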

5 comments:

Anonymous said...

I have given my vSphere Role "All Privileges" but I continue to get "Unable to upload disk" errors when creating a Machine Catalog. Are there undocumented Datastore privileges that are required?

Anonymous said...

I am having a similar issue with XenDesktop 7. I am using vSphere 5.1 and vCenter 5.1, up to date. The user has administrator access to the vCenter Server. I can connect and create a resource. When I run the test it fails with "Datastore path not found". When I try to create a VM using MCS it fails at Preparing VM with an "unable to upload disk" error. Any suggestions?

Cheers,
Ash.

Darren Bennett said...

Ash, you probably worked this out a while ago but just in case....

When you connect to the host infrastructure SDK you have to click all the data stores you intend to use, else you will get the error you have listed when trying to deploy a desktop using a template that resides on a data store you've not selected during that host infrastructure connection.

So go back to XD and edit the host infrastructure connection (you can use "add storage") and ensure ALL available data stores (or at least those you intend on using going forward) are selected.

Anonymous said...

I am having the same issue as Ash. When I try to test resources I get the error: DataStore path not found. Any suggestions?

Thank you in advance

Anonymous said...

Any chance to set the permissions for the service account in vSphere not on Datacenter but on folder level?

In order to have a limited view containing the servers relevant for the Citrix sites only?

We tried so but unfortunately without success.
It looked promising at the beginning as the wizard for creation of new connections runs through.
But afterwards testing the connection or trying to deploy servers with MCS fails.

Thanks for any replies.