Documentation for Virtualization Manager

Required permissions for VMware, Hyper-V, and Nutanix credentials in VMAN

To monitor virtual objects in VMAN, your credentials must have the correct permissions for any object or metric you wish to monitor. In general, VMAN will be able to monitor objects and metrics that match the permission level of your credential.

See the following section for basic minimum permissions required for VMAN for monitoring VMware, Hyper-V, and Nutanix environments.

For more detailed information regarding the minimum permissions required for each specific feature in VMAN, see the sections for detailed permissions levels:

ESX host monitoring and management

VMware vCenter device monitoring and management

Hyper-V device monitoring and management

Nutanix device monitoring and management

Basic minimum permissions required for VMAN

This table highlights the minimum required permissions for VMware and Hyper-V monitoring:

VMware

The VMware user account needs the following permissions:

  • For data collection, at least Read-Only permissions for the host and VMs you want to monitor
  • For datastore collection, the Browse Datastore permission

Hyper-V

The Hyper-V account used for data collection must have the Enable Account and Remote Enable permissions.

For more information about enabling account privileges in WMI, see Configuring Distributed Component Object Model and User Account Control.

Nutanix

There are two types of Nutanix credentials required for monitoring in VMAN.

 

Nutanix API credentials

To poll up/down status and metrics (CPU usage, memory usage, etc.) for Nutanix clusters and AHV hosts, you need Nutanix API credentials. No special permissions are needed for the API credentials.

You can create API credentials when you add a Nutanix cluster for monitoring.

 

Nutanix CVM credentials

For monitoring hardware health of Nutanix clusters and AHV hosts, you need to create and assign Nutanix CVM credentials with the following permission to a Nutanix cluster:

 

Detailed permission levels and requirements for monitoring and managing ESX hosts

For users with an Administrator role, all privileges and features are available. However, when you use the built-in Read Only role provided by VMware, you need to add privileges to perform certain operations. This table shows which role you need to provide to enable specific features in VMAN:

 

  Read Only Role Read All Role Full Orion Role Administrator Role
Environment / Infrastructure statistic data
Chargeback
Storage tab
Sprawl page limited*
Datastore Files (Orphan VMDKs)
Management Actions - Interact + Config
Recommendations
Hardware Health Data**
Capacity Planning***

* Management actions are not available on the Sprawl page, and the Orphaned VMDKs widget will be empty.

** There is a limitation on the VMware side that blocks polling of CIM data on custom roles. CIM data are available only for the Administrator role or for vCenters.

*** Capacity planning is supported only for Clusters. Clusters can be created only with vCenter.

 

Full Orion Permissions

With a full Orion role, VMAN can interact with VMs and datastores via Management Actions. A full Orion role is not a built-in VMware role but a SolarWinds-recommended custom ESXi role that allows for the VMAN functionality depicted in the table above. To equal a full Orion role, the following Virtual Machine permissions must be enabled for the user:

  • PowerOn
  • PowerOff
  • Suspend
  • SuspendToMemory
  • Reset
  • Pause
  • Interact
  • State
  • CreateSnapshot
  • RemoveSnapshot
  • Config
  • CPUCount
  • Memory
  • Inventory
  • Unregister
  • Delete

Detailed permission levels and requirements for VMware vCenter device monitoring and management

For users with an Administrator role, all privileges and features are available. However, when you use the built-in Read Only role provided by VMware, you need to add privileges to perform certain operations. This table shows which role you need to provide to enable specific features in VMAN:

  Read Only Role Read All Role Full Orion Role Administrator Role
Environment / Infrastructure statistic data
Capacity Planning
Chargeback
Storage tab
VMware Events
Hardware Health Data
Sprawl page limited*
Datastore Files (Orphan VMDKs)
Management Actions - Interact + Config
Recommendations

* Management actions are not available on the Sprawl page, and the Orphaned VMDKs widget will be empty.

 

Full Orion Role permissions

With a full Orion role, VMAN can interact with VMs and datastores via Management Actions. A full Orion role is not a built-in VMware role but a SolarWinds-recommended custom vCenter role that allows for the VMAN functionality depicted in the table above. To equal a full Orion role, the following permissions must be enabled for the user:

Datastore

  • Allocate space
  • Browse datastore

Resource

  • Migrate powered off virtual machine
  • Migrate powered on virtual machine

Virtual Machine

  • Change Configuration
    • Change CPU count
    • Change Memory
  • Edit Inventory
    • Remove
    • Unregister
  • Interaction
    • Power off
    • Power on
    • Reset
    • Suspend
  • Snapshot management
    • Create snapshot
    • Remove snapshot

Detailed permission levels and requirements for Hyper-V device monitoring and management

Standalone Hyper-V hosts

To poll standalone Hyper-V hosts, a WMI user needs the following permissions. Note that the permissions listed here for each namespace should be set for that namespace only.

Namespace                Permission
root\virtualization      Execute Methods, Enable Account, Remote Enable
root\virtualization\v2   Execute Methods, Enable Account, Remote Enable
root\CIMV2               Enable Account, Remote Enable
root                     Execute Methods, Enable Account, Remote Enable
root\WMI                 Execute Methods, Enable Account, Remote Enable
root\MSCluster           Enable Account, Remote Enable

For more information about enabling account privileges in WMI, see Configuring Distributed Component Object Model and User Account Control.
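
As an added example (not SolarWinds code), the following Python code compares the WMI rights a polling account holds in each namespace against the table above and reports missing rights, rights beyond the table, and entries that propagate to subnamespaces. The access-mask and ACE-flag values are the standard Windows constants; reading "that namespace only" as the non-inherited scope is an assumption, and the sample data is constructed.

```python
# Added example (not SolarWinds code); the sample ACE data is constructed.
ENABLE, EXECUTE, REMOTE = 0x01, 0x02, 0x20
NAMES = {
    ENABLE: "Enable Account", EXECUTE: "Execute Methods", 0x04: "Full Write",
    0x08: "Partial Write", 0x10: "Provider Write", REMOTE: "Remote Enable",
    0x20000: "Read Security", 0x40000: "Edit Security",
}
CONTAINER_INHERIT_ACE = 0x02  # ACE flag: entry also applies to subnamespaces

# Required rights per namespace, taken from the table above (lower-cased).
REQUIRED = {
    "root\\virtualization": EXECUTE | ENABLE | REMOTE,
    "root\\virtualization\\v2": EXECUTE | ENABLE | REMOTE,
    "root\\cimv2": ENABLE | REMOTE,
    "root": EXECUTE | ENABLE | REMOTE,
    "root\\wmi": EXECUTE | ENABLE | REMOTE,
    "root\\mscluster": ENABLE | REMOTE,
}

def right_names(mask):
    """Decode an access mask into a comma-separated list of right names."""
    return ", ".join(name for bit, name in sorted(NAMES.items()) if mask & bit)

def audit(aces):
    """aces: {namespace: (access_mask, ace_flags)}; returns {namespace: [findings]}."""
    granted = {ns.lower(): ace for ns, ace in aces.items()}
    report = {}
    for ns, need in REQUIRED.items():
        mask, flags = granted.get(ns, (0, 0))  # no ACE means no rights
        findings = []
        if need & ~mask:
            findings.append("missing: " + right_names(need & ~mask))
        if mask & ~need:
            findings.append("excess: " + right_names(mask & ~need))
        if flags & CONTAINER_INHERIT_ACE:
            findings.append("not limited to this namespace")
        if findings:
            report[ns] = findings
    return report

SAMPLE = {  # constructed: rights read for one account, per namespace
    "root": (0x23, 0x02),                      # inherits to subnamespaces
    "root\\CIMV2": (0x23, 0x00),               # Execute Methods not required
    "root\\virtualization": (0x23, 0x00),
    "root\\virtualization\\v2": (0x21, 0x00),  # Execute Methods missing
    "root\\WMI": (0x23, 0x00),                 # MSCluster has no entry at all
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a live host, the mask and flags for each namespace come from the account's ACE in that namespace's security descriptor.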

 

Hyper-V cluster polling

For cluster polling, the WMI user needs to be part of a domain group that exists on all clusters and has full cluster rights. You can create a new group or use an existing built-in group.

For more information about enabling account privileges in WMI, see Configuring Distributed Component Object Model and User Account Control.

Detailed permission levels and requirements for Nutanix device monitoring and management

Nutanix provides two types of credentials: API and CVM. API credentials are needed for device monitoring functionality and management actions. CVM credentials are needed for gathering and viewing Hardware Health Data.

API credentials for data visibility in VMAN

An AHV Nutanix cluster managed by Prism Element can have three roles: Viewer, Cluster Administrator, and User Administrator. For more detailed user permissions, Prism Central should be used.

  Viewer Cluster Administrator User Administrator
Environment / Infrastructure statistic data
Chargeback
Storage tab
Hardware Health Data CVM CVM CVM
Sprawl page limited*
Management Actions - Power on, Power off

* Management actions from the Sprawl page are not supported by VMAN for Nutanix.

 

CVM credential requirement for polling Nutanix Hardware Health

For Nutanix Hardware Health monitoring to work properly in VMAN, the user’s CVM credentials must be set so that the user can perform sudo actions without being asked for the password. Out of the box, the only user that matches this requirement is the default nutanix user. If you wish to use a different user, including root, you must set the correct NOPASSWD permission in your /etc/sudoers file as shown below for the nutanix user:

## Allow root to run any commands anywhere
root ALL=(ALL) ALL
nutanix ALL=(ALL) NOPASSWD: ALL
ngt ALL=(root) NOPASSWD: /home/scripts/configure_cluster_as_ca
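
To confirm which accounts meet the passwordless sudo requirement and how broad each grant is, the following added example (not SolarWinds or Nutanix code) parses sudoers user entries and classifies each account's NOPASSWD scope. It assumes plain user entries without aliases, groups, includes or line continuations; the svc_example account and its commands are constructed.

```python
import re

# Added example, not SolarWinds or Nutanix code. Assumes plain user entries:
# no aliases, %groups, includes or line continuations.
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG = re.compile(r"([A-Z_]+):\s*")

def nopasswd_commands(sudoers_text, user):
    """Return (runas, command) pairs `user` may run without a password."""
    allowed = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = SPEC.match(line)
        if not m or m["who"] != user:
            continue
        nopasswd = False
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            # A tag prefixes a command and stays in effect for later ones.
            while (tag := TAG.match(cmd)):
                if tag[1] in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag[1] == "NOPASSWD"
                cmd = cmd[tag.end():]
            if nopasswd:
                allowed.append((m["runas"] or "root", cmd))
    return allowed

def sudo_scope(sudoers_text, user):
    """Classify passwordless sudo for `user`: 'all', 'restricted' or 'none'."""
    cmds = nopasswd_commands(sudoers_text, user)
    if any(cmd == "ALL" for _, cmd in cmds):
        return "all"  # the scope the page's nutanix entry grants
    return "restricted" if cmds else "none"

# The entries shown on this page, plus one constructed account (svc_example).
SUDOERS = """\
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
nutanix ALL=(ALL) NOPASSWD: ALL
ngt ALL=(root) NOPASSWD: /home/scripts/configure_cluster_as_ca
svc_example ALL=(ALL) PASSWD: /usr/bin/id, NOPASSWD: /usr/bin/uptime, /usr/bin/df
"""

if __name__ == "__main__":
    for account in ("root", "nutanix", "ngt", "svc_example"):
        print(account, sudo_scope(SUDOERS, account))
```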