Required permissions for VMware, Hyper-V, and Nutanix credentials in VMAN
To monitor virtual objects in VMAN, your credentials must have the correct permissions for any object or metric you wish to monitor. In general, VMAN will be able to monitor objects and metrics that match the permission level of your credential.
See the following section for basic minimum permissions required for VMAN for monitoring VMware, Hyper-V, and Nutanix environments.
For more detailed information regarding the minimum permissions required for each specific feature in VMAN, see the sections for detailed permissions levels:
ESX host monitoring and management
VMware vCenter device monitoring and management
Hyper-V device monitoring and management
Nutanix device monitoring and management
Basic minimum permissions required for VMAN
This table highlights the minimum required permissions for VMware and Hyper-V monitoring:
VMware |
The VMware user account needs the following permissions:
|
Hyper-V |
The Hyper-V account used for data collection must have the Enable Account and Remote Enable permissions. For more information about enabling account privileges in WMI, see Configuring Distributed Component Object Model and User Account Control. |
Nutanix |
There are two types of Nutanix credentials required for monitoring in VMAN.
Nutanix API credentials: For monitoring up/down status and metrics (CPU usage, memory usage, etc.) polling for Nutanix clusters and AHV hosts, you need Nutanix API credentials. No special permissions for API credentials are needed. You can create API credentials when you add a Nutanix cluster for monitoring.
Nutanix CVM credentials: For monitoring hardware health of Nutanix clusters and AHV hosts, you need to create and assign Nutanix CVM credentials with the following permission to a Nutanix cluster:
|
Detailed permission levels and requirements for monitoring and managing ESX hosts
For users with an Administrator role, all privileges and features will be available. However, when you use a built-in Read Only role provided by VMware, you will need to add additional privileges to perform certain operations. This table shows you what level role you need to provide to enable specific features in VMAN:
Read Only Role | Read All Role | Full Orion Role | Administrator Role | |
---|---|---|---|---|
Environment / Infrastructure statistic data | ||||
Chargeback | ||||
Storage tab | ||||
Sprawl page limited* | ||||
Datastore Files (Orphan VMDKs) | ||||
Management Actions - Interact + Config | ||||
Recommendations | ||||
Hardware Health Data** | ||||
Capacity Planning *** |
* Management actions are not available on the Sprawl page, and the Orphaned VMDKs widget will be empty.
** There is a limitation on the VMware side that blocks polling of CIM data on custom roles. CIM data are available only for the Administrator role or for vCenters.
*** Capacity planning is supported only for Clusters. Clusters can be created only with vCenter.
With a full Orion role, VMAN can interact with VMs and datastores via Management Actions. A full Orion role is not a built-in VMware role but a SolarWinds-recommended custom ESXi role that allows for the VMAN functionality depicted in the table above. To equal a full Orion role, the following Virtual Machine permissions must be enabled for the user:
- PowerOn
- PowerOff
- Suspend
- SuspendToMemory
- Reset
- Pause
- Interact
- State
- CreateSnapshot
- RemoveSnapshot
- Config
- CPUCount
- Memory
- Inventory
- Unregister
- Delete
Detailed permission levels and requirements for VMware vCenter device monitoring and management
For users with an Administrator role, all privileges and features will be available. However, when you use a built-in Read Only role provided by VMware, you will need to add additional privileges to perform certain operations. This table shows you what level role you need to provide to enable specific features in VMAN:
Read Only Role | Read All Role | Full Orion Role | Administrator Role | |
---|---|---|---|---|
Environment / Infrastructure statistic data | ||||
Capacity Planning | ||||
Chargeback | ||||
Storage tab | ||||
VMware Events | ||||
Hardware Health Data | ||||
Sprawl page limited* | ||||
Datastore Files (Orphan VMDKs) | ||||
Management Actions - Interact + Config | ||||
Recommendations |
* Management actions are not available on the Sprawl page, and the Orphaned VMDKs widget will be empty.
With a full Orion role, VMAN can interact with VMs and datastores via Management Actions. A full Orion role is not a built-in VMware role but a SolarWinds-recommended custom vCenter role that allows for the VMAN functionality depicted in the table above. To equal a full Orion role, the following permissions must be enabled for the user:
Datastore
- Allocate space
- Browse datastore
Resource
- Migrate powered off virtual machine
- Migrate powered on virtual machine
Virtual Machine
- Change Configuration
  - Change CPU count
  - Change Memory
- Edit Inventory
  - Remove
  - Unregister
- Interaction
  - Power off
  - Power on
  - Reset
  - Suspend
- Snapshot management
  - Create snapshot
  - Remove snapshot
Detailed permission levels and requirements for Hyper-V device monitoring and management
Standalone Hyper-V hosts
To poll standalone Hyper-V hosts, a WMI user needs the following permissions. Note the permissions listed here for each namespace should be set for that namespace only.
Namespace | Permission |
---|---|
root\virtualization | Execute Methods, Enable Account, Remote Enable |
root\virtualization\v2 | Execute Methods, Enable Account, Remote Enable |
root\CIMV2 | Enable Account, Remote Enable |
root | Execute Methods, Enable Account, Remote Enable |
root\WMI | Execute Methods, Enable Account, Remote Enable |
root\MSCluster | Enable Account, Remote Enable |
For more information about enabling account privileges in WMI, see Configuring Distributed Component Object Model and User Account Control.
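The following audit is an added example, not SolarWinds code: it compares a polling account's WMI namespace ACEs with the table above and reports missing rights, rights beyond the table, and ACEs that propagate to subnamespaces. It assumes the "that namespace only" note means the ACE should not carry the container-inherit flag; the `SAMPLE` data and function names are constructed for illustration.

```python
# WMI access-mask bits behind the rights shown in the WMI Control security dialog.
RIGHTS = {
    0x1: "Enable Account",
    0x2: "Execute Methods",
    0x4: "Full Write",
    0x8: "Partial Write",
    0x10: "Provider Write",
    0x20: "Remote Enable",
    0x20000: "Read Security",
    0x40000: "Edit Security",
}
CONTAINER_INHERIT_ACE = 0x2  # ACE flag: ACE also applies to subnamespaces

BASE = 0x1 | 0x20   # Enable Account + Remote Enable
EXEC = BASE | 0x2   # ... plus Execute Methods
REQUIRED = {        # namespace -> required mask, copied from the table above
    r"root\virtualization": EXEC,
    r"root\virtualization\v2": EXEC,
    r"root\CIMV2": BASE,
    "root": EXEC,
    r"root\WMI": EXEC,
    r"root\MSCluster": BASE,
}

def names(mask):
    """Translate an access mask into the right names used in the table."""
    return [name for bit, name in RIGHTS.items() if mask & bit]

def audit(aces):
    """aces: {namespace: (access_mask, ace_flags)} for the account's allow ACE.
    Returns a sorted list of (namespace, problem, detail) tuples."""
    findings = []
    for ns, need in REQUIRED.items():
        mask, flags = aces.get(ns, (0, 0))  # no ACE means no rights at all
        if need & ~mask:
            findings.append((ns, "missing", names(need & ~mask)))
        if mask & ~need:
            findings.append((ns, "excess", names(mask & ~need)))
        if flags & CONTAINER_INHERIT_ACE:
            findings.append((ns, "inherits", ["applies to subnamespaces"]))
    return sorted(findings)

# Constructed sample: ACE values as they could be exported from each namespace.
SAMPLE = {
    r"root\virtualization": (0x23, 0x0),
    r"root\virtualization\v2": (0x23, 0x0),
    r"root\CIMV2": (0x23, 0x0),  # Execute Methods is not in the table for CIMV2
    "root": (0x23, 0x2),         # correct rights, but propagated downward
    r"root\WMI": (0x21, 0x0),    # Execute Methods missing
}                                # root\MSCluster has no ACE for the account

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```
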
Hyper-V cluster polling
For cluster polling, the WMI user needs to be part of a domain group that exists on all clusters and has full cluster rights. You can create a new group or use an existing built-in group.
For more information about enabling account privileges in WMI, see Configuring Distributed Component Object Model and User Account Control.
Detailed permission levels and requirements for Nutanix device monitoring and management
Nutanix provides two types of credentials: API and CVM. API credentials are needed for device monitoring functionality and management actions. CVM credentials are needed for gathering and viewing Hardware Health Data.
API credentials for data visibility in VMAN
An AHV Nutanix cluster managed by Prism Element can have three roles: Viewer, Cluster Administrator, and User Administrator. For more detailed user permissions, Prism Central should be used.
Viewer | Cluster Administrator | User Administrator | |
---|---|---|---|
Environment / Infrastructure statistic data | |||
Chargeback | |||
Storage tab | |||
Hardware Health Data | CVM | CVM | |
Sprawl page limited* | |||
Management Actions - Power on, Power off |
* Management actions from the Sprawl page are not supported by VMAN for Nutanix.
CVM credential requirement for polling Nutanix Hardware Health
For Nutanix Hardware Health monitoring to work properly in VMAN, the user’s CVM credentials must be set so that the user can perform sudo actions without being asked for the password. Out of the box, the only user that matches this requirement is the default nutanix user. If you wish to use a different user, including root, you must set the correct NOPASSWD permission in your /etc/sudoers file as shown below for the nutanix user:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
nutanix ALL=(ALL) NOPASSWD: ALL
ngt ALL=(root) NOPASSWD: /home/scripts/configure_cluster_as_ca
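The check below is an added example, not part of the SolarWinds or Nutanix tooling: it reads sudoers text, lists which accounts hold password-less grants, and tests whether a given CVM user has the `NOPASSWD: ALL` form shown above for nutanix. It is a simplified reader that assumes plain user rules only (no aliases, `%group` entries, includes or last-match ordering); the function names are hypothetical.

```python
import re

# Plain user rule: user host=(runas) [TAG:] cmd[, cmd...]
RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")

def nopasswd_grants(sudoers_text):
    """Map user -> list of (runas, command) that run without a password prompt."""
    grants = {}
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = RULE.match(line)
        if not m:
            continue
        user, _host, runas, cmds = m.groups()
        if user.startswith("%") or user.endswith("_Alias") or user == "Defaults":
            continue                             # outside this simplified reader
        nopasswd = False
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):         # a tag persists along the list
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t[1], nopasswd)
                cmd = cmd[t.end():]
            if nopasswd:
                grants.setdefault(user, []).append((runas or "root", cmd))
    return grants

def meets_cvm_requirement(sudoers_text, user):
    """True if `user` has the NOPASSWD: ALL form the page shows for nutanix."""
    return any(cmd == "ALL" for _, cmd in nopasswd_grants(sudoers_text).get(user, []))

# The sudoers lines shown on this page.
PAGE_SUDOERS = """\
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
nutanix ALL=(ALL) NOPASSWD: ALL
ngt ALL=(root) NOPASSWD: /home/scripts/configure_cluster_as_ca
"""

if __name__ == "__main__":
    for user, entries in nopasswd_grants(PAGE_SUDOERS).items():
        print(user, entries, meets_cvm_requirement(PAGE_SUDOERS, user))
```
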