Manually Create a User Account for the Operations User
When you deploy a VCH, the user account that you specify as the operations user must have the correct privileges to allow the VCH to perform post-deployment operations. vSphere Integrated Containers Engine provides a mechanism to automatically assign the necessary permissions to the operations user account, but you can also choose to create the user account manually in vSphere. To do so, you create roles, assign privileges to those roles, and assign the roles to the user account to use as the operations user.
- For information about how to create vSphere roles, see vSphere Permissions and User Management Tasks in the vSphere documentation.
- For information about how to assign permissions to objects in the vSphere Inventory, see Add a Permission to an Inventory Object in the vSphere documentation.
Prerequisite
Log into the Flex-based vSphere Web Client with a vSphere administrator account. You cannot use the HTML5 vSphere Client to create user accounts.
Procedure
1. In the vSphere Web Client, create a user group, for example VIC Ops Users, and add the appropriate user accounts to the user group.

The best practice when assigning roles in vSphere is to assign the roles to user groups and then to add users to those groups, rather than assigning roles to the users directly.

2. Go to Administration > Roles and create one role for each type of inventory object that VCHs need to access.

It is possible to create a single role, but by creating multiple roles you keep the privileges of the VCH as granular as possible.

Role to Create | Required Permissions
---|---
VCH - vcenter | Datastore > Configure datastore
VCH - datacenter | Datastore > Configure datastore
VCH - datacenter | Datastore > Low level file operations
VCH - datacenter | VirtualMachine > Configuration > Add existing disk
VCH - datacenter | VirtualMachine > Configuration > Add new disk
VCH - datacenter | VirtualMachine > Configuration > Advanced
VCH - datacenter | VirtualMachine > Configuration > Remove disk
VCH - datacenter | VirtualMachine > Inventory > Create new
VCH - datacenter | VirtualMachine > Inventory > Remove
VCH - datastore | Datastore > AllocateSpace
VCH - datastore | Datastore > Browse datastore
VCH - datastore | Datastore > Configure datastore
VCH - datastore | Datastore > Remove file
VCH - datastore | Datastore > Low level file operations
VCH - datastore | Host > Configuration > System management
VCH - network | Network > Assign network
VCH - endpoint | dvPort group > Modify
VCH - endpoint | dvPort group > Policy operation
VCH - endpoint | dvPort group > Scope operation
VCH - endpoint | Global > Enable methods
VCH - endpoint | Global > Disable methods
VCH - endpoint | Resource > Assign virtual machine to resource pool
VCH - endpoint | VirtualMachine > Configuration > Add existing disk
VCH - endpoint | VirtualMachine > Configuration > Add new disk
VCH - endpoint | VirtualMachine > Configuration > Add or remove device
VCH - endpoint | VirtualMachine > Configuration > Advanced
VCH - endpoint | VirtualMachine > Configuration > Modify device settings
VCH - endpoint | VirtualMachine > Configuration > Remove disk
VCH - endpoint | VirtualMachine > Configuration > Rename
VCH - endpoint | VirtualMachine > Guest operations > Guest operation program execution
VCH - endpoint | VirtualMachine > Interaction > Device connection
VCH - endpoint | VirtualMachine > Interaction > Power off
VCH - endpoint | VirtualMachine > Interaction > Power on
VCH - endpoint | VirtualMachine > Inventory > Create new
VCH - endpoint | VirtualMachine > Inventory > Remove
VCH - endpoint | VirtualMachine > Inventory > Register
VCH - endpoint | VirtualMachine > Inventory > Unregister

3. In each of the Hosts and Clusters, Storage, and Networking views, select inventory objects and assign the user group and the appropriate role to each one.
- Right-click an inventory object and select Add Permission.
- Under Users and Groups, select the operations user group that you created.
- Under Assigned Role, assign the appropriate role for each type of inventory object and select the Propagate to children check box where necessary.
The following table lists which roles to assign to which type of inventory object, and whether or not to propagate the role.
Inventory Object | Role to Assign | Propagate?
---|---|---
Top-level vCenter Server instance | VCH - vcenter | No
Datacenters | VCH - datacenter | Yes, if vSphere Distributed Switches are not in network folders. No, if you use network folders. See About vSphere Distributed Switches below.
Clusters. All datastores in the cluster inherit permissions from the cluster. | VCH - datastore | Yes
Standalone VMware vSAN datastores | VCH - datastore | No
Standalone datastores | VCH - datastore | No
Network folders | Read-only | Yes, if used. See About vSphere Distributed Switches below.
Port groups | VCH - network | No
Resource pools for VCHs | VCH - endpoint | Yes
About vSphere Distributed Switches
The operations user account must have the Read-only role on all of the vSphere Distributed Switches that VCHs use. You can assign this role to switches in either of the following ways:
- If you do not place the switches in network folders, enable propagation of the VCH - datacenter role on datacenters.
- If you place the switches in network folders, assign the Read-only role to the network folders and enable propagation. In this case, you must still assign the VCH - datacenter role to datacenters, but you do not need to enable propagation.
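As an added example, not part of this page or of vSphere Integrated Containers, the following Python script encodes the role table and the assignment table above as a least-privilege baseline and audits an exported set of vCenter roles and permissions against it, including the datacenter propagation rule that depends on whether the Distributed Switches live in network folders. It catches the drift that manually created roles tend to accumulate: a privilege added to a role later, or a propagation flag set on the wrong object. The object-type labels, the sample export records and the snapshot privilege used as a deviation are constructed for illustration; obtaining a real export from vCenter (via the vSphere API or PowerCLI) is assumed to happen separately and is not performed here.

```python
# Added example for this page (not vSphere Integrated Containers code): check an
# exported set of vCenter roles and permissions against the least-privilege
# baseline in the tables above and report drift. The baseline is copied from
# those tables; the sample "export" at the bottom is constructed.

VM = "VirtualMachine > "
# Privileges that the VCH - datacenter and VCH - endpoint roles share.
DISK_OPS = {VM + "Configuration > Add existing disk", VM + "Configuration > Add new disk",
            VM + "Configuration > Advanced", VM + "Configuration > Remove disk",
            VM + "Inventory > Create new", VM + "Inventory > Remove"}

# Role name -> privileges, using the display names shown in the vSphere Web Client.
BASELINE_ROLES = {
    "VCH - vcenter": {"Datastore > Configure datastore"},
    "VCH - datacenter": DISK_OPS | {"Datastore > Configure datastore",
                                    "Datastore > Low level file operations"},
    "VCH - datastore": {"Datastore > AllocateSpace", "Datastore > Browse datastore",
                        "Datastore > Configure datastore", "Datastore > Remove file",
                        "Datastore > Low level file operations",
                        "Host > Configuration > System management"},
    "VCH - network": {"Network > Assign network"},
    "VCH - endpoint": DISK_OPS | {
        "dvPort group > Modify", "dvPort group > Policy operation",
        "dvPort group > Scope operation", "Global > Enable methods",
        "Global > Disable methods", "Resource > Assign virtual machine to resource pool",
        VM + "Configuration > Add or remove device", VM + "Configuration > Rename",
        VM + "Configuration > Modify device settings",
        VM + "Guest operations > Guest operation program execution",
        VM + "Interaction > Device connection", VM + "Interaction > Power off",
        VM + "Interaction > Power on", VM + "Inventory > Register",
        VM + "Inventory > Unregister"},
}

def expected_assignments(switches_in_network_folders):
    """Object type (labels chosen here) -> (role, propagate) from the assignment
    table. Only the datacenter row depends on where the Distributed Switches live."""
    return {
        "vcenter": ("VCH - vcenter", False),
        "datacenter": ("VCH - datacenter", not switches_in_network_folders),
        "cluster": ("VCH - datastore", True),
        "vsan_datastore": ("VCH - datastore", False),
        "datastore": ("VCH - datastore", False),
        "network_folder": ("Read-only", True),
        "portgroup": ("VCH - network", False),
        "vch_resource_pool": ("VCH - endpoint", True),
    }

def audit(observed_roles, observed_permissions, switches_in_network_folders,
          group="VIC Ops Users"):
    """Return a list of findings; an empty list means no drift from the baseline.
    observed_roles: {role name: privilege display names}
    observed_permissions: dicts with keys object, type, principal, role, propagate"""
    findings = []
    # Each role must carry exactly the documented privileges: a missing one breaks
    # VCH operations, an extra one widens what the operations user can do.
    for role, want in BASELINE_ROLES.items():
        if role not in observed_roles:
            findings.append(f"role missing: {role}")
            continue
        have = set(observed_roles[role])
        findings += [f"{role}: missing privilege {p}" for p in sorted(want - have)]
        findings += [f"{role}: extra privilege {p}" for p in sorted(have - want)]
    # Each assignment to the ops group must use the documented role and
    # propagation setting for that object type; other principals are ignored.
    expected = expected_assignments(switches_in_network_folders)
    for rec in (p for p in observed_permissions if p["principal"] == group):
        if rec["type"] not in expected:
            findings.append(f"{rec['object']}: assignment on object type not in baseline")
            continue
        role, propagate = expected[rec["type"]]
        if rec["role"] != role:
            findings.append(f"{rec['object']}: role {rec['role']!r}, expected {role!r}")
        if rec["propagate"] != propagate:
            findings.append(f"{rec['object']}: propagate={rec['propagate']}, expected {propagate}")
    return findings

def perm(obj, typ, role, propagate, principal="VIC Ops Users"):
    # One permission record in the shape audit() expects.
    return {"object": obj, "type": typ, "principal": principal,
            "role": role, "propagate": propagate}

# Constructed sample export with two deliberate deviations: an extra privilege on
# VCH - endpoint, and datacenter propagation left enabled although the switches
# are in network folders (so the datacenter role should not propagate).
SAMPLE_ROLES = {r: set(p) for r, p in BASELINE_ROLES.items()}
SAMPLE_ROLES["VCH - endpoint"].add(VM + "Snapshot management > Create snapshot")
SAMPLE_PERMISSIONS = [
    perm("vcenter01", "vcenter", "VCH - vcenter", False),
    perm("dc01", "datacenter", "VCH - datacenter", True),
    perm("dc01/vic-switches", "network_folder", "Read-only", True),
    perm("vic-bridge", "portgroup", "VCH - network", False),
    perm("vch-pool", "vch_resource_pool", "VCH - endpoint", True),
    perm("vcenter01", "vcenter", "Admin", True, principal="Administrators"),
]

if __name__ == "__main__":
    print(*audit(SAMPLE_ROLES, SAMPLE_PERMISSIONS, switches_in_network_folders=True), sep="\n")
```

Run against the constructed export with `switches_in_network_folders=True`, the script reports the extra snapshot privilege on VCH - endpoint and the datacenter permission that still propagates; the same export with the extra privilege removed and the switches kept outside network folders passes cleanly, because the datacenter row then expects propagation. Feeding it a real export is a matter of mapping each vCenter object to one of the type labels used in `expected_assignments`.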
What to Do Next
You can use the user accounts in the user group that you created as operations users for VCHs. When you deploy VCHs, you do not need to select the option to grant all necessary permissions in the Create Virtual Container Host wizard, or specify `--ops-grant-perms` in `vic-machine create` commands.