In the following the permissions which are needed by a vSphere user to run a successful vSphere/ESX scan with RayVentory are described.
Permissions in VMware
The user needs read permissions on the full object tree. In addition to the read permissions, on the host Port 80 / 443 needs to be open for communcation.
The access is controlled by using user / group permissions with the assigned roles.
Permissions:
A permission consists of a user / group and an assigned role for a specific object like a data center / Cluster / Host.
The role:
The roles are a set of access rights and privileges which can be created and assigned to each role. Multiple privileges can be assigned to each role.
The user:
The users and groups are created through the Windows domain, the Active Directory database, or the ESX / ESXi host. The users are part of the assigning privileges process.
The user will be regularly verified against the domain. This causes a denying or a deletion of all permissions if the username is changed or deleted. If a new user with the same name is created before the verification, the new user will get all the rights of the old user.
Needed Permissions
For a vSphere / ESX scan the system role 'Read only' that grants the following permissions is required:
- The permission to view the state and details of the object.
- The permission to view all the tab panels in the vSphere Client except the Console tab.
- It cannot perform any actions through the menus and toolbars.
- This role is available on the ESX / ESXi and the vCenter Server.
The permissions can be applied by adding the user in the related resource pool or folder.
Reading the license key
If the full license key should be read out, the user need additional rights. For additional rights, the role 'Read only' can be cloned and edited afterwards. Be aware, that the cloned role will not be applied to the the same users / groups and objects.
The additional right to read the key must be selected under Roles -> Global -> Licenses.
Setting the Permissions
The easiest way to set the required permissions is to set the 'Read only' right for the user in the root folder. When the permissions are applied, it is possible to choose if the permissions propagate down the object.
Executed Queries
RayVentory is using the base version 2.00 vSphere SOAP API for the most part, with an additional call per host and cluster to a later API method RetrievePorepertiesEx to retrieve specific additional properties which are not available from the 2.0 API.
These are the Queries which are collecting the data after logon:
Number | Description | Query | Query Target |
1. | A single call to retrieve the ServiceInstance to enable further queries. | GetServiceContent | |
2. | A single call, starting from the root folder and returning all HostSystem, Datacenter, Folder, ComputeResource, and ClusterComputeResource objects (with 2-5 associated property values each) via recursive traversal specifications. | RetrieveProperties |
ComputeResource.host ClusterComputeResource.host Datacenter.hostFolder Datacenter.vmFolder Folder.childEntity |
3. | For each HostSystem returned, an additional RetrieveProperties call, starting from the respective HostSystem object and returning all related VirtualMachine and ResourcePool objects (with 4 associated property values each) via recursive traversal specifications. |
HostSystem.parent ComputeResource.resourcePool ResourcePool.resourcePool ResourcePool.vm |
Comments