I’ve had a few customers ask me what the minimum vCenter permissions are to register a VVol VASA provider. The use case is: I want my storage admin to be able to do it, but I don’t want them to be able to do anything else.
While this can be done in a very slick way with vRealize Automation (more on that in a later post), this can be done with standard vCenter permissions too.
The first step is to create a new role with just the permissions you need. In the vSphere Web Client (I am using the HTML5 version, but the steps for the Flash one are essentially the same), click on Administration and then Roles.
Then click to add a new role. The only two permissions that are needed are under Storage views.
Both permissions, View and Configure service, are needed. The process will fail otherwise.
Finish creating the role.
Once the role is created, you can assign it to your user. Take the user you want to have this ability and grant them the role at the vCenter level. You DO NOT need to grant the permission to child objects (propagate to children). They only need it at the vCenter level and that’s it.
So go to Host and Clusters and click on your vCenter and then the Permissions tab.
Then choose your user and then the role you created.
The role is now assigned at the vCenter level and nowhere else.
Now the storage admin can log in and only register the provider:
Then add the info:
Now, I will note that they will be able to see the other providers and also remove them. I do not see a way to prevent that in vCenter. That is a use case for vRA and XaaS, though.
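The same role and permission steps can be scripted with PowerCLI and then audited. This is an added example, not part of the original post. The server, role and account names are placeholders, and the two privilege IDs are the API identifiers for Storage views > View and Storage views > Configure service.

```powershell
# Added example: placeholder values, replace with your own.
$vcServer  = 'vcenter.example.local'        # placeholder vCenter FQDN
$roleName  = 'VASA-Provider-Registration'   # placeholder role name
$principal = 'EXAMPLE\storage-admin'        # placeholder storage admin account

Connect-VIServer -Server $vcServer | Out-Null

# The only two privileges the role needs (both under "Storage views").
$privIds = 'StorageViews.View', 'StorageViews.ConfigureService'
$privs   = Get-VIPrivilege -Id $privIds
if (@($privs).Count -ne $privIds.Count) {
    throw 'One or both Storage views privileges were not found on this vCenter.'
}

# Create the role with just those privileges.
New-VIRole -Name $roleName -Privilege $privs | Out-Null

# The root folder is the vCenter-level object. Assign the role there
# WITHOUT propagation, so nothing below the vCenter inherits it.
$root = Get-Folder -NoRecursion
New-VIPermission -Entity $root -Principal $principal `
    -Role (Get-VIRole -Name $roleName) -Propagate:$false | Out-Null

# Audit 1: the role holds nothing beyond the two privileges.
# vCenter adds the built-in System.* privileges to every role, so ignore those.
$extra = (Get-VIRole -Name $roleName).PrivilegeList |
    Where-Object { $_ -notin $privIds -and $_ -notlike 'System.*' }
if ($extra) { Write-Warning "Unexpected privileges in role: $($extra -join ', ')" }

# Audit 2: list every permission granted directly to the account.
# Expect a single row: the root folder, the new role, Propagate = False.
$perms = @(Get-VIPermission -Principal $principal)
$perms | Select-Object Entity, Role, Propagate | Format-Table -AutoSize
if ($perms.Count -ne 1 -or $perms[0].Propagate) {
    Write-Warning "$principal has more access than the single non-propagating grant."
}
```

The second audit only covers permissions granted directly to the account; access the user gets through group membership has to be checked against those groups separately.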