Required Permissions

The VMware vSphere user account that deploys host clusters or private cloud gateways requires all the vSphere privileges listed in the following sections for specific vSphere objects.

Spectro Root Role Privileges

A Spectro root role must be created that contains each privilege in the following table.

Select the tab for the vSphere version you are using to view the required privileges.

Info: The System.* privileges are added to all custom vSphere roles by default.

| Category | Privileges |
| --- | --- |
| CNS | Searchable |
| Datastore | Browse datastore |
| Host | Configuration: Storage partition configuration |
| Network | Assign network |
| Sessions | Validate session |
| Storage Views | View |
| System | Anonymous, Read, View |
| VM Storage Policies | View VM storage policies |
| vSphere Tagging | Create vSphere Tag, Edit vSphere Tag |

Raw API permissions:
  • Cns.Searchable
  • Datastore.Browse
  • Host.Config.Storage
  • InventoryService.Tagging.CreateTag
  • InventoryService.Tagging.EditTag
  • Network.Assign
  • Sessions.ValidateSession
  • StorageProfile.View
  • StorageViews.View
  • System.Anonymous
  • System.Read
  • System.View

Spectro Root Role Assignments

The privileges associated with the Spectro root role must be granted via role assignments on specific vSphere objects for either the user or a group containing the user. Review the required role assignments to ensure that your user has all required privileges on all required objects.

Info: Propagation refers to the inheritance of permissions from a parent vSphere object to a child object. If a permission is propagated to a child object, the child object inherits the permission from the parent object.

| vSphere Object | Propagation | Role | Condition |
| --- | --- | --- | --- |
| vCenter Root | No | Spectro root role | |
| Target Datacenter | No | Spectro root role | |
| Target Cluster | No | Spectro root role | |
| Distributed Switch | No | Spectro root role | If the Target Network is a Distributed Port Group |

Spectro Role Privileges

A Spectro role must be created that contains each privilege in the following table.

Select the tab for the vSphere version you are using to view the required privileges.

| Category | Privileges |
| --- | --- |
| CNS | Searchable |
| Datastore | Allocate space, Browse datastore, Low level file operations, Remove file, Update virtual machine files, Update virtual machine metadata |
| Folder | Create folder, Delete folder, Move folder, Rename folder |
| Host Local Operations | Reconfigure virtual machine |
| Network | Assign network |
| Resource | Apply recommendation, Assign virtual machine to resource pool, Migrate powered off virtual machine, Migrate powered on virtual machine, Query vMotion |
| Sessions | Validate session |
| Storage Views | View |
| System | Anonymous, Read, View |
| Tasks | Create task, Update task |
| vApp | Import, View OVF environment, vApp application configuration, vApp instance configuration |
| VM Storage Policies | View VM storage policies |
| vSAN | Cluster: ShallowRekey |
| vSphere Tagging | Assign or Unassign vSphere Tag, Create vSphere Tag, Delete vSphere Tag, Edit vSphere Tag |

The following table lists Spectro role privileges for VMs by category. All privileges are for the vSphere object, Virtual Machines.

| Category | Privileges |
| --- | --- |
| Change Configuration | Acquire disk lease, Add existing disk, Add new disk, Add or remove device, Advanced configuration, Change CPU count, Change memory, Change settings, Change swapfile placement, Change resource, Configure host USB device, Configure raw device, Configure managedBy, Display connection settings, Extend virtual disk, Modify device settings, Query fault tolerance compatibility, Query unowned files, Reload from path, Remove disk, Rename, Reset guest information, Set annotation, Toggle disk change tracking, Toggle fork parent, Upgrade virtual machine compatibility |
| Edit Inventory | Create from existing, Create new, Move, Register, Remove, Unregister |
| Guest Operations | Guest operation alias modification, Guest operation alias query, Guest operation modifications, Guest operation program execution, Guest operation queries |
| Interaction | Console interaction, Power on, Power off |
| Provisioning | Allow disk access, Allow file access, Allow read-only disk access, Allow virtual machine download, Allow virtual machine files upload, Clone template, Clone virtual machine, Create template from virtual machine, Customize guest, Deploy template, Mark as template, Mark as virtual machine, Modify customization specification, Promote disks, Read customization specifications |
| Service Configuration | Allow notifications, Allow polling of global event notifications, Manage service configurations, Modify service configuration, Query service configurations, Read service configuration |
| Snapshot Management | Create snapshot, Remove snapshot, Rename snapshot, Revert to snapshot |
| vSphere Replication | Configure replication, Manage replication, Monitor replication |

Raw API permissions:
  • Cns.Searchable
  • Datastore.AllocateSpace
  • Datastore.Browse
  • Datastore.DeleteFile
  • Datastore.FileManagement
  • Datastore.UpdateVirtualMachineFiles
  • Datastore.UpdateVirtualMachineMetadata
  • Folder.Create
  • Folder.Delete
  • Folder.Move
  • Folder.Rename
  • Host.Local.ReconfigVM
  • InventoryService.Tagging.AttachTag
  • InventoryService.Tagging.CreateTag
  • InventoryService.Tagging.DeleteTag
  • InventoryService.Tagging.EditTag
  • Network.Assign
  • Resource.ApplyRecommendation
  • Resource.AssignVMToPool
  • Resource.ColdMigrate
  • Resource.HotMigrate
  • Resource.QueryVMotion
  • Sessions.ValidateSession
  • StorageProfile.View
  • StorageViews.View
  • System.Anonymous
  • System.Read
  • System.View
  • Task.Create
  • Task.Update
  • VApp.ApplicationConfig
  • VApp.ExtractOvfEnvironment
  • VApp.Import
  • VApp.InstanceConfig
  • VirtualMachine.Config.AddExistingDisk
  • VirtualMachine.Config.AddNewDisk
  • VirtualMachine.Config.AddRemoveDevice
  • VirtualMachine.Config.AdvancedConfig
  • VirtualMachine.Config.Annotation
  • VirtualMachine.Config.CPUCount
  • VirtualMachine.Config.ChangeTracking
  • VirtualMachine.Config.DiskExtend
  • VirtualMachine.Config.DiskLease
  • VirtualMachine.Config.EditDevice
  • VirtualMachine.Config.HostUSBDevice
  • VirtualMachine.Config.ManagedBy
  • VirtualMachine.Config.Memory
  • VirtualMachine.Config.MksControl
  • VirtualMachine.Config.QueryFTCompatibility
  • VirtualMachine.Config.QueryUnownedFiles
  • VirtualMachine.Config.RawDevice
  • VirtualMachine.Config.ReloadFromPath
  • VirtualMachine.Config.RemoveDisk
  • VirtualMachine.Config.Rename
  • VirtualMachine.Config.ResetGuestInfo
  • VirtualMachine.Config.Resource
  • VirtualMachine.Config.Settings
  • VirtualMachine.Config.SwapPlacement
  • VirtualMachine.Config.ToggleForkParent
  • VirtualMachine.Config.UpgradeVirtualHardware
  • VirtualMachine.GuestOperations.Execute
  • VirtualMachine.GuestOperations.Modify
  • VirtualMachine.GuestOperations.ModifyAliases
  • VirtualMachine.GuestOperations.Query
  • VirtualMachine.GuestOperations.QueryAliases
  • VirtualMachine.Hbr.ConfigureReplication
  • VirtualMachine.Hbr.MonitorReplication
  • VirtualMachine.Hbr.ReplicaManagement
  • VirtualMachine.Interact.ConsoleInteract
  • VirtualMachine.Interact.PowerOff
  • VirtualMachine.Interact.PowerOn
  • VirtualMachine.Inventory.Create
  • VirtualMachine.Inventory.CreateFromExisting
  • VirtualMachine.Inventory.Delete
  • VirtualMachine.Inventory.Move
  • VirtualMachine.Inventory.Register
  • VirtualMachine.Inventory.Unregister
  • VirtualMachine.Namespace.Event
  • VirtualMachine.Namespace.EventNotify
  • VirtualMachine.Namespace.Management
  • VirtualMachine.Namespace.ModifyContent
  • VirtualMachine.Namespace.Query
  • VirtualMachine.Namespace.ReadContent
  • VirtualMachine.Provisioning.Clone
  • VirtualMachine.Provisioning.CloneTemplate
  • VirtualMachine.Provisioning.CreateTemplateFromVM
  • VirtualMachine.Provisioning.Customize
  • VirtualMachine.Provisioning.DeployTemplate
  • VirtualMachine.Provisioning.DiskRandomAccess
  • VirtualMachine.Provisioning.DiskRandomRead
  • VirtualMachine.Provisioning.FileRandomAccess
  • VirtualMachine.Provisioning.GetVmFiles
  • VirtualMachine.Provisioning.MarkAsTemplate
  • VirtualMachine.Provisioning.MarkAsVM
  • VirtualMachine.Provisioning.ModifyCustSpecs
  • VirtualMachine.Provisioning.PromoteDisks
  • VirtualMachine.Provisioning.PutVmFiles
  • VirtualMachine.Provisioning.ReadCustSpecs
  • VirtualMachine.State.CreateSnapshot
  • VirtualMachine.State.RemoveSnapshot
  • VirtualMachine.State.RenameSnapshot
  • VirtualMachine.State.RevertToSnapshot
  • Vsan.Cluster.ShallowRekey

Info: The System.* privileges are added to all custom vSphere roles by default.

Spectro Role Assignments

The privileges associated with the Spectro role must be granted via role assignments on specific vSphere objects for either the user or a group containing the user. Review the required role assignments to ensure that your user has all required privileges on all required objects.

| vSphere Object | Propagation | Role | Condition |
| --- | --- | --- | --- |
| Target Network | Yes | Spectro role | |
| Target Cluster | No | Spectro role | Required if using a cluster's default Resources resource pool. |
| Target Resource Pool | Yes | Spectro role | Required if using a non-default resource pool. |
| All ESXi hosts within the Target Cluster | No | Spectro role | |
| Target Datastore | Yes | Spectro role | |
| spectro-templates Folder | Yes | Spectro role | Must be manually created in advance, assigned permissions, and populated with Spectro Cloud VM Templates. |
| Target VM Folder | Yes | Spectro role | For air-gapped installs, it must be manually created in advance and permissions assigned. For connected installs it is created automatically. |
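
The two role-assignment tables can be checked mechanically once a principal's assignments are exported. The following is an added example, not code from this page or from the Spectro Cloud project: it compares (object, role, propagate) tuples with the required matrix and reports missing assignments, wrong propagation flags, and assignments the tables do not call for. The condition keys and the `SAMPLE` data are constructed for illustration, and mapping real inventory objects to the row labels is left to the reader.

```python
# Added example: audit one principal's role assignments against this page's tables.
# Row labels come from the page; condition keys and SAMPLE are constructed.
REQUIRED = {  # (vSphere object, role) -> must the assignment propagate?
    ("vCenter Root", "Spectro root role"): False,
    ("Target Datacenter", "Spectro root role"): False,
    ("Target Cluster", "Spectro root role"): False,
    ("Target Network", "Spectro role"): True,
    ("All ESXi hosts within the Target Cluster", "Spectro role"): False,
    ("Target Datastore", "Spectro role"): True,
    ("spectro-templates Folder", "Spectro role"): True,
    ("Target VM Folder", "Spectro role"): True,
}
CONDITIONAL = {  # rows that apply only under the condition stated in the table
    "distributed_port_group": {("Distributed Switch", "Spectro root role"): False},
    "default_resource_pool": {("Target Cluster", "Spectro role"): False},
    "non_default_resource_pool": {("Target Resource Pool", "Spectro role"): True},
}

def audit(assignments, conditions=()):
    """Compare (object, role, propagate) tuples with the required matrix."""
    expected = dict(REQUIRED)
    for name in conditions:
        expected.update(CONDITIONAL[name])
    seen = {(obj, role): prop for obj, role, prop in assignments}
    findings = []
    for key, want in expected.items():
        if key not in seen:
            findings.append(("MISSING", *key))
        elif seen[key] != want:
            # Propagating where the table says "No" widens the grant to child objects.
            findings.append(("OVER_PROPAGATED" if seen[key] else "NOT_PROPAGATED", *key))
    findings += [("NOT_REQUIRED", *key) for key in seen.keys() - expected.keys()]
    return sorted(findings)

SAMPLE = [  # constructed export for a deployment using a non-default resource pool
    ("vCenter Root", "Spectro root role", True),    # propagates to the whole inventory
    ("Target Datacenter", "Spectro root role", False),
    ("Target Cluster", "Spectro root role", False),
    ("Target Network", "Spectro role", True),
    ("All ESXi hosts within the Target Cluster", "Spectro role", False),
    ("Target Datastore", "Spectro role", False),    # child objects will not inherit
    ("spectro-templates Folder", "Spectro role", True),
    ("Target VM Folder", "Spectro role", True),
    ("Target Cluster", "Spectro role", False),      # only needed with the default pool
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, conditions=("non_default_resource_pool",)):
        print(*finding, sep=" | ")
```
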