Minimum root Permissions for VM Automatic Start up

A question that comes up on VMware’s forums occasionally is about the ESXi root account and the possibility of deleting the account. The account should not be deleted, but it is possible to remove the account from the Administrator role that it is granted at the host level. That prevents the root account from being used to make a connection with the vSphere client or other vSphere API methods. With the administrator role revoked, the root account can still login at the DCUI.

If the Administrator role is removed from the root account, this prevents virtual machines from starting that have been configured to start with automatically in Configuration > Virtual Machine Startup/Shutdown. To enable automatic start, create a new role with the following two permissions:

 Host > Configuration > Virtual machine autostart configuration
 Virtual Machine > Interaction > Power On

The root account should be assigned this new role at the host level.

When I was trying to determine the required permissions for this, I started with a role that just had the Power On permission. I used vim-cmd in Tech Support Mode to test the role as shown in the following output. With just the Power On permission the command failed with the error shown.

~ # vim-cmd hostsvc/autostartmanager/autostart
 (vim.fault.NoPermission) {
 dynamicType = ,
 faultCause = (vmodl.MethodFault) null,
 object = 'vim.host.AutoStartManager:ha-autostart-mgr',
 privilegeId = "Host.Config.AutoStart",
 msg = "Permission to perform this operation was denied.",
 }
 ~ # Host.Config.AutoStart

To determine which permission corresponded with the privilegeId of Host.Config.AutoStart I ran the following PowerCLI cmd-let on the Administrator role (which I assume is granted all privileges on a stand alone host. The output of that command is shown below.

Get-VIPrivilege -Role “Admin”

DescriptionId
The only privilege held by sessions which have not logged inSystem.Anonymous
Visibility without read access to an entity. This is assigned implicitly by the system, if read privileges are assigned at lower levels in the inventorySystem.View
Grants read access to an entitySystem.Read
Add, remove, and rename custom attribute definitionsGlobal.ManageCustomFields
Set the value of a custom attribute on an objectGlobal.SetCustomField
Log a user-defined event on an objectGlobal.LogEvent
Cancel a running taskGlobal.CancelTask
Manage licensesGlobal.Licenses
Export diagnostic dataGlobal.Diagnostics
Edit global settingsGlobal.Settings
Act as the vCenter ServerGlobal.VCServer
Discover and convert physical host to virtual machineGlobal.CapacityPlanning
Schedule an external script actionGlobal.ScriptAction
Add or remove endpoints to or from the proxyGlobal.Proxy
Operations are disabled in vCenterGlobal.DisableMethods
Operations are enabled in vCenterGlobal.EnableMethods
Access the directory serviceGlobal.ServiceManagers
Access the health of vCenter groupGlobal.Health
Add or remove system tagGlobal.SystemTag
Add or remove global tagGlobal.GlobalTag
Create folderFolder.Create
Delete folderFolder.Delete
Rename folderFolder.Rename
Move folderFolder.Move
Create a datacenterDatacenter.Create
Remove a datacenterDatacenter.Delete
Rename a datacenterDatacenter.Rename
Move a datacenterDatacenter.Move
Configure IP pool on a datacenterDatacenter.IpPoolConfig
Rename a datastoreDatastore.Rename
Move a datastoreDatastore.Move
Remove a datastore from the datacenterDatastore.Delete
Browse a datastoreDatastore.Browse
Remove a file from a datastoreDatastore.DeleteFile
Perform low level file operations on a datastoreDatastore.FileManagement
Allocate space on a datastoreDatastore.AllocateSpace
Configure a datastoreDatastore.Config
Update virtual machine files on a datastoreDatastore.UpdateVirtualMachineFiles
Move a networkNetwork.Move
Remove a networkNetwork.Delete
Configure a networkNetwork.Config
Assign network to virtual machine, host service console, VMkernel virtual NIC or physical NICNetwork.Assign
Create a vNetwork Distributed SwitchDVSwitch.Create
Change the configuration of a vNetwork Distributed SwitchDVSwitch.Modify
Change the host member of a vNetwork Distributed SwitchDVSwitch.HostOp
Change the policy of a vNetwork Distributed SwitchDVSwitch.PolicyOp
Change the configuration of a port in a vNetwork Distributed SwitchDVSwitch.PortConfig
Change the setting of a port in a vNetwork Distributed SwitchDVSwitch.PortSetting
Delete a vNetwork Distributed SwitchDVSwitch.Delete
Move a vNetwork Distributed Switch into another folderDVSwitch.Move
Change the VSPAN configuration of a vNetwork Distributed SwitchDVSwitch.Vspan
Add or update network I/O control resource poolsDVSwitch.ResourceManagement
Create a dvPort groupDVPortgroup.Create
Modify the configuration of a dvPort groupDVPortgroup.Modify
Set the policy of a dvPort groupDVPortgroup.PolicyOp
Set the scope of a dvPort groupDVPortgroup.ScopeOp
Delete a dvPort groupDVPortgroup.Delete
Add a standalone hostHost.Inventory.AddStandaloneHost
Create a cluster along with its initial specificationHost.Inventory.CreateCluster
Add a host to a clusterHost.Inventory.AddHostToCluster
Remove a hostHost.Inventory.RemoveHostFromCluster
Move a cluster or standalone hostHost.Inventory.MoveCluster
Rename clusterHost.Inventory.RenameCluster
Remove a cluster or standalone hostHost.Inventory.DeleteCluster
Modify a cluster’s specificationHost.Inventory.EditCluster
Move a host between clustersHost.Inventory.MoveHost
Configure authentication storesHost.Config.AuthenticationStore
Remote file management and CIM read/write accessHost.Config.SystemManagement
Connect or disconnect a hostHost.Config.Connection
Enable and disable maintenance modeHost.Config.Maintenance
Virtual machine autostart configurationHost.Config.AutoStart
Enable/disable hyperthreadingHost.Config.HyperThreading
Storage, host datastore, and diagnostic partition configurationHost.Config.Storage
Configure internet services and firewallHost.Config.NetService
Service console memory reservationHost.Config.Memory
Network configurationHost.Config.Network
Modify advanced settings for the hostHost.Config.AdvancedConfig
Modify system resource settingsHost.Config.Resources
Modify SNMP settingsHost.Config.Snmp
Change date and time settings for the hostHost.Config.DateTime
Change PciPassthru settings for the hostHost.Config.PciPassthru
Change host settingsHost.Config.Settings
Query host patchesHost.Config.Patch
Firmware system operationsHost.Config.Firmware
Power system operationsHost.Config.Power
Bring the host under vCenter managementHost.Local.InstallAgent
User account managementHost.Local.ManageUserGroups
Create a virtual machine without registering itHost.Local.CreateVM
Reconfigure a virtual machineHost.Local.ReconfigVM
Delete an unregistered virtual machineHost.Local.DeleteVM
Establish a remote connection to a CIM interfaceHost.Cim.CimInteraction
Create a new virtual machine or templateVirtualMachine.Inventory.Create
Create a virtual machine based on an existing virtual machine or templateVirtualMachine.Inventory.CreateFromExisting
Add an existing virtual machine to the inventoryVirtualMachine.Inventory.Register
Remove a virtual machineVirtualMachine.Inventory.Delete
Unregister a virtual machineVirtualMachine.Inventory.Unregister
Move a virtual machineVirtualMachine.Inventory.Move
Power On or resume a virtual machineVirtualMachine.Interact.PowerOn
Power Off a virtual machineVirtualMachine.Interact.PowerOff
Suspend a virtual machineVirtualMachine.Interact.Suspend
Reset (power cycle) a virtual machineVirtualMachine.Interact.Reset
Answer a virtual machine run-time questionVirtualMachine.Interact.AnswerQuestion
Interact with the virtual machine consoleVirtualMachine.Interact.ConsoleInteract
Connect/disconnect media and network devicesVirtualMachine.Interact.DeviceConnection
Configure a different media for virtual CD-ROMsVirtualMachine.Interact.SetCDMedia
Configure a different media for virtual floppiesVirtualMachine.Interact.SetFloppyMedia
Install VMware Tools (or mount/unmount the tools installer image)VirtualMachine.Interact.ToolsInstall
Acquire a ticket to connect to a virtual machine guest control service remotelyVirtualMachine.Interact.GuestControl
Defragment all disks on the virtual machineVirtualMachine.Interact.DefragmentAllDisks
Turn On Fault Tolerance for this virtual machineVirtualMachine.Interact.CreateSecondary
Turn Off Fault Tolerance for this virtual machineVirtualMachine.Interact.TurnOffFaultTolerance
Make the Secondary VM the Primary VMVirtualMachine.Interact.MakePrimary
Terminate the Secondary VMVirtualMachine.Interact.TerminateFaultTolerantVM
Disable the Secondary VMVirtualMachine.Interact.DisableSecondary
Enable the Secondary VMVirtualMachine.Interact.EnableSecondary
Record session on a virtual machineVirtualMachine.Interact.Record
Replay session on a virtual machineVirtualMachine.Interact.Replay
Backup operations on a virtual machineVirtualMachine.Interact.Backup
Create a screenshotVirtualMachine.Interact.CreateScreenshot
Rename a virtual machineVirtualMachine.Config.Rename
Browse for and attach an existing virtual diskVirtualMachine.Config.AddExistingDisk
Create and attach a new virtual diskVirtualMachine.Config.AddNewDisk
Detach and optionally remove a virtual diskVirtualMachine.Config.RemoveDisk
Virtual machine raw device configurationVirtualMachine.Config.RawDevice
Add, remove or edit a virtual USB device backed by a host USB deviceVirtualMachine.Config.HostUSBDevice
Change the number of virtual CPUsVirtualMachine.Config.CPUCount
Set the amount of virtual machine memoryVirtualMachine.Config.Memory
Add or remove virtual devicesVirtualMachine.Config.AddRemoveDevice
Modify virtual device settingsVirtualMachine.Config.EditDevice
Change virtual machine settingsVirtualMachine.Config.Settings
Change virtual machine resource allocationsVirtualMachine.Config.Resource
Upgrade virtual hardwareVirtualMachine.Config.UpgradeVirtualHardware
Reset guest information variablesVirtualMachine.Config.ResetGuestInfo
Make advanced configuration changesVirtualMachine.Config.AdvancedConfig
Lease disks for disk managerVirtualMachine.Config.DiskLease
Set the placement policy for a single virtual machine’s swapfileVirtualMachine.Config.SwapPlacement
Extend virtual diskVirtualMachine.Config.DiskExtend
Enable or disable change tracking for the virtual machine’s disksVirtualMachine.Config.ChangeTracking
Unlock an encrypted virtual machineVirtualMachine.Config.Unlock
Query unowned filesVirtualMachine.Config.QueryUnownedFiles
Reload Virtual Machine from new configuration pathVirtualMachine.Config.ReloadFromPath
Check if a virtual machine is compatible for Fault ToleranceVirtualMachine.Config.QueryFTCompatibility
Create a snapshotVirtualMachine.State.CreateSnapshot
Make a snapshot currentVirtualMachine.State.RevertToSnapshot
Remove a snapshotVirtualMachine.State.RemoveSnapshot
Rename a snapshotVirtualMachine.State.RenameSnapshot
Customize a virtual machine’s guest operating systemVirtualMachine.Provisioning.Customize
Clone a virtual machineVirtualMachine.Provisioning.Clone
Promote a virtual machine’s disksVirtualMachine.Provisioning.PromoteDisks
Create a template from a virtual machineVirtualMachine.Provisioning.CreateTemplateFromVM
Deploy a virtual machine from a templateVirtualMachine.Provisioning.DeployTemplate
Clone a templateVirtualMachine.Provisioning.CloneTemplate
Mark a virtual machine as a templateVirtualMachine.Provisioning.MarkAsTemplate
Mark a template as a virtual machineVirtualMachine.Provisioning.MarkAsVM
Read customization specificationsVirtualMachine.Provisioning.ReadCustSpecs
Create, edit or delete customization specificationsVirtualMachine.Provisioning.ModifyCustSpecs
Allow random access to disk files through a separate NFC connectionVirtualMachine.Provisioning.DiskRandomAccess
Allow read-only random access to disk files through a separate NFC connectionVirtualMachine.Provisioning.DiskRandomRead
Allow download of virtual machines (used by provisioning operations)VirtualMachine.Provisioning.GetVmFiles
Allow upload of virtual machine (used by provisioning operations)VirtualMachine.Provisioning.PutVmFiles
Query virtual rights management policyVRMPolicy.Query
Update virtual rights management policyVRMPolicy.Update
Assign a virtual machine to a resource poolResource.AssignVMToPool
Assign a vApp to a resource poolResource.AssignVAppToPool
Apply a DRS vMotion recommendationResource.ApplyRecommendation
Create a resource poolResource.CreatePool
Rename a resource poolResource.RenamePool
Modify a resource poolResource.EditPool
Move a resource poolResource.MovePool
Remove a resource poolResource.DeletePool
Migrate a powered on virtual machineResource.HotMigrate
Relocate a powered off virtual machineResource.ColdMigrate
Query vMotion compatibility of a set of hostsResource.QueryVMotion
Create an alarmAlarm.Create
Remove an alarmAlarm.Delete
Modify an alarmAlarm.Edit
Acknowledge an alarmAlarm.Acknowledge
Set status for an alarmAlarm.SetStatus
Disable actions for an alarmAlarm.DisableActions
Create a taskTask.Create
Update a taskTask.Update
Create a scheduled taskScheduledTask.Create
Remove a scheduled taskScheduledTask.Delete
Run a scheduled task immediatelyScheduledTask.Run
Edit a scheduled taskScheduledTask.Edit
Monitor who is logged in and stop sessionsSessions.TerminateSession
Verify session validitySessions.ValidateSession
Modify the message (seen by all users when logging in)Sessions.GlobalMessage
Impersonate usersSessions.ImpersonateUser
Modify historical intervalsPerformance.ModifyIntervals
Modify a role’s name or privilegesAuthorization.ModifyRoles
Reassign the permissions of one role to anotherAuthorization.ReassignRolePermissions
Modify a permission’s role or propagationAuthorization.ModifyPermissions
Register extensionsExtension.Register
Update extensionsExtension.Update
Unregister extensionsExtension.Unregister
Edit vApp resource configurationVApp.ResourceConfig
Edit vApp instance configuration, such as policies and property valuesVApp.InstanceConfig
Edit vApp application configuration, such as product infoVApp.ApplicationConfig
Export vAppVApp.Export
Import vAppVApp.Import
View the OVF environment for a virtual machineVApp.ExtractOvfEnvironment
Add a virtual machine to the vAppVApp.AssignVM
Assign resource pool to vAppVApp.AssignResourcePool
Assign a vApp to another vAppVApp.AssignVApp
Clone a vAppVApp.Clone
Create a new vAppVApp.Create
Delete a vAppVApp.Delete
Unregister a vAppVApp.Unregister
Move a vAppVApp.Move
Power On a vAppVApp.PowerOn
Power Off a vAppVApp.PowerOff
Suspend a vAppVApp.Suspend
Rename a vAppVApp.Rename
Create a host profileProfile.Create
Delete a host profileProfile.Delete
Edit a host profileProfile.Edit
View a host profileProfile.View
Clear host profile related informationProfile.Clear
Export a host profileProfile.Export

Leave a Comment

Your email address will not be published.