Read-Only user in VMware for ManageIQ



I want to create a service role for ManageIQ on the VMware Cluster.
I need the role to be a read-only one because we will start to use ManageIQ as a Monitoring and Reporting Platform for our VMware Infrastructure.
How should I change the permissions detailed in this thread -> Adding VMware vCenter infra provider to get a role that can do the following:

  • Collect all the possible Metrics (C&U)
  • See all the items on the VMware Infra and correlate the metrics with them.
  • Be able to do forecast of use
  • The role has to be unable to change, start or stop anything on the VMware platform.

Can you help me adapt that list of permissions?



@pablohalamaj it hasn’t been tried but if you don’t need to do operations (e.g. provision a vm, start/stop a vm, retire a vm, etc…) you might be able to get away without things like “Cancel Task”, “Log Event”, “Set custom attribute”, and read-only for everything else.

I would recommend doing it systematically and confirming that the operations you care about still work. If you are able to narrow down the minimal read-only list for something like metrics collection, I would love to get that into the docs. Unfortunately, we don’t have anything in place to check that we have the required permissions before performing an action or enabling a role, so if someone tried to provision a VM it would fail with probably an ugly error message.


And for the record, this is the “official” list of permissions. We technically require an administrative user for the main EMS credentials, but the list of host permissions is a pretty good place to start if you want to try to pare that down.
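
One way to do the systematic narrowing suggested in the reply, shown as an added example that is not part of the thread or of ManageIQ: remove one privilege at a time and keep the removal only if the operations you care about still pass. The privilege labels, `simulated_check` and `REQUIRED_SIMULATED` are constructed stand-ins; a real check would update the vCenter role and then confirm that an inventory refresh and a C&U capture still succeed.

```python
from typing import Callable, Iterable, List, Tuple

# Constructed sample data. The three quoted names come from the reply above and
# "Read-only" stands for the base read access. Which of them monitoring really
# needs is untested, so REQUIRED_SIMULATED is an assumption made for the demo.
CANDIDATES = ["Read-only", "Cancel Task", "Log Event", "Set custom attribute"]
REQUIRED_SIMULATED = {"Read-only"}


def simulated_check(privileges: frozenset) -> bool:
    """Stand-in oracle (hypothetical). A real one would apply the privileges to
    the vCenter role, run a refresh and a metrics capture, and report success."""
    return REQUIRED_SIMULATED <= privileges


def minimize_privileges(
    candidates: Iterable[str], still_works: Callable[[frozenset], bool]
) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Drop privileges one at a time, keeping a removal only when the check
    still passes. Returns (kept, log) where log records every trial."""
    kept = list(dict.fromkeys(candidates))  # de-duplicate, keep order
    if not still_works(frozenset(kept)):
        raise ValueError("starting role already fails the check")
    log: List[Tuple[str, str]] = []
    changed = True
    while changed:  # repeat until a full pass removes nothing
        changed = False
        for priv in list(kept):
            trial = [p for p in kept if p != priv]
            ok = still_works(frozenset(trial))
            log.append((priv, "removed" if ok else "needed"))
            if ok:
                kept, changed = trial, True
    return kept, log


if __name__ == "__main__":
    kept, log = minimize_privileges(CANDIDATES, simulated_check)
    for priv, verdict in log:
        print(f"{priv:24} {verdict}")
    print("minimal role:", kept)
```

The log doubles as the evidence trail for each privilege kept or dropped, which is what a documentation update would need.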