VMware vSphere provider privileges

Continuing the discussion from OpenStack provider privileges:

Forking the topic regarding OpenStack privileges. @rpo says that ManageIQ requires admin privileges and visibility of the whole infrastructure. Why is that? Let me explain…

Many customers are asking me how to limit visibility of their infrastructure to a subset of data-centers/clusters/hosts/datastores. They have only one vSphere environment managing both dev/test/prod and would like to start managing only the dev environment.

So my question is “What is the minimum set of privileges required by ManageIQ to perform its tasks?”. Or “How do I restrict visibility/control of a provider?”.

You can in effect do exactly what you describe by creating a user in vSphere that has privileges to only the portion of the assets wanted. We set up classrooms in this very way where the “student” account only has visibility to a certain host/folder/whatever you want to restrict by.

The second part of the question is: what is the minimal set of privileges that a CloudForms user requires to manage vSphere providers? I mean, does it require administrator privileges on the subset of assets it will manage or can we restrict the privileges? If so, is there a list of required privileges?