1 Reply Latest reply on Aug 13, 2012 3:57 PM by witchbutter

    ESXi polling with SAM/NPM least privilege

    witchbutter

      The only way I am able to get "VMWare Polling Settings" to return any data from the VMWare API is to use the root account for hosts running ESXi 5.  Is this wise?  Is there a least privilege guideline here?


      How would one go about creating a separate user account, whether local or Active Directory, to provide enough access to read the relevant data?  I have followed the guidelines in the SAM manual such that VMWare Hardware monitoring is enabled and Port 5989 for CIM Secure Server is open, however no local account I create will pass the "Poll for VMWare" test.  Is this a situation where a specific VMware role needs to be assigned in order to poll?  It is not sufficient to be in the root group.

        • Re: ESXi polling with SAM/NPM least privilege
          witchbutter

          A little tinkering has answered my question:

          In my case I created a local account called Monitor.  The UID does not matter.

          I added Monitor to the root group with no shell access.  SSH is turned off in our environment anyway.

          The issue is that when you create a new local account it has no role.  For SolarWinds, the Read-Only role is providing me all the data I need.

          Do this via the vCLI.  This is the command:

          vicfg-user.pl --server esxiserver.yourdomain.com --username root --protocol HTTPS --entity user --login Monitor --operation modify --role read-only