Bug 1374306 - explicit required permissions for the VMware provider user
Summary: explicit required permissions for the VMware provider user
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Documentation
Version: 5.6.0
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: GA
: 5.7.0
Assignee: Red Hat CloudForms Documentation
QA Contact: Red Hat CloudForms Documentation
URL:
Whiteboard: doc
Depends On:
Blocks: 1511957
TreeView+ depends on / blocked
 
Reported: 2016-09-08 12:17 UTC by Colin Arnott
Modified: 2020-09-10 09:47 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-04 04:42:19 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:


Attachments (Terms of Use)

Description Colin Arnott 2016-09-08 12:17:19 UTC
Document URL: 
https://access.redhat.com/documentation/en/red-hat-cloudforms/4.1/managing-providers/#adding_a_vmware_vcenter_provider

Section Number and Name: 
1.4.1.7

Describe the issue: 
The VMware provider currently requires the VMware vCenter administrative user, my security standards prevent me from giving cart blanch access to my VMware environment. Can you please enumerate the permissions required by CFME so that I can use least privilege when creating the CFME user for my VMware environment. 

Suggestions for improvement: 
Add a section indicating required permissions for the VMware provider.

Additional information:

Comment 2 Colin Arnott 2016-09-08 12:20:06 UTC
Sorry, I missed the section name

Section Number and Name: 
1.4.1.7 Adding a VMware vCenter Provider: login credentials

Comment 6 Andrew Dahms 2016-10-31 01:07:15 UTC
Moving to the default assignee for triage.

Raising needinfo against Adam for comment #5.

Comment 7 Adam Grare 2016-11-01 14:22:19 UTC
There is a section in the documentation (1.4.2.1. Using a Non-Administrator Account for Host Credentials) that says specifically it is for VMware Hosts but it looks like it'd be a good starting point for VC credentials as well.

We can go through all the API calls we use and check the SDK docs for required permissions but this will take a bit of time.

Comment 11 Andrew Dahms 2018-04-04 04:42:19 UTC
Thank you for raising this bug.

After further discussion with the program team, we have been given the advice not to document specific permissions for service accounts at this time based on the following article -

http://cloudformsblog.redhat.com/2017/08/16/security-management-operations/

As such, I will be closing this bug for now, but we can re-investigate this request again in the future if required.


Note You need to log in before you can comment on or make changes to this bug.