Creating a “least privileged” service account for Data Services Manager 2.0.x
Earlier this week, a customer reached out about the installation requirements for Data Services Manager 2.0.x. One of the steps in the installation documentation states the requirement for a vCenter SSO Username. The doc adds that this has to be the vCenter server administrator’s SSO username. And even though these SSO admin credentials are not stored, and are in fact discarded after creating a dedicated vCenter service account for VMware Data Services Manager, the customer asked if there was a way to create a “least privileged” user for creating a DSM service account. The answer is yes. This post will show the steps required to create this “least privileged” user for DSM, enabling the DSM plugin to install and operate correctly in vCenter. Two levels of permissions are required. One is a Global Permission and the other is a permission on the Root Folder of the vCenter server. This post will show how to configure both.
Step 1: Create a new role for the DSM service account
The first step is to create a new role in vCenter which contains the appropriate privileges for the DSM service account. The purpose of a service account is to provide API-based access for certain management tasks. A service account performs get, modify, and delete tasks. To create the role, navigate to the vSphere Client > Administration > Access Control > Roles. Click NEW to create a new role. I called my role svcmgr. This role needs the Service Account Management > Administer (Create/Delete accounts and Reset passwords) privilege as shown below.
Save this role (svcmgr) with the privileges outlined above.
Step 2: Create a new “least privileged” user for DSM
After creating the role, create a new user. I have called this user dsmadmin, and this user will be used to create the service account for DSM. On the administration page of the vSphere Client, under Single Sign On > Users and Groups, click on ADD to create a new user.
Step 3: Assign a Global Permission to user with role
Using the new role and the new user which were created in steps 1 and 2 respectively, proceed with creating a new Global Permission for this user. Global Permissions are found under Access Control. Click on ADD to create a new Global Permission, and in the User/Group field, select the user that was created in step 2, in my case dsmadmin. In the Role field, select the role that was created in step 1, in my case svcmgr. Note that there is no need to propagate this permission to children, so this can be left unchecked. Save the new Global Permission.
Step 4: Grant new user Root Folder Permissions in vCenter
We now come to the second set of permissions for our new user. The user needs to have the predefined Administrator Role applied to the Root Folder of the vCenter. This permission must be propagated to children. This step is done from the vSphere Client. As a user with administrator privileges, log in to the vSphere Client, select the vCenter server in the inventory, open the Permissions tab, select the DSM user (dsmadmin) and click EDIT. Set the Role to Administrator and ensure that the Propagate to children checkbox is also selected.
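For anyone who prefers to script this, here is a PowerCLI version of steps 1 and 4 followed by a check of what the new account actually holds. This is an added example, not part of the original post or of the DSM product; the vCenter name and SSO domain are placeholders, the privilege is located by its display name under the Service Account Management group (an assumption, since the internal privilege id is not given on this page), and step 3 is left to the vSphere Client because PowerCLI has no public cmdlet for Global Permissions.

```powershell
# Added example (not from the original post): PowerCLI equivalent of steps 1 and 4,
# plus a check of what the dsmadmin user can actually do. Assumes PowerCLI is installed;
# the vCenter name, SSO domain and account names below are placeholders.
Import-Module VMware.PowerCLI -ErrorAction Stop

$vcenter   = 'vcenter.example.local'          # placeholder
$principal = 'vsphere.local\dsmadmin'         # user created in step 2 (placeholder domain)
$roleName  = 'svcmgr'

Connect-VIServer -Server $vcenter | Out-Null

# Step 1: build the svcmgr role from the single "Administer" privilege under the
# "Service Account Management" privilege group. The group and privilege are looked up
# by display name rather than hard-coded id (assumption: names match the vSphere Client).
$saGroup = Get-VIPrivilege -Group | Where-Object { $_.Name -like 'Service Account*' }
if (-not $saGroup) { throw 'Service Account Management privilege group not found; check the vCenter version.' }
$administer = Get-VIPrivilege -PrivilegeGroup $saGroup | Where-Object { $_.Name -like 'Administer*' }
if (-not (Get-VIRole -Name $roleName -ErrorAction SilentlyContinue)) {
    New-VIRole -Name $roleName -Privilege $administer | Out-Null
}

# Step 3 (Global Permission on dsmadmin with the svcmgr role) has no public PowerCLI
# cmdlet; create it in the vSphere Client as described in the post.

# Step 4: Administrator role on the vCenter root folder, propagated to children.
$rootFolder = Get-Folder -NoRecursion          # the hidden root folder of this vCenter
$adminRole  = Get-VIRole -Name 'Administrator'
$existing   = Get-VIPermission -Entity $rootFolder -Principal $principal -ErrorAction SilentlyContinue
if (-not $existing) {
    New-VIPermission -Entity $rootFolder -Principal $principal -Role $adminRole -Propagate:$true | Out-Null
}

# Check: enumerate every local permission the account holds. For this least-privileged
# setup the list should contain only the root-folder Administrator entry created above;
# anything extra means the account has been granted more than DSM needs.
$perms = @(Get-VIPermission -Principal $principal)
$perms | Select-Object Entity, Role, Propagate, IsGroup | Format-Table -AutoSize
if ($perms.Count -ne 1) {
    Write-Warning "Expected exactly one local permission for $principal, found $($perms.Count). Review before installing DSM."
}

Disconnect-VIServer -Server $vcenter -Confirm:$false
```

Run it as an account that already holds Administrator on the vCenter; the final listing is also a useful thing to re-run periodically to confirm nobody has widened the DSM user's permissions since installation.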
And that is it. When installing the DSM plugin, select this user for the SSO admin username.
If this is an SSO domain which traverses many different vCenter servers, such as a VCF environment, you can restrict this user from having any access to other vCenter environments or workload domains, and allow the user to only have access to the environment where you plan to deploy the DSM databases and data services.