
This was a recent question that was asked internally about the minimum privileges required to query VIBs on an ESXi host. The request was for a custom script that was developed for compliance checks, and the customer was looking to create a custom vSphere role to minimize the privileges needed to perform the task. Since I did not know the answer, it was off to the lab for some testing. Through the process of elimination, it turns out the only privilege that is required for querying VIBs on an ESXi host is Global.Settings.

In the example above, I created a custom vCenter Server Role called VIBQuery, enabled the Global.Settings privilege and assigned the role to a user. The custom role can be created on a vCenter Server as well as directly on an ESXi host. By using vCenter Server, one can benefit from centralized management of user access to all ESXi hosts in the environment.

To confirm that our user assigned to the new role can query VIBs on an ESXi host, we will run the following ESXCLI command:

We can also confirm that we can do the same directly on the ESXi host by running the following ESXCLI command:

When granting access to your vSphere infrastructure, you should always use good security practices by leveraging the RBAC (Role-Based Access Control) model and restricting the permissions a user has.
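The VIBQuery role described above can also be created and checked for privilege drift from a script. This is an added PowerCLI example, not code from the original post; the server name, the principal and the choice to assign the permission at the root folder are assumptions.

```powershell
# Added example; assumes VMware PowerCLI is installed.
$vcServer  = 'vcenter.example.com'   # placeholder vCenter Server name
$principal = 'EXAMPLE\vib-auditor'   # placeholder account for the compliance script
$roleName  = 'VIBQuery'              # role name used in the post

Connect-VIServer -Server $vcServer | Out-Null

# Create the role with Global.Settings as its only explicit privilege.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $priv = Get-VIPrivilege -Id 'Global.Settings'
    $role = New-VIRole -Name $roleName -Privilege $priv
}

# Drift check: vSphere adds the three System.* privileges to every role,
# so anything beyond those plus Global.Settings means the role has grown.
$expected = @('Global.Settings', 'System.Anonymous', 'System.Read', 'System.View')
$extra = $role.PrivilegeList | Where-Object { $_ -notin $expected }
if ($extra) {
    throw "Role '$roleName' carries unexpected privileges: $($extra -join ', ')"
}

# Assign the role once. Scope is an assumption: the root folder with
# propagation covers every host; test a narrower entity before relying on it.
$scope = Get-Folder -NoRecursion
$existing = Get-VIPermission -Entity $scope -Principal $principal -ErrorAction SilentlyContinue |
    Where-Object { $_.Role -eq $roleName }
if (-not $existing) {
    New-VIPermission -Entity $scope -Principal $principal -Role $role -Propagate $true | Out-Null
}

# Report what the principal now holds so the grant can be reviewed.
Get-VIPermission -Principal $principal |
    Select-Object Entity, Principal, Role, Propagate

Disconnect-VIServer -Server $vcServer -Confirm:$false
```

Running the drift check on a schedule catches privileges added to the role after the initial review.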

UPDATE: In addition to using ESXCLI, there are two additional options to query installed VIBs on an ESXi host as noted by the comment below by Mike.


About the Author

William Lam

William Lam is currently a Staff Solutions Architect in the VMware Cloud on AWS team within the Cloud Platform Business Unit (CPBU) at VMware. He primarily focuses on Automation, Integration and Operation of our Software Defined Datacenter (SDDC). One of his core responsibilities is driving VMC’s Customer[0] initiative and helping provide early feedback on the usability, design and architecture of new VMC features and capabilities. He works closely with Engineering & Product Management on developing new ideas and integrations for VMC. Lastly, through customer interactions and feedback he continues to help champion their challenges and needs to help further improve our products and services.