VMware Skyline Log Assist Rights
search cancel

VMware Skyline Log Assist Rights

book

Article ID: 319321

calendar_today

Updated On:

Products

VMware

Issue/Introduction

Symptoms:

For Skyline Log Assist, additional privileges are required to allow for remote support bundle collection. This article will detail the additional privileges required, and the steps to take to grant the additional privileges within each product.
 

VMware vSphere

  • vCenter Server Read-Only
  • RoleGlobal.Diagnostics
  • Global.Health
  • Global.Licenses
  • Global.Settings
  • Host profile.View
  • Storage views.View
If you have ESXi Host Encryption or vSAN Encryption:
  • Cryptographic operations > Direct Access

If you have enabled ESXi Host Encryption, or vSAN Encryption, the Cryptographic operations > Direct Access permission is required to allow the successful transfer of encrypted support bundles. This permission is only required for this reason and is not needed unless you have enabled ESXi Host Encryption, or vSAN Encryption. This permission does not apply to Virtual Machine Encryption.

Also, when Host Profiles are configured in the environment, the Host profile > Edit is required. Skyline will not attempt to make any changes upon the Profiles, but with the current API, Host profile > View only allows to list the Host profile and to review the configuration, Host profiles > Edit is required.

You must assign the required privileges to a user account. Assigning the required privileges to a group and using an account within the group to add vCenter Server to the Skyline Collector will fail the privileges check within Skyline Advisor.

 

NSX-V (NSX Data Center for vSphere)

  • NSX Administrator Role
     

NSX-T (NSX-T Data Center)

  • NSX Enterprise Administrator Role
  • NSX Auditor + Support Bundle Collector BUT ONLY with NSX-T version 3.2, and above (available only for collectors with version 3.2.0.0 and above)


You must assign the required privileges to a user account. Assigning the required privileges to a group and using an account within the group to add vCenter Server to the Skyline Collector will fail the privileges check within Skyline Advisor.
 

Horizon

  • Administrator(read-only) Role
  • Collect Operations Log Role

NOTE: Horizon 7 version 7.10, or above, is required to enable Skyline Log Assist to transfer support bundles for Horizon Connection Servers. If you are using a version of Horizon 7 previous to 7.10, Log Assist will not be available to you for Horizon Connection Servers within Skyline Advisor.

You must assign the required privileges to a user account. Assigning the required privileges to a group, and using an account within the group to add vCenter Server to the Skyline Collector will fail the privileges check within Skyline Advisor.
 

vRealize Operations Manager

  • Log Assist is currently unavailable for vRealize Operations Manager.

 

VMware Cloud Foundation

  • SDDC Manager Admin or SDDC Manager Operator Role

NOTE: The SDDC Manager Viewer Role is insufficient for Log Assist.
 

VRealize Suite Lifecycle Manager Permissions

  • There are no specific permissions required to add vRealize Suite Lifecycle Manager

 

vRealize Automation Permissions

  • vRealize Automation Viewer (Read-Only) Role

 

vRealize Log Insight Permissions

  • vRealize Log Insight View Only Admin Role



Environment

VMware Skyline Collector Appliance 3.x

Resolution

VMware vSphere

Additional privileges beyond are the minimum needed for both the collection of product usage data, and the ability to transfer a support log bundle with Skyline Log Assist.

  • vCenter Server Read-only role

  • Global.Diagnostics

  • Global.Health

  • Global.Licenses

  • Global.Settings

  • Host profile.View

  • Storage views.View

We recommend creating a custom role for Skyline to allow the collection of both product usage data and support log bundles.

Procedure

Follow these steps to create a custom vCenter Server role for Skyline.

  1. Log in to the vSphere Client with a user account with account creation/modification privileges.

  2. From Home page, click Administration.

  3. Under Access Control, click Roles.

  4. Click on the Read-only role within the list of built-in roles, then click the Clone role action button.

  5. Name the role, and provide a description of the role.

  6. Click on the new role you just created, then click the Edit role action button.

  7. Within the Edit Role window, click Global on the left-hand side.

  8. Select the following Global privileges: Diagnostics, Health, Licenses and Settings and Host profile.View

  9. Click Next. If you choose, you can update the name, or description, of the role.

  10. Click Finish to save the role.

    Note: When assigning Users to this Role select "Propagate to children"

Make sure that the following permissions do not differ:

  • Vsphere Main Menu -> Administration -> Global Permissions -> select corresponding user and click edit
  • Vsphere Main Menu -> Inventory -> select corresponding VC(s) -> select the „permissions” tab in the right panel -> select corresponding user and click edit


Sometimes there are differences, the first one is the global permission and the second one is object (per-VC) permission that overrides the first one.
They should not differ, they should both be assigned the same user roles and "propagate" checkbox must be enabled.




NSX-V (NSX Data Center for vSphere)

NSX Administrator privileges are required for Log Assist.

Procedure

  1. Log in to the vSphere Client with a user account with account creation/modification privileges.

  2. Navigate to Networking & Security > System > Users and Domains

  3. Ensure that you are in the Users tab.

  4. Click the Add icon. The Assign Role window opens.

  5. Click Specify a vCenter user or Specify a vCenter group.

  6. Type the vCenter Server user details and group details.

  7. Click Next.

  8. Select the NSX Administrator role for the user, then click Next.

  9. Click Finish.

NSX-T (NSX-T Data Center)

NSX Enterprise Administrator privileges are required for Log Assist.

Procedure

  1. Log in to the NSX Manager with a user account with account creation/modification privileges.

  2. Navigate to System > Users

  3. Click Role Assignements

  4. Add a user, and assign the NSX Enterprise Administrator role.

  5. Click Save.

Horizon

The following privileges are required for support log bundle collection by Skyline Log Assist.

  • Administrator (read-only) role

  • Collect Operation Logs

We recommend creating a custom role for Skyline to allow the collection of both product usage data and support log bundles.

Procedure

  1. Open the Horizon 7 Administrator console.

  2. Navigate to View Configuration > Administrators.

  3. Click on the Roles tab.

  4. Click on Add Role.

  5. Enter a name and description for the custom role.

    NOTE: Skyline Collector version 2.3 requires the role name of "LogCollector". The Skyline Collector v2.3 explicitly looks for the role name "LogCollector" when a log transfer request is initiated from Skyline to a Horizon Connection Server. You can avoid this requirement by using Skyline Collector version 2.4.

  6. Select the Collect Operations Log from the privilege list.

  7. Save the role.

  8. Click on the Administrators and Groups tab, then click Add User or Group.

  9. For the new user, click on Add Permission. Select the Administrators (read-only).

  10. Click Save.



Additional Information

https://docs.vmware.com/en/VMware-Skyline-Collector/services/Planning-and-Deployment-Guide.pdf

Powered by Wolken Software