Minimum Collection User Permissions in vRealize Operations Manager 6.x and later


Article ID: 341635


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

Aria Operations is successfully collecting inventory data (VMs, Hosts) from vCenter, but "Appliance Health" data is inconsistent between vCenter instances.
  • Missing: Does not show Backup Job status or history.
  • Partial: Shows Certificate expiry dates correctly.
  • Incomplete: Under "Services," only the applmgmt service is listed. The critical vCenter services (e.g., vpxd, vsphere-ui, vpostgres) are missing.
In short, the Aria Operations Manager collection user must be granted permissions through a vCenter role in order to collect from vCenter.

Environment

VMware Operations Manager 6.x
VMware vRealize Operations Manager 7.x
VMware vRealize Operations 8.x
VMware Aria Operations 8.18.x
VMware vCenter Server Appliance 7.x
VMware vCenter Server Appliance 8.x

Cause

The vCenter Adapter collects data from two distinct API endpoints:

  • vSphere API (Inventory): Used for VMs, Hosts, Datastores, and Certificates (via VECS).
  • VAMI / Appliance API (Management): Used specifically for File-Level Backup status and Service Health (Service Lifecycle Manager).

It is possible that the service account successfully authenticated to the vSphere API (hence Certificates are visible) but lacks authorization for the VAMI API.

Note: vSphere Roles (e.g., "Read-Only") propagate to inventory objects; they do not automatically grant rights to the Appliance Management interface. This access is controlled via SSO Group Membership.

Resolution

  1. For a vRealize Operations Manager collection user to collect all metrics and tags for an object, the role assigned to that user must include at least the permissions below.
    1. Log in to the vSphere Web UI as an Administrator.
    2. Navigate to Administration > Access Control > Roles.
    3. Select the role given to the collection user specified in vRealize Operations Manager, or create a new role.
    4. Edit the role, and grant these permissions:
      • vCenter 6.0 and Earlier

        Global > Health
        Profile-Driven Storage > View
        Storage views > View
        vCenter Inventory Service

      • vCenter 6.5 and Later

        Datastore > Browse Datastore
        Extension > Register Extension
        Extension > Unregister Extension
        Extension > Update Extension
        Global > Global Tag
        Global > Health
        Global > Licenses
        Global > System Tag
        Global > Settings
        Performance > Modify Intervals
        Profile-Driven Storage > Profile-Driven Storage View
        Storage Views > View

        Note: To push Telegraf agents from vRealize Operations Manager, the collection user must also have the following permissions:
        Virtual Machine > Guest Operations > Guest Operation alias modification
        Virtual Machine > Guest Operations > Guest Operation alias query
        Virtual Machine > Guest Operations > Guest Operation modifications
        Virtual Machine > Guest Operations > Guest Operation program execution
        Virtual Machine > Guest Operations > Guest Operation queries

        Note: To provide data to vSphere Predictive DRS, the collection user must also have the following permissions:
        External stats provider > Update
        External stats provider > Register
        External stats provider > Unregister

    5. Click OK to save the changes.

      This role should be granted to the collection user at the Global level, to gather all objects.

      Alternatively, the role can be granted to the collection user on a specific object/child basis while other objects are given the No Access role. Any objects with the No Access role defined for the collection user will not appear in vRealize Operations Manager as a collected object.

      Note: You can assign Global permissions by logging in to the vSphere web client as [email protected].
             
  2. Verify SSO Group Membership:
    1. Log in to the vSphere Client as [email protected].
    2. Navigate to Administration > Single Sign On > Users and Groups.
    3. Select the Groups tab and search for SystemConfiguration.Administrators.
    4. Edit the group and add the service account used by Aria Operations (e.g., [email protected] or DOMAIN\svc-vrops).
  3. If the above fails, validate the Service Lifecycle Manager:
    1. SSH into the vCenter Appliance.
    2. Run the command: service-control --status vmware-vmon
    3. Ensure the "VMware Service Lifecycle Manager" is Running.
  4. Then restart the collection.
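
The following Python check is an added example, not VMware or Broadcom code. It audits a role against the "vCenter 6.5 and Later" list and the two optional notes above, reporting privileges that are missing, privileges that belong to a feature not in use, and anything beyond the list, plus whether the account is in the SSO group that governs Appliance API access. It assumes the role's privileges are supplied as the UI labels used in this article; `audit_role`, `SAMPLE_ROLE` and the feature keys `telegraf` and `pdrs` are hypothetical names.

```python
# Added example: audit a collection role against this article's vCenter 6.5+ list.
# Labels are the UI names from the article; SAMPLE_ROLE is constructed data.
BASE = [
    "Datastore > Browse Datastore", "Extension > Register Extension",
    "Extension > Unregister Extension", "Extension > Update Extension",
    "Global > Global Tag", "Global > Health", "Global > Licenses",
    "Global > System Tag", "Global > Settings", "Performance > Modify Intervals",
    "Profile-Driven Storage > Profile-Driven Storage View", "Storage Views > View",
]
GUEST = "Virtual Machine > Guest Operations > Guest Operation "
OPTIONAL = {  # feature keys are hypothetical names chosen for this example
    "telegraf": [GUEST + s for s in ("alias modification", "alias query",
                                     "modifications", "program execution", "queries")],
    "pdrs": ["External stats provider > " + s
             for s in ("Update", "Register", "Unregister")],
}
SSO_GROUP = "SystemConfiguration.Administrators"

def norm(label):
    """Case-fold and normalise spacing so 'Storage views>View' matches the list."""
    return " > ".join(" ".join(part.split()) for part in label.casefold().split(">"))

def audit_role(granted, features=(), sso_groups=()):
    """Compare granted privilege labels with what the enabled features require."""
    required = {norm(p): p for p in BASE}
    for feature in features:
        required.update({norm(p): p for p in OPTIONAL[feature]})
    have = {norm(p): p for p in granted}
    # Privileges that only an optional feature needs, when that feature is off.
    feature_only = {norm(p) for f in OPTIONAL if f not in features for p in OPTIONAL[f]}
    excess = {k: v for k, v in have.items() if k not in required}
    return {
        "missing": sorted(required[k] for k in required.keys() - have.keys()),
        "unused_feature": sorted(v for k, v in excess.items() if k in feature_only),
        "excess": sorted(v for k, v in excess.items() if k not in feature_only),
        # Appliance (VAMI) API access comes from SSO group membership, not the role.
        "appliance_api": SSO_GROUP.casefold() in {g.casefold() for g in sso_groups},
    }

SAMPLE_ROLE = [  # constructed: two base privileges absent, two extras present
    "Datastore > Browse Datastore", "Extension > Register Extension",
    "Extension > Unregister Extension", "Extension > Update Extension",
    "Global > Global Tag", "global > health", "Global > Licenses",
    "Global > System Tag", "Performance > Modify Intervals", "Storage views > View",
    GUEST + "program execution", "Virtual Machine > Interaction > Power Off",
]

if __name__ == "__main__":
    for key, value in audit_role(SAMPLE_ROLE, sso_groups=["Users"]).items():
        print(f"{key}: {value}")
```

A result with `appliance_api` false and an otherwise complete role matches the symptom in this article: inventory and certificates collect, but backup status and most services do not.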

Additional Information

To verify the user credentials specified in Aria Operations Manager:

Manage Credentials