Diagnostics for VMware Cloud Foundation: Diagnostics Log Assist Privileges


Article ID: 375817


Products

VCF Operations

Issue/Introduction

For Diagnostics Log Assist, additional privileges are required to allow for remote support bundle collection. This article will detail the additional privileges required, and the steps to take to grant the additional privileges within each product. 

Validation of the required rights is performed during the mapping of inventory for log assist and when you trigger log assist. 

vCenter

  • Global.Diagnostics

If you have ESX Host Encryption or vSAN Encryption:

  • Cryptographic operations > Direct Access

If you have enabled ESX Host Encryption or vSAN Encryption, the Cryptographic operations > Direct Access permission is required to allow the successful decryption of the log bundle and its transfer to the Support Portal. This permission is required only for this reason and is not needed unless you have enabled ESX Host Encryption or vSAN Encryption. This permission does not apply to Virtual Machine Encryption.


NSX

  • NSX Auditor + Support Bundle Collector (only with NSX version 3.2 and above)

 

VCF Operations Manager

  • VCF Operations Viewer (Read-Only) Role

 

VMware Cloud Foundation

  • SDDC Manager Admin or SDDC Manager Operator Role

NOTE: The SDDC Manager Viewer Role is insufficient for Log Assist.
 

VCF Fleet Manager Permissions

  • There are no specific permissions required to add VCF Fleet Manager

 

VCF Automation Permissions

  • VCF Automation Viewer (Read-Only) Role

 

VCF Operations for Logs Permissions

  • VCF Operations for Logs View Only Admin Role

Environment

Operations for VMware Cloud Foundation 9.0

Resolution

vCenter

The following privileges are the minimum needed for both the collection of product usage data and the ability to transfer a support log bundle with VCF Diagnostics Log Assist.

  • vCenter Server Read-only role
  • Global.Diagnostics

We recommend creating a custom role for Diagnostics to allow the collection of both product usage data and support log bundles.

Procedure

Follow these steps to create a custom vCenter Server role for Diagnostics.

  1. Log in to the vSphere Client with a user account with account creation/modification privileges.
  2. From the Home page, click Administration.
  3. Under Access Control, click Roles.
  4. Click on the Read-only role within the list of built-in roles, then click the Clone role action button.
  5. Name the role, and provide a description of the role.
  6. Click on the new role you just created, then click the Edit role action button.
  7. Within the Edit Role window, click Global on the left-hand side.
  8. Select Global privileges: Diagnostics.
  9. Click Next. If you choose, you can update the name, or description, of the role.
  10. Click Finish to save the role.

    Note: When assigning users to this role, select "Propagate to children".

Make sure that the following permissions do not differ:

  • vCenter Main Menu -> Administration -> Global Permissions -> select corresponding user and click edit
  • vCenter Main Menu -> Inventory -> select corresponding VC(s) -> select the "permissions" tab in the right panel -> select corresponding user and click edit


Sometimes these two differ. The first is the global permission and the second is the object (per-VC) permission, which overrides the first.
They should not differ: both should be assigned the same user roles, and the "propagate" checkbox must be enabled.
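
The role creation and the permission consistency check above can also be scripted with VMware PowerCLI. This is an added example, not part of the original article: the role name and account name are hypothetical, it assumes an existing `Connect-VIServer` session, and it covers per-vCenter object permissions only (the Global Permissions entry is still reviewed in the vSphere Client).

```powershell
# Added example (not from the original article). Assumes VMware PowerCLI and an
# existing session, e.g. Connect-VIServer -Server <vcenter-fqdn>.
$roleName  = 'Diagnostics-LogAssist'            # hypothetical role name
$principal = 'VSPHERE.LOCAL\svc-diagnostics'    # hypothetical service account
$encrypted = $false   # set $true only with ESX Host Encryption or vSAN Encryption

# Expected privilege IDs: the built-in Read-only role plus Global.Diagnostics.
$expected = @((Get-VIRole -Name 'ReadOnly').PrivilegeList) + 'Global.Diagnostics'
# Privilege ID for "Cryptographic operations > Direct Access".
if ($encrypted) { $expected += 'Cryptographer.Access' }

# Create the role if it is missing (equivalent to cloning Read-only and
# adding the Diagnostics privilege in the vSphere Client).
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id $expected)
}

# Least-privilege check: report drift in either direction.
$diff = Compare-Object -ReferenceObject $expected -DifferenceObject $role.PrivilegeList
foreach ($d in $diff) {
    $state = if ($d.SideIndicator -eq '=>') { 'unexpected extra' } else { 'missing' }
    Write-Warning "Role '$roleName': $state privilege $($d.InputObject)"
}

# Assign at the vCenter root folder with "Propagate to children" enabled.
$root = Get-Folder -NoRecursion
if (-not (Get-VIPermission -Entity $root -Principal $principal -ErrorAction SilentlyContinue)) {
    New-VIPermission -Entity $root -Principal $principal -Role $role -Propagate $true | Out-Null
}

# Flag any object permission for the account that uses a different role
# or does not propagate; an empty result means the assignments agree.
Get-VIPermission -Principal $principal |
    Where-Object { $_.Role -ne $roleName -or -not $_.Propagate } |
    Select-Object Entity, Role, Propagate
```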

 

NSX

NSX Auditor + Support Bundle Collector privileges are required for Log Assist.

Procedure

  1. Log in to the NSX Manager with a user account with account creation/modification privileges.
  2. Navigate to System > Users.
  3. Click Role Assignments.
  4. Add a user, and assign the NSX Auditor + Support Bundle Collector role.
  5. Click Save.