vSphere Plugin: User Accounts and Privileges

User Guides for VMware Solutions

Audience
Public
Content Type
User Guides
Source Type
Documentation

In order to authenticate either Pure1 or FlashArray(s) to the vSphere Plugin, certain vCenter privileges are required for the access accounts.

Required vCenter Privileges

In order to add a FlashArray connection into the vSphere Plugin, the logged in user adding the connection must be assigned a role with the following privileges:

  • Global > 'Manage Custom Attributes'
  • Global > 'Set Custom Attribute'

Note:

Note this is just the privileges required for authenticating a FlashArray or Pure1 connection--this does not fulfill the requirements to use the plugin fully. Please refer to the individual feature documentation below for required vCenter permissions.

Required Pure1 Privileges

To configure Pure1 connectivity, follow this guide.There are currently no features in the vSphere Plugin that requires administrative access to the Pure1 REST API. This may change in the future as more active control is added into Pure1.

Required FlashArray Privileges (vSphere Plugin 5.5.0 and later)

Changes in the release of the 5.5.0 version of the vSphere plugin have added a new feature with how FlashArray registrations are mapped to vSphere users. In previous versions of the vSphere plugin, when a FlashArray was registered a user and password is used to generate an API Token for that user. The plugin then uses this API token to issue any requests to that are issued to that FlashArray with the plugin for any vSphere user logged into vCenter. Which can cause issues or raise concerns about access for vSphere Users to arrays.

With 5.5.0 a new feature is added that will store the initial user that registers the FlashArray or Fleet of arrays as the default user. This default user will then be shared with other vSphere users, but along with the concept of default users the plugin also added vSphere user to add their own FlashArray or Fleet credentials. These credentials are then mapped to this individual vSphere user and will not be shared with any other user.

With this feature addition Everpure has changed their recommendation on the initial user being used when registering a FlashArray. Rather than using the default pureuser account or using an user that is an array admin or storage admin, the recommended level for the default user will be a read only account. If there is a Fusion Fleet that will be getting added or will be created, then LDAP will be configured with the Array(s). The recommendation is to have a Read Only LDAP user in place when registering the array or the Fusion Fleet. In the event that Fusion is not being used or LDAP is not configured on the FlashArray, then the recommendation is to create a local read only account. Then when registering an Array for the first time with the plugin, then to use the read only account. After this point, then vSphere users will be able to add their own LDAP credentials to be paired to the vSphere User.

Here is an example of an Array with a default account (pure_ro) and with the Active Account shown that is paired to the vSphere User that is logged in. More information about this can be found in the authenticating a FlashArray connection section.

Required FlashArray Privileges (vSphere Plugin 5.4 and earlier)

In order to enable the use of FlashArray(s) in the VMware environment, vSphere administrators must authenticate the vSphere Plugin with the desired FlashArray(s). Users can choose to create local FlashArray users or use LDAP-connected users. It is recommended to provision a service account for plugin access to the FlashArray that doesn't necessarily reflect a specific person, but either a group or a use (username: vSpherePlugin for example).

For the process to create a new local account on the FlashArray, please refer the the FlashArray user guide for the pertinent version of Purity.

FlashArray Admin and CLI Reference Guides

The vSphere Plugin supports a few permission levels for the registered user:

  • Array Admin--this will provide the logged in users with access to all of the advertised features in the plugin. This is a supported level, but not recommended. This elevated permission set is not needed by the plugin
  • Storage Admin--this is the recommended level of permissions. Storage admin level of permissions provides users of the vSphere Plugin with all required permissions
  • Read Only--if the end-users only need to be able to view information about their storage environment (performance, data reduction, snapshots, capacity information, etc) provision a read only user account. This will block the ability to make any storage changes (change, add, remove, storage resources) with the plugin on the array(s) authenticated with this level of role

Audit Trail

Currently, all logged in users of the vSphere Client will share the same permissions of a given FlashArray or Pure1. Once a FlashArray is authenticated in the vSphere Plugin, all authenticated users in vSphere will share that same authentication. All operations executed in the plugin against a FlashArray will appear as the same authenticated user account in the FlashArray audit trail.

As an example, if a FlashArray is added with the username of "vsphereplugin" and creates a VMFS snapshot:

We see in the audit trail on the FlashArray:

The user is also vsphereplugin. Since all users share the same authentication, it is recommended to not authenticate with an account that is assigned to a specific individual, but instead a group or application account.

Video Demo