One new configuration requirement that I have come across recently working with vRealize Automation is the increased integration and permissions between vRealize Business Standard, vCenter and vRealize Operations Manager.
For internal lab environments it may be common to use the ‘admin’ or ‘root’ user accounts when configuring credentials for various product integrations. However, in the real world, where accounts with the least required privilege should be used, specific roles and permissions need to be created and used.
This particular issue reared its head when the Storage Profiles could not be determined from vCenter in the Business Management tab in vRA, under Business Management > Cloud Cost > Storage Cost > Edit, as shown below:
Instead of displaying the various storage profiles for Storage Monthly Costs, all storage was collapsed as ‘uncategorized’.
So what was wrong?
When we checked the status of the vCenter connection, in the vRA portal under Business Management > Cloud Cost > Status we observed the following error:
vRealize Business Standard has a requirement that the user/credentials used to manage the vCenter Server connection (Read Only) must have additional privileges in vR Ops Manager.
In addition to the vCenter Read Only role, the vRB role requires the following additional vR Ops permissions:
- Storage views.View
- Profile-driven storage.Profile-driven storage view
- Global.vRealize Operations Read Only Role
In our EHC v3.1 lab environment, we use application service accounts to identify which application is talking to which, in the form of app_<source>_<target>. So for vRB integrating with vCenter and vR Ops Manager, we use the following:
- vRB to vCenter: app_vRB_vCenter
  - Read Only + vROps permission (as stated above)
- vRB to vR Ops: app_vRB_vROps
  - Read Only
While configuring vRealize Business Standard, logged into vRA as the Tenant Admin, the vCenter and vRealize Operations Manager connections can be configured under Administration > Business Management, as shown below:
- For the vCenter Server connection, the vCenter FQDN can and should be used
- For the vRealize Operations Server connection:
  - Enter the vR Ops Server IP Address or FQDN
  - The vR Ops Username should be specified as: user@domain@source
Note: This procedure and associated requirements have changed with vRB v7.1. More details here.
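As an added example (not part of the original post or any VMware tooling), the Python sketch below audits integration accounts against the baseline described above, flagging missing grants, excess grants and use of shared ‘admin’/‘root’ accounts. The privilege strings are the display names from this post rather than vSphere API privilege IDs, and the function names and sample data are hypothetical.

```python
import re

# Privilege names are the display names listed in the post, not vSphere API IDs.
VRB_VCENTER_EXTRA = {
    "Storage views.View",
    "Profile-driven storage.Profile-driven storage view",
    "Global.vRealize Operations Read Only Role",
}
# Expected grants per integration, keyed by (source, target) from the account name.
BASELINE = {
    ("vRB", "vCenter"): {"Read Only"} | VRB_VCENTER_EXTRA,
    ("vRB", "vROps"): {"Read Only"},
}
ACCOUNT_RE = re.compile(r"^app_([A-Za-z0-9]+)_([A-Za-z0-9]+)$")
SHARED_ACCOUNTS = {"admin", "root"}  # lab shortcuts the post warns against

def parse_vrops_username(value):
    """Split the vR Ops 'user@domain@source' form into its three parts."""
    parts = value.split("@")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected user@domain@source, got {value!r}")
    return dict(zip(("user", "domain", "source"), parts))

def audit_account(name, granted):
    """Return findings (missing or excess grants) for one integration account."""
    if name.lower() in SHARED_ACCOUNTS:
        return [f"{name}: shared administrative account used for integration"]
    match = ACCOUNT_RE.match(name)
    if not match:
        return [f"{name}: does not follow app_<source>_<target>"]
    key = match.groups()
    if key not in BASELINE:
        return [f"{name}: no baseline defined for {key[0]} to {key[1]}"]
    expected, actual = BASELINE[key], set(granted)
    findings = [f"{name}: missing '{p}'" for p in sorted(expected - actual)]
    findings += [f"{name}: excess '{p}'" for p in sorted(actual - expected)]
    return findings

# Constructed sample data: a vCenter account holding Read Only alone, a correct
# vR Ops account, and a shared account with a broad role.
SAMPLE = {
    "app_vRB_vCenter": ["Read Only"],
    "app_vRB_vROps": ["Read Only"],
    "root": ["Administrator"],
}

if __name__ == "__main__":
    for account, grants in SAMPLE.items():
        for line in audit_account(account, grants) or [f"{account}: OK"]:
            print(line)
```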
One other integration point to verify is the vCenter Adapter in vR Ops, configured in the vR Ops UI under Administration > Solutions > VMware vSphere > Configure, where the vCenter Server address should be given as either an IP Address or an FQDN.
Once these settings and user permissions have been set correctly, the Storage Profiles will be read correctly from vCenter and will be displayed accordingly in vRA Business Management, as shown below:
The vRA Business Management System Status also now displays all green ticks, as shown below:
… and they all lived happily ever after! #funfunfun
Update 21/12/2016 – This functionality is no longer available when using vSphere 6. More details available here
Software versions referenced in this post:
- vRealize Automation v6.2.1 b2553372
- vRealize Business Standard v6.1.0 b2548009
- vRealize Operations Manager v6.0.3 b3041065
- vCenter Server v5.5.0 b3142196 (5.5 Update3a)
- Federation Enterprise Hybrid Cloud v3.1
To correlate build numbers to VMware product versions, please refer here
Official VMware Doc References: