Operational Defect Database

BugZero updated this defect 55 days ago.

VMware | 59661

VMware Skyline Log Assist Rights

Last update date:

3/25/2024

Affected products:

Skyline Collector Appliance

Affected releases:

2.x

Fixed releases:

No fixed releases provided.

Description:

Symptoms

For Skyline Log Assist, additional privileges are required to allow for remote support bundle collection. This article details the additional privileges required, and the steps to take to grant them within each product.

VMware vSphere

- vCenter Server Read-Only Role
- Global.Diagnostics
- Global.Health
- Global.Licenses
- Global.Settings
- Host profile.View
- Storage views.View
- If you have ESXi Host Encryption or vSAN Encryption: Cryptographic operations > Direct Access

If you have enabled ESXi Host Encryption or vSAN Encryption, the Cryptographic operations > Direct Access permission is required to allow the successful transfer of encrypted support bundles. This permission is only required for this reason and is not needed unless you have enabled ESXi Host Encryption or vSAN Encryption. This permission does not apply to Virtual Machine Encryption.

Also, when Host Profiles are configured in the environment, Host profile > Edit is required. Skyline will not attempt to make any changes to the profiles, but with the current API, Host profile > View only allows listing the Host profiles; to review the configuration, Host profile > Edit is required.

You must assign the required privileges to a user account. Assigning the required privileges to a group and using an account within the group to add vCenter Server to the Skyline Collector will fail the privileges check within Skyline Advisor.

NSX-V (NSX Data Center for vSphere)

- NSX Administrator Role

NSX-T (NSX-T Data Center)

- NSX Enterprise Administrator Role
- NSX Auditor + Support Bundle Collector, but only with NSX-T version 3.2 and above (available only for collectors with version 3.2.0.0 and above)

You must assign the required privileges to a user account. Assigning the required privileges to a group and using an account within the group to add vCenter Server to the Skyline Collector will fail the privileges check within Skyline Advisor.

Horizon

- Administrator (read-only) Role
- Collect Operations Log Role

NOTE: Horizon 7 version 7.10, or above, is required to enable Skyline Log Assist to transfer support bundles for Horizon Connection Servers. If you are using a version of Horizon 7 previous to 7.10, Log Assist will not be available to you for Horizon Connection Servers within Skyline Advisor.

You must assign the required privileges to a user account. Assigning the required privileges to a group and using an account within the group to add vCenter Server to the Skyline Collector will fail the privileges check within Skyline Advisor.

vRealize Operations Manager

Log Assist is currently unavailable for vRealize Operations Manager.

VMware Cloud Foundation

- SDDC Manager Admin or SDDC Manager Operator Role

NOTE: The SDDC Manager Viewer Role is insufficient for Log Assist.

vRealize Suite Lifecycle Manager Permissions

There are no specific permissions required to add vRealize Suite Lifecycle Manager.

vRealize Automation Permissions

- vRealize Automation Viewer (Read-Only) Role

vRealize Log Insight Permissions

- vRealize Log Insight View Only Admin Role

Resolution

VMware vSphere

The following privileges are the minimum needed for both the collection of product usage data and the ability to transfer a support log bundle with Skyline Log Assist.

- vCenter Server Read-only role
- Global.Diagnostics
- Global.Health
- Global.Licenses
- Global.Settings
- Host profile.View
- Storage views.View

We recommend creating a custom role for Skyline to allow the collection of both product usage data and support log bundles.

Procedure

Follow these steps to create a custom vCenter Server role for Skyline.

1. Log in to the vSphere Client with a user account with account creation/modification privileges.
2. From the Home page, click Administration.
3. Under Access Control, click Roles.
4. Click on the Read-only role within the list of built-in roles, then click the Clone role action button.
5. Name the role, and provide a description of the role.
6. Click on the new role you just created, then click the Edit role action button.
7. Within the Edit Role window, click Global on the left-hand side.
8. Select the following Global privileges: Diagnostics, Health, Licenses and Settings, and Host profile.View.
9. Click Next.
10. If you choose, you can update the name, or description, of the role.
11. Click Finish to save the role.

Note: When assigning users to this role, select "Propagate to children".

Make sure that the following permissions do not differ:

- vSphere Main Menu -> Administration -> Global Permissions -> select the corresponding user and click Edit
- vSphere Main Menu -> Inventory -> select the corresponding VC(s) -> select the "Permissions" tab in the right panel -> select the corresponding user and click Edit

Sometimes there are differences: the first one is the global permission, and the second one is the object (per-VC) permission that overrides the first one. They should not differ; both should be assigned the same user roles, and the "propagate" checkbox must be enabled.

NSX-V (NSX Data Center for vSphere)

NSX Administrator privileges are required for Log Assist.

Procedure

1. Log in to the vSphere Client with a user account with account creation/modification privileges.
2. Navigate to Networking & Security > System > Users and Domains.
3. Ensure that you are in the Users tab.
4. Click the Add icon. The Assign Role window opens.
5. Click Specify a vCenter user or Specify a vCenter group.
6. Type the vCenter Server user details and group details.
7. Click Next.
8. Select the NSX Administrator role for the user, then click Next.
9. Click Finish.

NSX-T (NSX-T Data Center)

NSX Enterprise Administrator privileges are required for Log Assist.

Procedure

1. Log in to the NSX Manager with a user account with account creation/modification privileges.
2. Navigate to System > Users.
3. Click Role Assignments.
4. Add a user, and assign the NSX Enterprise Administrator role.
5. Click Save.

Horizon

The following privileges are required for support log bundle collection by Skyline Log Assist.

- Administrator (read-only) role
- Collect Operation Logs

We recommend creating a custom role for Skyline to allow the collection of both product usage data and support log bundles.

Procedure

1. Open the Horizon 7 Administrator console.
2. Navigate to View Configuration > Administrators.
3. Click on the Roles tab.
4. Click on Add Role.
5. Enter a name and description for the custom role.
   NOTE: Skyline Collector version 2.3 requires the role name "LogCollector". The Skyline Collector v2.3 explicitly looks for the role name "LogCollector" when a log transfer request is initiated from Skyline to a Horizon Connection Server. You can avoid this requirement by using Skyline Collector version 2.4.
6. Select the Collect Operations Log from the privilege list.
7. Save the role.
8. Click on the Administrators and Groups tab, then click Add User or Group.
9. For the new user, click on Add Permission.
10. Select the Administrators (read-only).
11. Click Save.
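
The vSphere checks described above (direct user assignment, the minimum privilege set with its two conditional additions, "propagate" enabled, and global and per-VC permissions using the same role) can be run over an exported permission list. This is an added example, not VMware or Skyline code; the record layout, the account names and the sample data are assumptions, and the privilege labels are copied from the article's text rather than taken from the vSphere API.

```python
# Added example. Privilege labels are copied from the article's text; they are
# not vSphere API privilege IDs. The record layout is an assumption.
BASE = {"Global.Diagnostics", "Global.Health", "Global.Licenses",
        "Global.Settings", "Host profile.View", "Storage views.View"}

def required(encryption=False, host_profiles=False):
    """Privileges needed on top of the cloned Read-only role."""
    need = set(BASE)
    if encryption:       # ESXi Host Encryption or vSAN Encryption enabled
        need.add("Cryptographic operations > Direct Access")
    if host_profiles:    # Host Profiles configured in the environment
        need.add("Host profile > Edit")
    return need

def audit(account, roles, perms, **env):
    """Return (scope, problem) findings for the account; empty list means OK."""
    findings = []
    direct = [p for p in perms if p["principal"] == account and not p["group"]]
    if not direct:
        return [("-", "privileges must be assigned to the user account, not a group")]
    global_roles = {p["role"] for p in direct if p["scope"] == "global"}
    for p in direct:
        missing = sorted(required(**env) - roles.get(p["role"], set()))
        if missing:
            findings.append((p["scope"], "missing: " + ", ".join(missing)))
        if not p["propagate"]:
            findings.append((p["scope"], "propagate is not enabled"))
        if p["scope"] != "global" and global_roles and p["role"] not in global_roles:
            findings.append((p["scope"], "role differs from the global permission"))
    return findings

# Constructed sample data: one custom role and three permission entries.
ROLES = {"Skyline": BASE | {"Host profile > Edit"}, "ReadOnly": set()}
PERMS = [
    {"principal": "svc-skyline", "group": False, "scope": "global",
     "role": "Skyline", "propagate": True},
    {"principal": "svc-skyline", "group": False, "scope": "vc01",
     "role": "ReadOnly", "propagate": False},
    {"principal": "skyline-admins", "group": True, "scope": "global",
     "role": "Skyline", "propagate": True},
]

if __name__ == "__main__":
    for scope, problem in audit("svc-skyline", ROLES, PERMS, host_profiles=True):
        print(f"{scope}: {problem}")
```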

Related Information

https://docs.vmware.com/en/VMware-Skyline-Collector/services/Planning-and-Deployment-Guide.pdf
