vSphere Health Check Report with ESXi 5.x (Minimum Permissions)

If you are using VMware vSphere Health Check Report v5.0.2 by William Lam in your environment, you might get incomplete reports after upgrading to vSphere 5.x. This applies only when you run the script with a minimal set of privileges. The report is broken (VM and host information is missing), and running the script with --debug 1 throws an error message.

vi-admin@vma:/# ./vmwarevSphereHealthCheck/vmwarevSphereHealthCheck.pl --server vc.lab.virten.net --username healthcheck --password ****** --type vcenter --debug 1
Generating VMware vSphere Health Report v5.0.2 "vmware_health_report.html" ...

This can take a few minutes depending on the size of your environment. 
Get a cup of coffee/tea/beer and check out http://www.virtuallyghetto.com

---DEBUG managementServerIp: 10.0.0.2 ---
---DEBUG dnsname: vc.lab.virten.net ---
Can't call method "agentVmDatastore" on an undefined value at ./vmwarevSphereHealthCheck/vmwarevSphereHealthCheck.pl line 2655.

or (5.0 only):

vi-admin@vma:/# ./vmwarevSphereHealthCheck/vmwarevSphereHealthCheck.pl --server vc.lab.virten.net --username healthcheck --password ****** --type vcenter --debug 1
Generating VMware vSphere Health Report v5.0.2 "vmware_health_report.html" ... 
This can take a few minutes depending on the size of your environment. 
Get a cup of coffee/tea/beer and check out http://www.virtuallyghetto.com

SOAP Fault:
-----------
Fault string: Permission to perform this operation was denied.
Fault detail: NoPermissionFault

This has to be a permission problem because running the script as Administrator works. According to the documentation you need the following permissions:

  • Datastore.Browse
  • Global.Diagnostics
  • Global.Licenses
  • Sessions.TerminateSession
  • Sessions.ValidateSession
  • System.Anonymous
  • System.Read
  • System.View

After trying to debug the issue I encountered some strange contradictions with the Host Agent. The solution is to add the following permissions:

  • Host.Configuration.Change (Required in 5.0 and 5.1)
  • Host.Configuration.Storage (Required in 5.0 only)

With the GUI:

  • Host > Configuration > Change settings (Required in 5.0 and 5.1)
  • Host > Configuration > Change partition configuration (Required in 5.0 only)

This is really weird because the config.change permission allows setting of lockdown mode on ESXi hosts only. But it solves the problem (tested a couple of times because I couldn't believe it).
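The permission set above can be kept in a dedicated role so that the extra host configuration privileges apply only to the reporting account. The following is an added example, not part of the original post or of William Lam's script. It uses the vSphere SDK for Perl that ships with vMA. The privilege IDs Host.Config.Settings and Host.Config.Storage are assumed to be the API names behind the two GUI entries listed above, and the options --rolename and --vcversion are hypothetical names chosen for this example.

```perl
#!/usr/bin/perl
# Added example (not part of vmwarevSphereHealthCheck.pl): create a dedicated
# least-privilege role for the health check account.
use strict;
use warnings;
use VMware::VIRuntime;

Opts::add_options(
    rolename  => { type => "=s", required => 1, help => "Name of the role to create" },
    vcversion => { type => "=s", required => 1, help => "vCenter version: 5.0 or 5.1" },
);
Opts::parse();
Opts::validate();

my $name = Opts::get_option('rolename');
my $ver  = Opts::get_option('vcversion');
die "--vcversion must be 5.0 or 5.1\n" unless $ver eq '5.0' || $ver eq '5.1';

# Privileges from the script's documentation, as listed in the post.
my @privs = qw(Datastore.Browse Global.Diagnostics Global.Licenses
               Sessions.TerminateSession Sessions.ValidateSession
               System.Anonymous System.Read System.View);

# ASSUMPTION: API privilege IDs behind the GUI labels named in the post.
push @privs, 'Host.Config.Settings';               # "Change settings" (5.0 and 5.1)
push @privs, 'Host.Config.Storage' if $ver eq '5.0';   # partition configuration (5.0 only)

Util::connect();
my $authMgr = Vim::get_view(
    mo_ref => Vim::get_service_content()->authorizationManager);

# Stop if the server does not know one of the IDs (guards the assumption above).
my %known   = map { $_->privId => 1 } @{ $authMgr->privilegeList || [] };
my @unknown = grep { !$known{$_} } @privs;
if (@unknown) {
    Util::disconnect();
    die "Unknown privilege IDs on this server: @unknown\n";
}

# Never silently widen an existing role of the same name.
if (grep { $_->name eq $name } @{ $authMgr->roleList || [] }) {
    Util::disconnect();
    die "Role '$name' already exists; review it instead of overwriting.\n";
}

my $roleId = $authMgr->AddAuthorizationRole(name => $name, privIds => \@privs);
print "Created role '$name' (id $roleId) with ", scalar(@privs), " privileges\n";
Util::disconnect();
```

The script only creates the role; it still has to be assigned to the reporting account in vCenter.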

[Update 2012-09-28: Different error in 5.0 and 5.1 added]

  1. Thanks for sharing the tip, I'll need to update my documentation once I get a chance. I suspect that particular permission might include some "read" operation that might not be allowed if the account does not have it. Curious if you have tested this with vSphere 5.1? Or was this only 5.0?

    --William

    • This applies to both 5.0 and 5.1 (vCenter version). Verified it again and figured out that with 5.0 there is another permission required (change.configuration.storage).
