These permissions must be applied at the data center level in the Hosts and Clusters view of vCenter. Because the ability to fetch the parent IDs of various entities is required, applying the permissions at the cluster level will cause errors.

Preparing the ESX host

This is the first step in deploying the DSVA. In this phase, a kernel driver is loaded onto the ESX host, and a separate vSwitch is configured to facilitate internal connectivity for the DSVA.

| Configuration Location | Required Permissions |
|---|---|
| Host > Configuration > Change Settings | Permissions required to query modules on ESX |
| Host > Configuration > Maintenance | Permissions required to enter and exit maintenance mode |
| Host > Configuration > Network Configuration | Permissions required to add new virtual switch, port group, virtual NIC etc. |
| Host > Configuration > Advanced Settings | Permissions required to set up networking for dvfilter communication on ESX |
| Host > Configuration > Query Patch | Permissions required to install Filter Driver |
| Host > Configuration > Connection | Permissions to disconnect/reconnect a host |
| Host > Configuration > Security profile and firewall | Permissions to reconfigure outgoing FW connections to allow retrieval of Filter Driver package from DSM |
| Global > Cancel Task | Permissions required to cancel a task if required |
| Host > Configuration > System Management | Permissions to prepare ESXi |
| Host > Configuration > Image Configuration | Permissions to configure DSVA image |
| Host > Configuration > Memory Configuration | Permissions to configure DSVA memory |

Deploying the Virtual Appliance

This is the second step in DSVA deployment, during which the virtual appliance itself is deployed from an OVF file.

| Configuration Location | Required Permissions |
|---|---|
| vApp > vApp application configuration | Permissions to set Product Version for DSVA |
| vApp > Import | Permissions to deploy DSVA from OVF file |
| Datastore > Allocate Space | Permissions required to allocate space for DSVA on datastore |
| Host > Configuration > Virtual machine autostart configuration | Permissions to set DSVA to autostart on ESX |
| Network > Assign Network | Permissions to assign DSVA to networks |
| Virtual Machine > Configuration > Add new disk | Permissions to add disks to DSVA |
| Virtual Machine > Interaction > Power On | Permissions to power on DSVA |
| Virtual Machine > Interaction > Power Off | Permissions to power off DSVA |
| Host > Inventory > Modify Cluster | Permissions to deploy DSVA |
| Virtual Machine > Change Configuration > Set annotation | Permission to deploy DSVA |

Activating the Virtual Machine

In this third step, the appliance is activated into the Deep Security Manager (DSM) system.

| Configuration Location | Required Permissions |
|---|---|
| Virtual Machine > Configuration > Advanced | Permissions to reconfigure virtual machine for dvfilter |

Regular Operations

For ongoing operations, fewer permissions are needed.

| Configuration Location | Required Permissions |
|---|---|
| Host > Configuration > Change Settings | Permissions required to query modules on ESX |
| Virtual Machine > Configuration > Advanced | Permissions to reconfigure virtual machine for dvfilter |

Deep Security Virtual Appliance Seamless Upgrade

For more information about DSVA seamless upgrade, see option 1 of the "Upgrade the appliance" section.

| Configuration Location | Required Permissions |
|---|---|
| ESX Agent Manager > Modify | Required for seamless upgrade |
| Virtual Machine > Edit Inventory > Remove | Required for seamless upgrade |

NSX Environment

In an NSX environment, both deployment and operation require the NSX built-in administrator account or a vCenter user account with the Enterprise Administrator role assigned. To assign a role to a vCenter user, follow the procedure in this VMware article: Assign a Role to a vCenter User.