Minimum XenDesktop / PVS account access into vSphere needed.
If you are looking to lock down your XenDesktop/PVS service account’s access into the vSphere environment, you need to read Jarian Gibson’s post: https://jariangibson.com/2010/12/21/using-xendesktop-5-with-vmware/
He details all the rights necessary, along with the discrepancies between vSphere’s terminology and Citrix’s eDocs. It is really useful stuff and invaluable for getting things working correctly in a locked-down environment. After reading through his post, though, if you just need a list of rights to cut and paste for your vSphere team to implement, here you go.
Custom vSphere Role for XenDesktop/PVS & XenDesktop Setup Wizards
Create a role in vCenter with the following permissions:
- Datastore Permissions
  - Allocate space
  - Browse datastore
  - Low level file operations
- Network Permissions
  - Assign network
- Resource Permissions
  - Assign virtual machine to resource pool
- System Permissions (these permissions are automatically added when you create a role in vCenter)
  - Anonymous
  - Read
  - View
- Task Permissions
  - Create Task
- Virtual Machine/Configuration Permissions
  - Add existing disk
  - Add new disk
  - Change CPU count
  - Change resource
  - Memory
  - Remove disk
- Virtual Machine/Interaction
  - Power Off
  - Power On
  - Reset
  - Suspend
- Virtual Machine/Inventory
  - Create New
  - Create from existing
  - Remove
  - Register
- Virtual Machine/Provisioning
  - Clone virtual machine
  - Allow disk access
  - Allow virtual machine download
  - Allow virtual machine files upload
- Virtual Machine/State
  - Create snapshot
  - Revert to snapshot
- Global
  - Manage custom attributes
  - Set custom attribute
- Virtual Machine/Provisioning
  - Clone Template
  - Deploy Template
These rights have been vetted with Citrix XenDesktop 5.6, Citrix Provisioning Server 6.1 and vSphere 4.1 & 5.
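The role above, created and then checked for drift with VMware PowerCLI. This is an added example, not from the original post; the server name, the role name, and the mapping from the display names to privilege IDs are assumptions to confirm with `Get-VIPrivilege` on your vCenter.

```powershell
# Added example. Requires the VMware PowerCLI module.
$vCenter  = 'vcenter.example.local'     # hypothetical placeholder
$roleName = 'XenDesktop-PVS-Service'    # hypothetical placeholder

# Privilege IDs mapped from the display names in the list (assumed mapping).
# System.Anonymous/Read/View are left out: vCenter adds them to every role.
$wanted = @(
    'Datastore.AllocateSpace', 'Datastore.Browse', 'Datastore.FileManagement',
    'Network.Assign',
    'Resource.AssignVMToPool',
    'Task.Create',
    'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.CPUCount', 'VirtualMachine.Config.Resource',
    'VirtualMachine.Config.Memory', 'VirtualMachine.Config.RemoveDisk',
    'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.Reset', 'VirtualMachine.Interact.Suspend',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.CreateFromExisting',
    'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Register',
    'VirtualMachine.Provisioning.Clone', 'VirtualMachine.Provisioning.DiskRandomAccess',
    'VirtualMachine.Provisioning.GetVmFiles', 'VirtualMachine.Provisioning.PutVmFiles',
    'VirtualMachine.Provisioning.CloneTemplate', 'VirtualMachine.Provisioning.DeployTemplate',
    'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RevertToSnapshot',
    'Global.ManageCustomFields', 'Global.SetCustomField'
)

Connect-VIServer -Server $vCenter | Out-Null

# Fail closed if any ID does not resolve on this vCenter version.
$privs   = Get-VIPrivilege -Id $wanted -ErrorAction SilentlyContinue
$missing = $wanted | Where-Object { $_ -notin $privs.Id }
if ($missing) { throw "Unknown privilege IDs: $($missing -join ', ')" }

# Create the role only if it does not exist yet.
if (-not (Get-VIRole -Name $roleName -ErrorAction SilentlyContinue)) {
    New-VIRole -Name $roleName -Privilege $privs | Out-Null
}

# Drift check: report anything granted beyond the list, or removed from it.
$implicit = 'System.Anonymous', 'System.Read', 'System.View'
$actual   = (Get-VIRole -Name $roleName).PrivilegeList |
            Where-Object { $_ -notin $implicit }
$extra    = $actual | Where-Object { $_ -notin $wanted }
$absent   = $wanted | Where-Object { $_ -notin $actual }

if ($extra)  { Write-Warning "Granted beyond the list: $($extra -join ', ')" }
if ($absent) { Write-Warning "Missing from the role: $($absent -join ', ')" }
if (-not $extra -and -not $absent) { Write-Output "Role '$roleName' matches the list." }
```

Re-running the script against an existing role performs only the drift check, which makes it usable as a periodic audit of the service account's role.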