Minimum XenDesktop / PVS account access into vSphere needed.

If you are looking to lock down your XenDesktop/PVS service account’s access into the vSphere environment, you need to read Jarian Gibson’s post on the subject.

He details all the rights necessary, along with the discrepancies between vSphere’s and Citrix eDocs’ terminology for the same privileges.  Really useful stuff and invaluable for getting things working correctly in a locked-down environment.  After reading through his post, though, if you just need a cut-and-paste list of rights for your vSphere team to implement, here you go.

Custom vSphere Role for XenDesktop/PVS & XenDesktop Setup Wizards
Create a role in vCenter with the following permissions:

  • Datastore Permissions
    • Allocate space
    • Browse datastore
    • Low level file operations
  • Network Permissions
    • Assign network
  • Resource Permissions
    • Assign virtual machine to resource pool
  • System Permissions
    These permissions are automatically added when you create a role in vCenter.
    • Anonymous
    • Read
    • View
  • Task Permissions
    • Create Task
  • Virtual Machine/Configuration Permissions
    • Add existing disk
    • Add new disk
    • Change CPU count
    • Change resource
    • Memory
    • Remove disk
  • Virtual Machine/Interaction
    • Power Off
    • Power On
    • Reset
    • Suspend
  • Virtual Machine/Inventory
    • Create New
    • Create from existing
    • Remove
    • Register
  • Virtual Machine/Provisioning
    • Clone virtual machine
    • Clone template
    • Deploy template
    • Allow disk access
    • Allow virtual machine download
    • Allow virtual machine files upload
  • Virtual Machine/State
    • Create snapshot
    • Revert to snapshot
  • Global
    • Manage custom attributes
    • Set custom attribute

These rights have been vetted with Citrix XenDesktop 5.6, Citrix Provisioning Services 6.1 and vSphere 4.1 and 5.
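If your vSphere team would rather script the role than click through the privilege tree, the following PowerCLI script builds it from the list above and binds it to the service account. This is an added example, not code from the original post or from Citrix/VMware. The vCenter name, role name, account name and datacenter scope are placeholders, and the privilege IDs are my mapping of the UI names to vSphere API privilege IDs; the script resolves every ID against your vCenter and aborts on any it cannot find, so a naming difference on your vSphere version is caught before anything is created.

```powershell
# Added example (not from the original post or from Citrix/VMware).
# Assumptions: vCenter 'vcenter.example.com', role 'Citrix-XD-PVS',
# service account 'EXAMPLE\svc-xendesktop', datacenter 'DC1' as the scope.
# Requires VMware PowerCLI and an account that can manage roles/permissions.
param(
    [string]$VCenter   = 'vcenter.example.com',    # assumed placeholder
    [string]$RoleName  = 'Citrix-XD-PVS',          # assumed placeholder
    [string]$Principal = 'EXAMPLE\svc-xendesktop', # assumed placeholder
    [string]$Scope     = 'DC1'                     # assumed datacenter name
)

# UI privilege name -> vSphere API privilege ID (my mapping; verified at runtime).
$privilegeIds = @(
    'Datastore.AllocateSpace',                      # Datastore > Allocate space
    'Datastore.Browse',                             # Datastore > Browse datastore
    'Datastore.FileManagement',                     # Datastore > Low level file operations
    'Network.Assign',                               # Network > Assign network
    'Resource.AssignVMToPool',                      # Resource > Assign VM to resource pool
    'System.Anonymous', 'System.Read', 'System.View', # added automatically; listed for completeness
    'Task.Create',                                  # Tasks > Create task
    'VirtualMachine.Config.AddExistingDisk',
    'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.CPUCount',               # Change CPU count
    'VirtualMachine.Config.Resource',               # Change resource
    'VirtualMachine.Config.Memory',
    'VirtualMachine.Config.RemoveDisk',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.Suspend',
    'VirtualMachine.Inventory.Create',              # Create new
    'VirtualMachine.Inventory.CreateFromExisting',
    'VirtualMachine.Inventory.Delete',              # UI name: Remove
    'VirtualMachine.Inventory.Register',
    'VirtualMachine.Provisioning.Clone',            # Clone virtual machine
    'VirtualMachine.Provisioning.CloneTemplate',
    'VirtualMachine.Provisioning.DeployTemplate',
    'VirtualMachine.Provisioning.DiskRandomAccess', # Allow disk access
    'VirtualMachine.Provisioning.GetVmFiles',       # Allow virtual machine download
    'VirtualMachine.Provisioning.PutVmFiles',       # Allow virtual machine files upload
    'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RevertToSnapshot',
    'Global.ManageCustomFields',                    # Manage custom attributes
    'Global.SetCustomField'                         # Set custom attribute
)

Connect-VIServer -Server $VCenter -ErrorAction Stop | Out-Null

# Resolve each ID on this vCenter; an unknown ID stops the script here,
# before any role or permission is created.
$privileges = foreach ($id in $privilegeIds) {
    Get-VIPrivilege -Id $id -ErrorAction Stop
}
if ($privileges.Count -ne $privilegeIds.Count) {
    throw "Resolved $($privileges.Count) of $($privilegeIds.Count) privileges; aborting."
}

# Create the role with exactly this privilege set, or reuse it if it exists.
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege $privileges
}

# A role grants nothing until it is bound to a principal on an inventory object.
# Binding at the datacenter with Propagate lets the clusters, hosts, datastores
# and networks beneath it inherit the permission; narrow the scope if you can.
$entity = Get-Datacenter -Name $Scope -ErrorAction Stop
New-VIPermission -Entity $entity -Principal $Principal -Role $role -Propagate:$true | Out-Null

# Emit the effective privilege list for the change record / review.
Get-VIRole -Name $RoleName | Select-Object -ExpandProperty PrivilegeList | Sort-Object

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Two checks worth doing after it runs: confirm the printed privilege list matches the list above and nothing more (a pre-existing role with the same name is reused as-is, so stale extra privileges would survive), and verify the service account can reach every datastore and network the Setup Wizard will use, since a permission set on one datacenter does not cover objects that live outside it.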