As a VMware administrator, I want to know the minimal privilege set required to migrate a virtual machine from VMware vCenter to OpenShift Virtualization, in order to create a role and limit security exposure.

According to Ming Xie, virt-v2v and ManageIQ documentations, and personal tests, the minimum set of privileges for vSphere 6 and 7 is:

• Datastore
  • Browse datastore
  • Low level file operations
• Host
  • Configuration
    • Connection
• Resource
  • Migrate powered off virtual machine
• Sessions
  • Validate session
• Virtual machine
  • Interaction
    • Guest operating system management by VIX API
    • Power on
    • Power off
  • Provisioning
    • Allow disk access
    • Allow read-only disk access
  • Snapshot management
    • Create snapshot
    • Remove snapshot

How to test

1. In vCenter, go to Administration > Access Control > Roles and clone the "Read Only" role into a new role named "Migration Toolkit for Virtualization" and set the listed permissions.
2. In vCenter, go to Administration > Single Sign On > Users and Groups and add a user named "mtv" in the "vsphere.local" domain.
3. In vCenter, go to Administration > Access Control > Global Permissions and add the "Migration Toolkit for Virtualization" role to the "VSPHERE.LOCAL\mtv" user. You need to check the "Propagate to children" box.
4. In MTV, create a VMware provider with the user account created at step 2.
5. Run the usual regression test suite.