Feature request: VMware vCenter role audit tool

A short blog about a missing feature in VMware vCenter and the vSphere client.
Implementing products and creating designs means I read product documentation to find the requirements. Some vendors have extensive requirements documents in which everything you need to configure is written down exactly. They make our lives easy.
Other vendors lack that documentation skill and just say “a role with administrative privileges”. I’m not sure what they expect me to do with that. I can’t ask the customer to give me all privileges on their VMware environment.
So again today I was creating a design document and reading through the vendor documents, noticing the same thing: no real information on what to configure for the roles in vCenter.
The security guys at the customer were freaking out (can’t blame them), because no one gets full access.

What am I missing?

I want to know what the service account I add to the VMware vCenter role is doing, so that I can tune the role to the purpose of the product. I can’t seem to find a way to do that in the product right now.
Of course you can see what is happening in the Tasks view and the Recent Tasks view in the vSphere client, but that list gets cleared, and I don’t want to scroll through it to see what the account has been doing.

Feature request

What I’m looking for is a way to do some sort of audit and hook it to a service account / role to see what tasks it is executing. Doing that, I can tune the environment so that no product or service account has too many privileges.
I see it as a new tab in the client where you attach to a service account (hook it, the way Spy Studio does) and log all the tasks it executes. After a while, let’s say a few days, you open the generated log and see the tasks nicely ordered.
Perhaps a report that runs at scheduled times would be an option…
I hear you thinking: couldn’t you miss some tasks that are rarely executed?
Yes, you could miss some, but if you let it run for days the chance of missing one is reduced, I think. Time would tell, of course.
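As an added example (not from this post or from VMware), here is the audit described above done outside the client: a script that counts the operations a service account has run over the observation window, flags the rarely seen ones that a short window may under-sample, and shows the pyVmomi task-history call that would feed it from a live vCenter. The account name svc-backup@vsphere.local, the task records and the collect_tasks helper are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records; the keys mirror vim.TaskInfo (descriptionId, entityName, completeTime).
SAMPLE_TASKS = [
    {"user": u, "descriptionId": op, "entityName": vm, "completeTime": datetime(2024, 3, d, h)}
    for u, op, vm, d, h in [
        ("svc-backup@vsphere.local", "VirtualMachine.createSnapshot", "app-vm-01", 1, 1),
        ("svc-backup@vsphere.local", "VirtualMachine.removeSnapshot", "app-vm-01", 1, 2),
        ("svc-backup@vsphere.local", "VirtualMachine.createSnapshot", "app-vm-02", 2, 1),
        ("svc-backup@vsphere.local", "VirtualMachine.removeSnapshot", "app-vm-02", 2, 2),
        ("svc-backup@vsphere.local", "VirtualMachine.reconfigure", "app-vm-02", 5, 2),
        ("administrator@vsphere.local", "VirtualMachine.powerOn", "app-vm-01", 2, 9),
    ]
]

def audit_account(records, user, since=None):
    """Count each operation (descriptionId) run by `user`, optionally only those completed after `since`."""
    counter = Counter()
    for rec in records:
        if rec["user"] == user and (since is None or rec["completeTime"] >= since):
            counter[rec["descriptionId"]] += 1
    return counter

def rare_operations(summary, max_count=1):
    """Operations seen at most `max_count` times: the ones a short observation window may under-sample."""
    return sorted(op for op, n in summary.items() if n <= max_count)

def collect_tasks(content, user, page_size=100):
    """Fetch the same records from a live vCenter with pyVmomi; not exercised offline.
    Assumes `content` is the ServiceContent from SmartConnect().RetrieveContent()."""
    from pyVmomi import vim  # assumption: pyVmomi is installed
    spec = vim.TaskFilterSpec()
    spec.userName = vim.TaskFilterSpec.ByUsername(userList=[user], systemUser=False)
    collector = content.taskManager.CreateCollectorForTasks(spec)
    records = []
    try:
        while True:
            page = collector.ReadNextTasks(page_size)
            if not page:
                break
            records.extend({"user": user, "descriptionId": t.descriptionId, "entityName": t.entityName,
                            "completeTime": t.completeTime} for t in page)
    finally:
        collector.DestroyCollector()  # release the server-side collector
    return records
```

The descriptionId values are the operation names vCenter records per task; the privileges each one needs still have to be looked up in the vSphere API reference when the role is built.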

Conclusion

I think this would be a great new feature, which would help not only with vendors providing poor documentation but also with making sure your datacenter is secure. Auditing of privileges should be a built-in feature; it is super important to know who is doing what. Service accounts are created for every product, and at a certain point, who has the overview?
VMware, surprise us with this feature if you can; I’ll bring the cake to celebrate 🙂
