Overview
This document provides step-by-step diagnostic and validation procedures to confirm that a newly created Read-Only vCenter service account possesses the required privileges to collect infrastructure inventory and performance metrics.
When deploying the Cloudamize inventory and data collection proxy, a dedicated service account with a Read-only role must be established within VMware vCenter. If the account is incorrectly configured or if explicit settings fail to cascade, Cloudamize will experience inventory collection errors, missing performance graphs, or authentication failures.
Follow the diagnostics below sequentially to establish complete functionality and isolate permission constraints from network-level communication blocks.
Prerequisite Check: Before beginning, ensure you have completed the basic user creation, role mapping, and root-level assignments documented in the primary Cloudamize vCenter Installation Guide.
Step 1: Direct Inventory Visibility & Login Validation
The primary baseline test checks if the account can properly log in and view the organizational hierarchy inside the vSphere infrastructure.
- Open a clean browser session (or Incognito window) and navigate to your vSphere Client / vCenter Login UI.
- Log in using the newly created read-only service account credentials.
  Note: If the account was provisioned locally within the internal vCenter directory, ensure you append the correct domain suffix (e.g., username@vsphere.local).
- Once authenticated, navigate through the main inventory tree on the left panel.
- Verify that you can expand and see the top-level vCenter Server, Datacenters, Clusters, ESXi Hosts, and individual Virtual Machines (VMs).
Failure Indicators for Step 1: If the login fails, re-verify the password or Active Directory/LDAP domain integrations. If the login succeeds but the entire inventory tree appears blank or invisible, proceed directly to Step 2 to resolve propagation settings.
Step 2: Verification of Privilege Propagation Settings
A common error occurs when the Read-only role is correctly assigned at the root vCenter object but does not propagate down to the child objects (datacenters, clusters, hosts and VMs).
- Log back into the vSphere Client using an administrative account (e.g., administrator@vsphere.local).
- Select the top-level vCenter Server object from the left-hand navigation inventory tree.
- Navigate to the main work panel and select the Permissions tab.
- Locate the newly created Cloudamize read-only user within the identity grid.
- Inspect and confirm the following parameters:
  - Role: Must read explicitly as Read-only.
  - Propagate: Must display as True (or contain an active checkmark, depending on your vSphere software version).
- If Propagate is currently set to False or disabled, the permission applies only to the root object itself, and the account will be rejected when it tries to read performance metrics from the nested hosts and virtual machines.
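The following is an added example, not Cloudamize's or VMware's code, that models the inheritance rules behind this check so the failure modes can be reasoned about without a live vCenter: a permission set directly on an object overrides what the object would inherit, and a permission reaches child objects only when Propagate is True. It also covers the case from Step 3 where a more restrictive custom role on a child object (here a cluster) overrides the inherited Read-only role. The inventory tree, the role table, the role ids, the principal name and the permission entries are all constructed sample data, shaped like what pyvmomi returns from `content.authorizationManager.RetrieveAllPermissions()` and `content.authorizationManager.roleList`; group membership is not modelled.

```python
"""Effective-permission check for a vSphere read-only service account.

Added example (not Cloudamize's or VMware's code). Models two vSphere rules:
  1. a permission assigned directly on an object overrides whatever the
     object would inherit from its parent;
  2. a permission reaches child objects only when Propagate is True; with
     Propagate False it applies to that one object only.
All data below is constructed sample data.
"""
from dataclasses import dataclass

# Privileges that the built-in Read-only role grants; an account missing any
# of them on an object cannot read that object's inventory or performance data.
REQUIRED_PRIVILEGES = {"System.Anonymous", "System.View", "System.Read"}

# Constructed role table (role ids are sample values).
ROLES = {
    -1: {"name": "Administrator",
         "privileges": {"System.Anonymous", "System.View", "System.Read", "Global.Settings"}},
    -2: {"name": "Read-only",
         "privileges": {"System.Anonymous", "System.View", "System.Read"}},
    1001: {"name": "Custom-ViewOnly",
           "privileges": {"System.Anonymous", "System.View"}},
}

# Constructed inventory: object -> parent object (None for the root).
INVENTORY = {
    "vcenter-root": None,
    "Datacenter-A": "vcenter-root",
    "Cluster-1": "Datacenter-A",
    "esx01": "Cluster-1",
    "esx02": "Cluster-1",
    "vm-web01": "esx01",
    "vm-db01": "esx02",
}

# Constructed principal in the DOMAIN\user form vCenter displays.
SERVICE_ACCOUNT = "VSPHERE.LOCAL\\svc-cloudamize"


@dataclass(frozen=True)
class Permission:
    entity: str      # inventory object the permission is set on
    principal: str   # user or group
    role_id: int
    propagate: bool  # the "Propagate to children" checkbox


def effective_role(permissions, entity, principal, inventory=INVENTORY):
    """Return the role id in force for principal on entity, or None.

    Walks from the object towards the root. A permission on the object itself
    wins outright; an ancestor's permission counts only if it propagates.
    """
    node = entity
    while node is not None:
        entry = next((p for p in permissions
                      if p.entity == node and p.principal == principal), None)
        if entry is not None and (node == entity or entry.propagate):
            return entry.role_id
        node = inventory[node]
    return None


def check_account(permissions, principal=SERVICE_ACCOUNT,
                  inventory=INVENTORY, roles=ROLES):
    """Map every inventory object to None (OK) or a description of the problem."""
    findings = {}
    for obj in inventory:
        role_id = effective_role(permissions, obj, principal, inventory)
        if role_id is None:
            findings[obj] = "no permission: object is invisible to the account"
            continue
        missing = REQUIRED_PRIVILEGES - roles[role_id]["privileges"]
        findings[obj] = (None if not missing else
                         f"role '{roles[role_id]['name']}' lacks {sorted(missing)}")
    return findings


# Three constructed configurations matching the cases in Steps 2 and 3.
CORRECT = [Permission("vcenter-root", SERVICE_ACCOUNT, -2, propagate=True)]
PROPAGATE_OFF = [Permission("vcenter-root", SERVICE_ACCOUNT, -2, propagate=False)]
CHILD_OVERRIDE = [Permission("vcenter-root", SERVICE_ACCOUNT, -2, propagate=True),
                  Permission("Cluster-1", SERVICE_ACCOUNT, 1001, propagate=True)]


def broken_objects(permissions):
    """Sorted list of inventory objects on which the account is not usable."""
    return sorted(obj for obj, problem in check_account(permissions).items() if problem)


if __name__ == "__main__":
    for label, perms in [("correct", CORRECT), ("propagate off", PROPAGATE_OFF),
                         ("custom role on cluster", CHILD_OVERRIDE)]:
        print(f"== {label}")
        for obj, problem in check_account(perms).items():
            print(f"  {obj:14} {problem or 'OK'}")
```

Running the block prints one table per configuration: with Propagate off only vcenter-root is usable, and with the custom role on Cluster-1 everything beneath the cluster loses System.Read even though the root assignment is correct. Against a real vCenter the same check would be fed from pyvmomi's `RetrieveAllPermissions()` entries, the `roleList` privileges, and each managed object's `parent` chain in place of the constructed dictionaries.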
Step 3: Advanced Performance Manager Metric Validation
Cloudamize depends on continuous queries to the vCenter Performance Manager. Merely reading structural metadata is insufficient; historical and live performance charts must be readable.
- Ensure you are viewing the vSphere Client while logged in as the Read-only user.
- Select an arbitrary, active ESXi host or Virtual Machine from the inventory tree.
- Select the Monitor tab on the tabbed navigation panel.
- Click into Performance and choose the Advanced view.
- Observe the rendering behavior. If historical and real-time graphs (including CPU utilization, Memory usage, Disk IOPS, and Network throughput) populate cleanly, the permission layer is functional.
Note: If you encounter error alerts indicating "You do not have permissions to view this object", or if the charts consistently fail to render while other system administrators can see them, the security profile has a custom constraint on that object or one of its parents that overrides the default Read-only permission scope.
If you still face any issues, please reach out to our Helpdesk team for further assistance at helpdesk@cloudamize.com.