As private cloud environments grow, manual administration becomes a significant reliability risk and a barrier to scaling. Adopting an API-driven model for VCF Fleet Management is essential for achieving operational excellence; it enables standardized operations, automated lifecycle management, and centralized governance across all VCF instances. By utilizing APIs or workflow automation through VCF Operations, organizations can significantly reduce human error and eliminate the operational dependency on individual operator accounts.
When adopting operational automation, it is critical to enforce the Principle of Least Privilege. Whether you are structuring access for an API Client (system-to-system) or an SSO User (manual API triggers), permissions must be scoped intentionally to align with specific job functions and support boundaries. By defining minimum access levels, platform engineers ensure that every API call—regardless of who or what initiates it—is appropriately constrained, auditable, and aligned with enterprise security standards.
[!TIP]
Key Reminder: API token permissions are inherited exclusively from the access levels assigned at the VCF fleet level. A token therefore carries exactly the privileges of the role its principal holds at the fleet level, so narrow the role, not the token.
Permissions for Fleet Management
The following JSON payload represents the required permissions structure for performing Fleet Management tasks via the VCF 9.1 APIs.
This example includes privileges for all core fleet management functions: Identity and Access Management (IAM), Certificate Management, Account and Password Management, Configuration Management, Fleet Settings and vSphere Tag Management. Additionally, it includes relevant permissions required to build end-to-end automation, such as tracking task status.
```json
{
  "userRoles": [
    {
      "privilegeKeys": [
        "vcf_certificates.view",
        "vcf_certificates.manage",
        "administration.fleetSettings.view",
        "administration.fleetSettings.manage",
        "vcf_password.view",
        "vcf_password.manage",
        "identity.management.view",
        "identity.management.manage",
        "configuration_drifts.view",
        "configuration_drifts.manage",
        "administration.api.read_access",
        "ops.administration.management_tasks.view",
        "ops.administration.management_tasks.manage",
        "tag_management.assignments",
        "tag_management.view",
        "tag_management.manage"
      ],
      "name": "fleetmgmt-admin",
      "description": ""
    }
  ]
}
```
While the list above is comprehensive, the Principle of Least Privilege dictates that you select only the privileges specific to your target function.
Identity Management:
identity.management.manage
identity.management.view
Certificate Management:
vcf_certificates.manage
vcf_certificates.view
Password Management:
vcf_password.manage
vcf_password.view
Fleet Settings (Password Policy, NTP and DNS included):
administration.fleetSettings.manage
administration.fleetSettings.view
If you need to enforce more granular access control, you can assign access at the sub-level instead:
administration.fleetSettings.password.manage
administration.fleetSettings.password.view
administration.fleetSettings.ntp.manage
administration.fleetSettings.ntp.view
administration.fleetSettings.dns.manage
administration.fleetSettings.dns.view
Config Management:
configuration_drifts.manage
configuration_drifts.view
Tag Management:
tag_management.assignments
tag_management.manage
tag_management.view
Task Tracking (always required):
ops.administration.management_tasks.manage
ops.administration.management_tasks.view
administration.api.read_access
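To turn the full payload and the per-function breakdown above into something a platform engineer can actually enforce, here is an added example (not code from this page, nor from Broadcom/VMware's VCF tooling). It composes a role payload in the shape shown above from a list of job functions, always folds in the task-tracking baseline, and audits an existing role for privileges its job function does not justify. The privilege keys are the ones listed on this page; the function names (`certificates`, `fleet_settings.ntp`, and so on), the helper names, the `read_only` option (which keeps only a function's `.view` keys) and the drifted `cert-rotator` role are this example's own assumptions. The payload is built and printed, not submitted to any endpoint.

```python
"""Build and audit least-privilege VCF 9.1 fleet-management role payloads.

Added example; not code from the page or from the VCF product. Privilege keys
are the ones the page lists. Function names, helper names and the sample
over-privileged role below are assumptions made for this example.
"""
import json

# Privilege keys per fleet-management job function, as listed on the page.
FUNCTION_PRIVILEGES = {
    "identity": ("identity.management.view", "identity.management.manage"),
    "certificates": ("vcf_certificates.view", "vcf_certificates.manage"),
    "passwords": ("vcf_password.view", "vcf_password.manage"),
    "fleet_settings": ("administration.fleetSettings.view",
                       "administration.fleetSettings.manage"),
    # Sub-level keys for when only one fleet setting is in scope.
    "fleet_settings.password": ("administration.fleetSettings.password.view",
                                "administration.fleetSettings.password.manage"),
    "fleet_settings.ntp": ("administration.fleetSettings.ntp.view",
                           "administration.fleetSettings.ntp.manage"),
    "fleet_settings.dns": ("administration.fleetSettings.dns.view",
                           "administration.fleetSettings.dns.manage"),
    "config": ("configuration_drifts.view", "configuration_drifts.manage"),
    "tags": ("tag_management.view", "tag_management.manage",
             "tag_management.assignments"),
}

# Task-tracking baseline the page marks as always required for automation.
TASK_TRACKING = (
    "administration.api.read_access",
    "ops.administration.management_tasks.view",
    "ops.administration.management_tasks.manage",
)


def privileges_for(functions, read_only=False):
    """Return the de-duplicated, sorted privilege list for the given functions.

    read_only keeps only each function's *.view keys (an assumption of this
    example for monitoring-only clients). The task-tracking baseline is always
    included because automation has to poll task status.
    """
    unknown = sorted(set(functions) - FUNCTION_PRIVILEGES.keys())
    if unknown:
        raise ValueError(f"unknown fleet-management function(s): {unknown}")
    keys = set(TASK_TRACKING)
    for function in functions:
        for key in FUNCTION_PRIVILEGES[function]:
            if read_only and not key.endswith(".view"):
                continue
            keys.add(key)
    return sorted(keys)


def build_role_payload(name, functions, read_only=False, description=""):
    """Build a userRoles payload in the shape the page shows."""
    return {
        "userRoles": [{
            "privilegeKeys": privileges_for(functions, read_only),
            "name": name,
            "description": description,
        }]
    }


def audit_role(payload, functions):
    """Compare an existing role payload with what its job functions justify.

    Returns (excess, missing): keys granted but not justified by the listed
    functions, and justified keys (baseline included) the role is missing.
    """
    granted = set()
    for role in payload["userRoles"]:
        granted.update(role["privilegeKeys"])
    expected = set(privileges_for(functions))
    return sorted(granted - expected), sorted(expected - granted)


if __name__ == "__main__":
    # A certificate-rotation client needs certificates plus task tracking only.
    print(json.dumps(build_role_payload("cert-rotator", ["certificates"]), indent=2))

    # Constructed drifted role: someone added password management and dropped
    # the API read access that task polling needs.
    drifted = {"userRoles": [{
        "name": "cert-rotator", "description": "",
        "privilegeKeys": ["vcf_certificates.view", "vcf_certificates.manage",
                          "vcf_password.manage",
                          "ops.administration.management_tasks.view",
                          "ops.administration.management_tasks.manage"]}]}
    excess, missing = audit_role(drifted, ["certificates"])
    print("excess:", excess)    # ['vcf_password.manage']
    print("missing:", missing)  # ['administration.api.read_access']
```

Running the audit on every role definition in source control before it is applied turns the least-privilege guidance above into a repeatable check: any `excess` entry is a privilege the role's stated function cannot account for, and any `missing` entry is a task-tracking key whose absence will break the automation that depends on the role.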
Restricting API access using custom, narrowly scoped roles is the cornerstone of securing modern private cloud automation. By utilizing these granular permissions, security and operations teams can empower developers with automated workflows without compromising the safety and compliance of the core infrastructure.