Least privilege access for Turbonomic to target VMware Horizon

Document created by vivek.nandavanam Expert on Sep 26, 2019Last modified by vivek.nandavanam Expert on Dec 2, 2019
Version 3Show Document
  • View in full screen mode

There are 2 types of Horizon user roles that can be assigned to a service account that is used to add the Horizon target in Turbonomic.

Discovery only mode

For this the least privilege access that is required to discovery and monitor the Horizon target is an Administrator (Read only) role that is available as a default role in the Administrator view.

Executing actions on the Horizon target

To move a user from one DesktopPool to another, Turbonomic removes the user entitlement from the source pool and adds the entitlement of the user to the destination pool. To do this, the login requires a role that includes the privilege, 'Entitle Desktop and Application pools'. To perform actions in Horizon, the user account for the Turbonomic target must have a role with this privilege, as well as the Administrator (Read only) role.


Here are some screenshots for creating a role with the 'Entitle Desktop and Application pools' privilege:

Creating new role with the privilege

Create new role with the privilege to 'Entitle Desktop and Application pools'


New role created

New role created


Adding permission to add the new role to the desired user

Add the permission for the new role that was created


Providing permission to the desired access group - Typically 'Root'

Select the access group - Typically 'Root'


New user created with the 2 roles

User with both roles

1 person found this helpful