From VMware vSphere vCenter Server Version 6 Security Technical Implementation Guide
Part of SRG-APP-000516
Associated with: CCI-000366
Least-privileges mitigate attacks if the Update Manager database account is compromised. The VMware Update Manager requires certain privileges for the database user in order to install, and the installer will automatically check for these. The privileges on the VUM database user must be reduced for normal operation.
Verify only the following permissions are allowed to the VUM database user. For Oracle DB normal operation, only the following permissions are required. grant connect to vumAdmin grant resource to vumAdmin grant create any job to vumAdmin grant create view to vumAdmin grant create any sequence to vumAdmin grant create any table to vumAdmin grant lock any table to vumAdmin grant create procedure to vumAdmin grant create type to vumAdmin grant execute on dbms_lock to vumAdmin grant unlimited tablespace to vumAdmin # To ensure space limitation is not an issue For SQL DB normal operation, make sure that the database user has either a sysadmin server role or the db_owner fixed database role on the Update Manager database and the MSDB database. The db_owner role on the MSDB database is required for installation and upgrade only. If the above vendor database-dependent permissions are not strictly adhered to, this is a finding.
For Oracle DB normal runtime operation, set the following permissions. grant connect to vumAdmin grant resource to vumAdmin grant create any job to vumAdmin grant create view to vumAdmin grant create any sequence to vumAdmin grant create any table to vumAdmin grant lock any table to vumAdmin grant create procedure to vumAdmin grant create type to vumAdmin grant execute on dbms_lock to vumAdmin grant unlimited tablespace to vumAdmin # To ensure space limitation is not an issue For SQL DB normal operation, make sure that the database user has either a sysadmin server role or the db_owner fixed database role on the Update Manager database and the MSDB database. The db_owner role on the MSDB database is required for installation and upgrade only. Note: While current, it is always best to check both the latest VMware Update Manager Administration Guide and the vendor database documentation for any updates to these configurations.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer