VMware HCX

Least-Privilege Role for Bulk Migrations Only

My goal is to create a custom role that:

• Only allows HCX bulk migration operations

• Prevents the user from performing any other actions in the vCenter (no VM editing, no inventory changes, no host management, etc.)

• The permission scope should ideally be:

  • Limited to the necessary objects (folders, datastores, networks, clusters) needed for migration

  • Does not allow anything beyond HCX operations

I am not asking if this is possible in theory - I need:

• A sample custom role definition

• Or a reference to a documented set of privileges that are required for this exact use case

• Best practices on how to scope this safely

The HCX user guide covers what permissions are required.

https://techdocs.broadcom.com/us/en/vmware-cis/hcx/vmware-hcx/4-11/vmware-hcx-user-guide-4-11/preparing-for-hcx-installations/user-account-and-role-requirements.html