The Common Information Model (CIM) system provides an interface that enables hardware-level management from remote applications using a set of standard APIs. To ensure that the CIM interface is secure, provide only the minimum access necessary to these applications. If an application has been provisioned with a root or full administrator account and the application is compromised, the full virtual environment might be compromised.

CIM is an open standard that defines a framework for agent-less, standards-based monitoring of hardware resources for ESXi. This framework consists of a CIM object manager, often called a CIM broker, and a set of CIM providers.

CIM providers are used as the mechanism to provide management access to device drivers and underlying hardware. Hardware vendors, including server manufacturers and specific hardware device vendors, can write providers to provide monitoring and management of their particular devices. VMware also writes providers that implement monitoring of server hardware, ESXi storage infrastructure, and virtualization-specific resources. These providers run inside the ESXi system and therefore are designed to be extremely lightweight and focused on specific management tasks. The CIM broker takes information from all CIM providers, and presents it to the outside world via standard APIs, the most common one being WS-MAN.

Do not provide root credentials to remote applications to access the CIM interface. Instead, create a service account specific to these applications and grant read-only access to CIM information to any local account defined on the ESXi system, as well as any role defined in vCenter Server.

1. Create a service account specific to CIM applications.

2. Grant read-only access to CIM information to any local account defined on the ESXi system, as well as any role defined in vCenter Server.

3. (Optional) If the application requires write access to the CIM interface, create a role to apply to the service account with only two privileges:

   Host.Config.SystemManagement
   Host.CIM.CIMInteraction

   This role can be local to the host or centrally defined on vCenter Server, depending on how the monitoring application works.

When a user logs into the host with the service account (for example, using the vSphere Client), the user has only the privileges SystemManagement and CIMInteraction, or read-only access.
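The procedure above as PowerCLI commands run against a single ESXi host, an added example that is not part of the VMware documentation. The host name, the account id "cim-svc" and the role name "CIM-Interaction" are assumptions; the two privilege ids are the ones listed in step 3.

```powershell
# Added example (not VMware's own code). Assumed values: host name,
# service account id, role name. Run from a PowerCLI session.
$hostName        = "esxi01.example.test"   # assumption: your ESXi host
$accountId       = "cim-svc"               # assumption: service account id
$roleName        = "CIM-Interaction"       # assumption: custom role name
$needsWriteAccess = $false                 # set $true only if the app needs step 3

# New-VMHostAccount only works when connected directly to the host,
# because local accounts live on the host, not in vCenter Server.
$admin = Get-Credential -Message "ESXi administrator credentials"
Connect-VIServer -Server $hostName -Credential $admin | Out-Null
$vmhost = Get-VMHost -Name $hostName

# Step 1: a dedicated local service account, never root.
$password = Read-Host -Prompt "Password for $accountId"
New-VMHostAccount -Id $accountId -Password $password -UserAccount `
    -Description "CIM monitoring service account" | Out-Null

if (-not $needsWriteAccess) {
    # Step 2: read-only access is enough for monitoring-only applications.
    $role = Get-VIRole -Name "ReadOnly"
} else {
    # Step 3: a custom role carrying only the two privileges named above.
    # vSphere adds the implicit System.* privileges to every role itself.
    $privs = Get-VIPrivilege -Id "Host.Config.SystemManagement", "Host.CIM.CIMInteraction"
    $role  = New-VIRole -Name $roleName -Privilege $privs
}

# Bind the account to the role on the host object only (no propagation
# to child objects, since CIM access is a host-level concern).
New-VIPermission -Entity $vmhost -Principal $accountId -Role $role `
    -Propagate $false | Out-Null

# Verify: the account should hold exactly the intended role and, for the
# custom role, only the two privileges plus the implicit System.* ones.
Get-VIPermission -Entity $vmhost -Principal $accountId |
    Select-Object Principal, Role, Propagate
if ($needsWriteAccess) {
    (Get-VIRole -Name $roleName).PrivilegeList
}

Disconnect-VIServer -Server $hostName -Confirm:$false
```

To define the role centrally instead, connect to vCenter Server, create the role there with the same `New-VIRole` call, and use a vCenter principal (for example a vCenter SSO or directory account) in `New-VIPermission`.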