faherne
commented
2 years ago To point you in the right direction for your issue - You can try adding the AD user to an SSO (vsphere.local) group. As far as I know, there is no SSO Read-Only group, but you could try the vsphere.local\AutoUpdate SSO group as a non-admin privileged group.
I am attempting to setup some reporting using the 'GET' commands in this module. When the commands required (Get-SsoGroup / Get-SsoPersonUser) are run with a 'read-only' level account, I get nothing back. There is no error generated, just a blank return. Administrator level account works fine, of course.
Administrator level account seems to be overkill for this use case. Equivalent commands against vCenter only require read-only for a similar pupose (eg: get-vipermission).
Does anyone know what the minimum permissions required for these commands would be? Or is there a tool that would assist to find out what permissions would be required?