Minimum Privilege Scan User Configuration OLVM
Overview
This document describes how to create a dedicated scan user account in Oracle Linux Virtualization Manager (OLVM) with the minimum privileges needed to execute the REST API calls that a compliance scan issues.
Requirement for PA Compliance Scan
The scan user must be able to log in to the OLVM engine and successfully execute REST API calls against it.
Privilege Level Requirements
Minimum Required Privilege: Login plus the built-in ReadOnlyAdmin role (read-only access)
Note: The compliance scan issues REST API requests using the HTTP GET method only. These requests read configuration and do not change it, so the scan user does NOT need the SuperUser or any other administrative role.
For read-only scanning, the user only needs to be able to log in and to hold the ReadOnlyAdmin role as a system permission; ReadOnlyAdmin permits viewing objects in the engine but not creating, modifying, or deleting them.
Create Scan User using CLI
NOTE: To create a scan user account with ovirt-aaa-jdbc-tool you need root access to the OLVM Manager (engine) host. The account is created in the internal authentication profile, so its login name is <username>@internal.
- Login to the OLVM Manager host as the root user.
- Add the user by running the following command (replace qualysscan with your desired name):
# ovirt-aaa-jdbc-tool user add qualysscan --attribute=firstName=Qualys --attribute=lastName=Scan
- Set the password for the new user. The tool prompts for the password interactively, so it is not left in the shell history; --password-valid-to sets the date after which the password expires and scans will start failing until it is reset:
# ovirt-aaa-jdbc-tool user password-reset qualysscan --password-valid-to="2026-12-31 23:59:59Z"
Add the User to the Administration Portal
- Open the OLVM Administration Portal in your browser.
- Navigate to Administration > Users > Select Add.
- In the Search field, enter the name of the user you just created and select Go.
- Select the user from the results and select Add.
Assign Roles and Permissions
- In the Administration Portal, go to Administration > Users.
- Select the above created username. Navigate to the Permissions tab, and select Add System Permission.
- Select ReadOnlyAdmin from Role to Assign. This built-in role grants read-only visibility of all objects in the engine, which is all the GET-based scan requires; do not assign SuperUser or any other administrative role.
- Select OK.
Verify User Privileges
To verify, log in as the newly created user and request an authentication token from the engine's SSO endpoint. The login name is <username>@internal (for example: qualysscan@internal); because the credentials are sent as a URL-encoded form body, the @ in the username must be written as %40 (curl's --data-urlencode option performs this encoding for you). Run the following curl command:
curl -k -s https://<OLVM-FQDN>/ovirt-engine/sso/oauth/token -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" --data "grant_type=password&scope=ovirt-app-api&username=qualysscan%40internal&password=<plaintext_password>"
Two cautions about this command: -k disables TLS certificate verification, so once you have the engine CA certificate prefer --cacert <engine-ca.pem> over -k; and a password given on the command line is visible in the shell history and the process list, so use a throwaway shell or read the password from a file for anything beyond a one-off check.
You should get output similar to the following (the token value below is illustrative; your token, scope list and expiry will differ):
{"access_token":"Ee10ipofUkakdakqoqq5SdH038uE8j77CZxQR0sUmZq5EixHWu5aCMKKfrAEO3Xv9npKDziondej_D07BSkw","scope":"ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access","exp":"1774991481000","token_type":"bearer"}
A successful response contains an access_token, a scope list that includes ovirt-app-api, token_type bearer and exp, the expiry time in milliseconds since the epoch. If the credentials are wrong or the account is locked or expired, the engine returns an error object (for example an access_denied error) instead of a token. Obtaining a token only proves the login works; to confirm the ReadOnlyAdmin assignment, send a GET request to a REST API resource such as https://<OLVM-FQDN>/ovirt-engine/api/vms with the header Authorization: Bearer <access_token> and check that it returns data rather than an authorization error.
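The following script is an added example, not part of the original page or of Qualys or Oracle tooling. It performs the same verification as the curl command, but in Python with only the standard library so that it can also be used as a pre-scan health check: it builds the form body (urlencode turns the @ in qualysscan@internal into %40 automatically), validates the engine's TLS certificate against a saved CA file instead of disabling verification, parses the token response, makes two read-only GET calls with the bearer token, and revokes the token afterwards. Assumptions not taken from the page: the engine CA is saved as ca.pem, the SAMPLE_TOKEN_RESPONSE constant is a constructed response with an invented token, the /ovirt-engine/sso/oauth/revoke endpoint and the product_info.version.full_version and vm JSON field names follow the oVirt engine's JSON representation, and the password is read with getpass so it never appears on the command line.

```python
"""Verify an OLVM scan user: obtain an SSO token and make read-only REST calls.

Added example, not part of the original page. Stand-alone, standard library only.
Assumptions (not from the page): engine CA saved as ca.pem; SAMPLE_TOKEN_RESPONSE is a
constructed response; the revoke endpoint and JSON field names follow the oVirt engine's
JSON representation.
"""
import getpass
import json
import ssl
import sys
import time
import urllib.parse
import urllib.request

SSO_TOKEN_PATH = "/ovirt-engine/sso/oauth/token"
SSO_REVOKE_PATH = "/ovirt-engine/sso/oauth/revoke"   # assumed oVirt SSO revoke endpoint
API_PATH = "/ovirt-engine/api"

# Constructed sample of a successful token response (same shape as on the page, values invented).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "EXAMPLE_TOKEN_VALUE",
    "scope": "ovirt-app-api ovirt-ext=token-info:validate",
    "exp": "1774991481000",
    "token_type": "bearer",
})


def token_request_body(username, password, profile="internal"):
    """Build the password-grant form body; urlencode escapes '@' as '%40' for us."""
    return urllib.parse.urlencode({
        "grant_type": "password",
        "scope": "ovirt-app-api",
        "username": f"{username}@{profile}",
        "password": password,
    })


def parse_token_response(body):
    """Parse the SSO JSON; raise if it is an error object or not a usable bearer token."""
    data = json.loads(body)
    if "access_token" not in data:
        # On failure the engine returns an error object instead of a token.
        raise PermissionError(data.get("error", "no access_token in response"))
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    return {
        "access_token": data["access_token"],
        "scopes": data["scope"].split(),
        "exp_ms": int(data["exp"]),   # expiry as milliseconds since the epoch (string in JSON)
    }


def token_is_valid(parsed, now_ms=None):
    """True if the token carries the API scope and has not expired at now_ms."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    return "ovirt-app-api" in parsed["scopes"] and parsed["exp_ms"] > now_ms


def _tls(cafile):
    # Verify the engine certificate against its CA rather than disabling verification (curl -k).
    return ssl.create_default_context(cafile=cafile)


def get_token(fqdn, username, password, cafile):
    req = urllib.request.Request(
        f"https://{fqdn}{SSO_TOKEN_PATH}",
        data=token_request_body(username, password).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, context=_tls(cafile)) as resp:
        return parse_token_response(resp.read().decode())


def api_get(fqdn, token, path, cafile):
    """Read-only GET against the REST API using the bearer token."""
    req = urllib.request.Request(
        f"https://{fqdn}{API_PATH}{path}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, context=_tls(cafile)) as resp:
        return json.loads(resp.read().decode())


def revoke_token(fqdn, token, cafile):
    body = urllib.parse.urlencode({"token": token, "scope": "ovirt-app-api"}).encode()
    req = urllib.request.Request(f"https://{fqdn}{SSO_REVOKE_PATH}", data=body, method="POST")
    with urllib.request.urlopen(req, context=_tls(cafile)) as resp:
        return resp.status


def verify_scan_user(fqdn, username, password, cafile="ca.pem"):
    """Token, then two GETs (the second needs ReadOnlyAdmin to return objects), then revoke."""
    tok = get_token(fqdn, username, password, cafile)
    if not token_is_valid(tok):
        raise RuntimeError("token lacks ovirt-app-api scope or is already expired")
    try:
        product = api_get(fqdn, tok["access_token"], "", cafile)       # engine product info
        vms = api_get(fqdn, tok["access_token"], "/vms", cafile)       # object list
        version = product.get("product_info", {}).get("version", {}).get("full_version")
        return {"engine_version": version, "vm_count": len(vms.get("vm", []))}
    finally:
        revoke_token(fqdn, tok["access_token"], cafile)


if __name__ == "__main__":
    # usage: python verify_scan_user.py <OLVM-FQDN> [username]
    user = sys.argv[2] if len(sys.argv) > 2 else "qualysscan"
    print(verify_scan_user(sys.argv[1], user, getpass.getpass(f"Password for {user}@internal: ")))
```

If the token call succeeds but the /vms call returns an HTTP 401 or 403 error, the login works but the ReadOnlyAdmin system permission has not been applied; an empty vm list with a 200 status means the permission is in place and the environment simply has no virtual machines visible.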