Objective 4.4 – Configure Access Control
Written by Matthijs van den Berg
Wednesday, 21 October 2009 00:32

Knowledge

  • Create/Modify user permissions in vCenter
    VMware vCenter has quite an advanced delegation-of-control system. It allows users to be created and access rights to be delegated per user or per group. When you manage a host using vCenter Server, only the privileges and roles assigned through the vCenter Server system are available. If you connect directly to the host using the vSphere Client, only the privileges and roles assigned directly on the host are available. You can also use your Active Directory users in vCenter. To create or modify user permissions, called Roles in vCenter, you can:
    • Open the vCenter client
    • In the navigation bar choose “Administration”, then “Roles”.
    • Right-click in the left “Name” pane and select “Add” or “Edit” to add or edit user roles.
    • You can edit the user permissions to your needs.
      Read more here on page 213.
  • Create/Modify user permissions in ESX Server
    The privileges and roles assigned on an ESX/ESXi host are separate from the privileges and roles assigned on a vCenter Server system. When you manage a host using vCenter Server, only the privileges and roles assigned through the vCenter Server system are available. If you connect directly to the host using the vSphere Client, only the privileges and roles assigned directly on the host are available.
    To edit local users and groups on an ESX host, connect your vCenter client directly to the ESX host instead of to the vCenter server (type the ESX hostname in the vCenter client connection box and log in as root or as a user created later). Then:
    • Select the ESX host
    • Select the tab “Users and Groups”
    • Right click to add or edit users
      Read more here on page 213.
  • Restrict access to vCenter inventory objects
    The users, groups, roles and rights policy in vCenter is quite advanced. You can create a role that specifies what users / groups in that role are allowed to do, add a user group to this role and connect that user group to an inventory object in vCenter.
    For example, if you would like your R&D department to access only the VMs in the folder R&D, you attach the R&D user group (which can be the same user group that you use in your Active Directory!) to that folder. By applying a Role to the users you control what those users are allowed to do within that folder. This allows for granular user and object access. To attach a role to an object:
    • Select the object you would like to apply the user rights on
    • Go to the tab Permissions
    • Right-click and select “Add”
    • Select the role you would like to assign in the right pane
    • Select the local or AD user / user group you would like to assign
    • Optionally, deselect the “Propagate to Child Objects” check box if you need user rights only on the object and not on underlying objects.
  • Define vCenter predefined roles and their privileges
    vSphere comes standard with a number of preconfigured security roles. Users can be added to these standard roles to quickly give them predefined privileges. The standard roles within vCenter are:
  • Create/Clone Edit roles
    The roles we have been talking about earlier can be modified and new roles can be added. To do so:
    • Use the navigation bar to go to “Administration”, “Roles”
    • Right click a role to edit or add
  • Assign roles to users and groups
    To assign users to a role, you need an object on which the users and roles are assigned. If you would like to give users certain permissions on the whole infrastructure, select the highest level in the vCenter hierarchy. To add users and roles:
    • Select the tab “Permission”
    • Right click and select “Add Permission…”
    • Add a user or group and select the appropriate Role.
  • Describe how privileges propagate
    When a Role and user are assigned to an object, these users and roles propagate to the underlying objects. For example: you have a resource pool, and within this resource pool multiple VMs and other resource pools are present. When you assign a permission on the resource pool, all those VMs and resource pools inherit the same policy. This is the default behavior. To disable this propagation, clear the check box “Propagate to Child Objects” in the assign permissions screen.
  • Understand permissions as applied to user and group combinations
    You can assign the same permissions to groups and to individual users. Those users and groups can have different roles on different objects within your vSphere environment. So one user can sometimes be part of a group and sometimes have permissions assigned to the individual user. This can make the permissions part VERY COMPLEX! So be conservative with user rights. Personally I never assign rights to individual users, but always use groups, preferably groups that also exist in the Active Directory (if one is present).
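    To make the propagation and user/group precedence rules above concrete, here is a small Python model of how vCenter resolves the effective privileges of a user on an inventory object. It is an added illustration, not VMware code; the roles, privilege names, inventory tree, users and groups are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample roles: role name -> set of privilege ids (vSphere-style names)
ROLES = {
    "Administrator": {"System.View", "VirtualMachine.PowerOps", "VirtualMachine.Config", "Folder.Create"},
    "VM Power User": {"System.View", "VirtualMachine.PowerOps", "VirtualMachine.Config"},
    "Folder Admin": {"System.View", "Folder.Create"},
    "Read-only": {"System.View"},
    "No Access": set(),
}

@dataclass
class Permission:            # one row of the "Permissions" tab
    principal: str           # "user:<name>" or "group:<name>"
    role: str
    propagate: bool = True   # the "Propagate to Child Objects" check box

@dataclass
class InvObject:             # an inventory object (root, folder, VM, ...)
    name: str
    parent: "InvObject | None" = None
    permissions: list = field(default_factory=list)

def effective_privileges(obj, user, groups):
    """Resolve the privileges `user` (member of `groups`) holds on `obj`.
    Walks from obj towards the root; the nearest object carrying an
    applicable permission decides (child overrides parent)."""
    node, depth = obj, 0
    while node is not None:
        # a non-propagating permission only counts on the object it sits on
        applicable = [p for p in node.permissions if depth == 0 or p.propagate]
        mine = [p for p in applicable if p.principal == f"user:{user}"]
        if mine:   # a user-specific permission beats any group permission here
            return set(ROLES[mine[0].role])
        ours = [p for p in applicable if p.principal in {f"group:{g}" for g in groups}]
        if ours:   # several group permissions on one object: union of their roles
            return set().union(*(ROLES[p.role] for p in ours))
        node, depth = node.parent, depth + 1
    return set()   # no permission anywhere on the path: no access

# Constructed inventory: root -> folder "R&D" -> two VMs
root = InvObject("vCenter", permissions=[Permission("group:R&D", "Read-only")])
rnd = InvObject("R&D", root, [Permission("group:R&D", "VM Power User"),
                              Permission("group:Ops", "Folder Admin", propagate=False)])
build01 = InvObject("build-01", rnd, [Permission("user:alice", "No Access")])
build02 = InvObject("build-02", rnd)
```

    Alice, a member of R&D, gets VM Power User on the folder and on build-02 but nothing on build-01, where the user-specific No Access row overrides the group; Carol, in both R&D and Ops, gets the union of both roles on the folder only, because the Ops row does not propagate.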