Objective 4.4 – Configure Access Control
Create/Modify user permissions in vCenter
Permissions within vCenter have three components: an Active Directory or local user or group, a vCenter role and a vCenter object.
The users and groups can be domain or local, depending on the vCenter server's domain membership. A role defines the privileges that are granted to a specific user or group against an object, and the vCenter objects are:
- Virtual Machine
- Resource Pool
- Template Virtual Machine
- Standard and distributed vNetwork switches
To create a permission connect to vCenter using the vSphere client.
UI: Inventory > [Depends where you’re applying the permission e.g. Hosts and Clusters] > [Again depends on the object e.g. cluster object] > permissions tab > right click add permission… > add users or group to the left hand pane > assign their role from the right hand pane > choose whether to propagate > ok
Create/Modify user permissions in ESX Server
The permissions structure is the same as above, but the users and groups are now local to the ESX/ESXi host.
To create a permission, connect to the ESX/ESXi host directly using the vSphere client. NOTE: if lockdown mode is enabled it will not be possible to connect directly to the ESXi host.
UI: Inventory > Object > Permissions tab > right click add permission… > add users or group to the left hand pane > assign their role from the right hand pane > choose whether to propagate > ok
Permissions assigned on an ESX/ESXi host apply to that host only; if you apply a permission to a virtual machine on host one and it is then placed on host two, the permission will no longer apply.
Restrict access to vCenter inventory objects
When assigning permissions to objects in vCenter, apply least privilege: create roles that allow only the specific privileges needed, and use the No Access role to completely remove access to specific objects. Remember that the lower down the hierarchy a permission is assigned, the higher precedence it has when permissions are evaluated. Also note that explicitly defined permissions override inherited permissions.
Define vCenter predefined roles and their privileges
There are three built-in roles: No Access, Read-Only and Administrator. The No Access role is self-explanatory: users assigned this role cannot view or change objects.
The Read-Only role allows assigned users to view the details and state of inventory objects; note that this role cannot view the Console tab.
The Administrator role grants assigned users all privileges over all objects.
These predefined roles cannot be modified or deleted.
Create/Clone/Edit roles
Roles can be created from scratch or cloned from an existing role; you create additional roles to define custom sets of privileges. Roles can only be created by a vCenter administrator; by default, local and domain admins (if applicable) are members of this role.
UI: Administration > Roles > Right click Add… or highlight an existing role Right click clone
Assign roles to users and groups
Users or groups are assigned to roles using the Add Permission wizard, as described under Create/Modify user permissions in vCenter.
Describe how privileges propagate
The Add Permission wizard propagates to all child objects by default, so every object inherits the permissions defined at the top level unless explicit permissions have been defined lower down.
Understand permissions as applied to user and group combinations
If a user is a member of two or more groups, those groups have different roles in vCenter, and those roles have permissions defined on the same object, then the user's effective permissions will be the combination of both roles' privileges.
If an object has both a user permission and a group permission assigned and the user is a member of that group, then the user permission takes precedence.
Explicit permissions always override inherited permissions.
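The precedence rules in these notes (nearest object wins, explicit beats inherited, user beats group, groups on the same object combine, and the propagate checkbox) are easiest to check by working through an inventory. The following Python model is an added example and not VMware code or part of the original notes: the inventory tree, the users, the groups and the two custom roles are constructed for illustration, and the privilege names merely mimic the style of vSphere's privilege identifiers.

```python
# Added illustration of vCenter permission evaluation, not VMware code.
# The inventory, principals, custom roles and privilege names below are
# constructed for the example; only the three built-in role names are real.
from dataclasses import dataclass, field
from typing import Optional

ROLES = {
    # the three built-in roles
    "No access": frozenset(),
    "Read-only": frozenset({"System.View", "System.Read"}),
    "Administrator": frozenset({"System.View", "System.Read",
                                "VirtualMachine.Interact.PowerOn",
                                "VirtualMachine.Interact.PowerOff",
                                "VirtualMachine.Interact.ConsoleInteract"}),
    # constructed custom roles of the least-privilege kind the notes recommend
    "VM power operator": frozenset({"System.View", "System.Read",
                                    "VirtualMachine.Interact.PowerOn",
                                    "VirtualMachine.Interact.PowerOff"}),
    "VM console user": frozenset({"System.View", "System.Read",
                                  "VirtualMachine.Interact.ConsoleInteract"}),
}


@dataclass(frozen=True)
class Permission:
    principal: str          # user or group name
    is_group: bool
    role: str               # key into ROLES
    propagate: bool = True  # the "propagate to child objects" checkbox


@dataclass
class Node:
    """One inventory object (datacenter, cluster, VM, ...) with its parent."""
    name: str
    parent: Optional["Node"] = None
    permissions: list = field(default_factory=list)

    def grant(self, principal, role, *, group=False, propagate=True):
        self.permissions.append(Permission(principal, group, role, propagate))
        return self


def _matching(node, user, groups):
    """Permissions on node that name the user directly or one of the user's groups."""
    return [p for p in node.permissions
            if (not p.is_group and p.principal == user)
            or (p.is_group and p.principal in groups)]


def effective_privileges(obj, user, groups):
    """Resolve the privileges `user` (member of `groups`) holds on `obj`.

    Walk from the object towards the root and stop at the first level that has
    a matching permission: explicit beats inherited, and a nearer ancestor beats
    a more distant one.  At that level a permission naming the user wins over
    group permissions; if only group permissions exist their roles are combined.
    No matching permission anywhere means no access.
    """
    node, explicit = obj, True
    while node is not None:
        perms = _matching(node, user, groups)
        if not explicit:  # inherited permissions only apply if they propagate
            perms = [p for p in perms if p.propagate]
        if perms:
            direct = [p for p in perms if not p.is_group]
            winners = direct if direct else perms
            return frozenset().union(*(ROLES[p.role] for p in winners))
        node, explicit = node.parent, False
    return frozenset()


def build_inventory():
    """A constructed inventory: vCenter > DC1 > Cluster1 > {web01, db01}."""
    root = Node("vCenter").grant("vc-admins", "Administrator", group=True)
    dc = Node("DC1", root).grant("dave", "Read-only", propagate=False)
    cluster = Node("Cluster1", dc)
    cluster.grant("ops", "VM power operator", group=True)
    cluster.grant("helpdesk", "VM console user", group=True)
    web01 = Node("web01", cluster).grant("bob", "Read-only")
    db01 = Node("db01", cluster).grant("ops", "No access", group=True)
    return {n.name: n for n in (root, dc, cluster, web01, db01)}


INVENTORY = build_inventory()

if __name__ == "__main__":
    cases = [("alice", {"vc-admins"}), ("bob", {"ops", "helpdesk"}),
             ("dave", set()), ("carol", set())]
    for user, groups in cases:
        for name, node in INVENTORY.items():
            privs = sorted(effective_privileges(node, user, groups))
            print(f"{user:6} on {name:9}: {privs or 'no access'}")
```

Running the script prints the effective privileges of each constructed user on each object: alice gets Administrator everywhere through the propagating vc-admins permission at the root; bob gets the union of the ops and helpdesk roles on Cluster1, only Read-Only on web01 because his user permission there overrides the inherited group ones, and nothing on db01 because the explicit No Access for ops beats the propagated helpdesk permission; dave sees DC1 but not Cluster1 because his permission was granted without propagation; carol, who holds no permission anywhere, has no access.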