Objective 1.1: Configure and Administer Role-based Access Control

Identify common vCenter Server privileges and roles

Roles are sets of privileges (actions) that can be performed on objects. There are three types of roles: system roles, sample roles and custom-built roles.

System Roles

Administrator

Read-only

No access

Sample Roles

The sample roles are loaded by default and their names end with "(sample)". These include:

Resource pool administrator (sample)

Virtual machine user (sample)

Content library administrator (sample)

VMware Consolidated Backup user (sample)

Datastore consumer (sample)

Network administrator (sample)

Virtual machine power user (sample)

Custom Role

These roles are created by the administrator.

Describe how permissions are applied and inherited in vCenter Server

Objects are entities on which actions are performed. Objects include datacenters, folders, clusters, hosts, VMs, switches, datastores, etc. Permissions are assigned to objects on each object's Permissions tab.

Users and groups are assigned permissions on an object using roles. If the "Propagate to children" check box is deselected, the permission is assigned at that object only. If it is checked, the permission flows down to the child objects.

These propagated permissions can be overridden further down the tree by assigning a permission on a child object to the same user or group. If a user is a member of multiple groups that are assigned different permissions at the same object level, the union of those permissions applies. If a user is a member of multiple groups whose permissions are applied at different object levels, the permissions set higher in the tree are overridden by the permissions set lower in the tree. Finally, if a user is a member of multiple groups assigned different permissions AND the user account itself is assigned a permission at the same level, the permission assigned to the user account prevails.
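The precedence rules above can be worked through on a small inventory tree. The following is an added model written for this page, not VMware code: it walks from the object up to the root and applies, in order, the propagation check, the explicit-user-beats-group rule and the union-of-groups rule, so that the nearest level with a matching permission decides. The roles, privilege names, tree and principals are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role -> privilege mapping, loosely modelled on the roles listed above.
ROLES = {
    "Administrator": {"VM.PowerOn", "VM.PowerOff", "VM.Delete", "Datastore.Browse"},
    "Virtual machine power user": {"VM.PowerOn", "VM.PowerOff"},
    "Datastore consumer": {"Datastore.Browse"},
    "Read-only": set(),
    "No access": set(),
}

@dataclass
class Permission:
    principal: str      # user or group name
    is_group: bool
    role: str
    propagate: bool     # the "Propagate to children" check box

@dataclass
class InvObject:
    name: str
    parent: "InvObject | None" = None
    permissions: list = field(default_factory=list)

def effective_privileges(obj, user, groups):
    """Privileges `user` (member of `groups`) holds on `obj`, per the rules above."""
    node, depth = obj, 0
    while node is not None:
        # A permission set on the object itself always counts; one set on an
        # ancestor counts only if "Propagate to children" was ticked.
        here = [p for p in node.permissions if depth == 0 or p.propagate]
        user_perms = [p for p in here if not p.is_group and p.principal == user]
        group_perms = [p for p in here if p.is_group and p.principal in groups]
        if user_perms:   # explicit user permission beats group permissions at this level
            return set().union(*(ROLES[p.role] for p in user_perms))
        if group_perms:  # several groups at the same level: union of their privileges
            return set().union(*(ROLES[p.role] for p in group_perms))
        node, depth = node.parent, depth + 1   # nothing here: the nearest ancestor decides
    return set()

# Constructed inventory: Datacenter > Cluster > VM
dc = InvObject("Datacenter", permissions=[
    Permission("ops", True, "Administrator", True),
    Permission("audit", True, "Datastore consumer", False),
])
cluster = InvObject("Cluster", dc, [
    Permission("ops", True, "Read-only", True),
    Permission("backup", True, "Datastore consumer", True),
])
vm = InvObject("VM", cluster, [Permission("alice", False, "Virtual machine power user", True)])
```

With this tree, a member of "ops" who is an Administrator at the datacenter is reduced to Read-only on the cluster and everything below it, which is the behaviour to check for when auditing who can actually act on a VM.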

Global permissions are new to vSphere 6 and allow you to assign permission to a solution (vCenter) at a root level (top level).

View/Sort/Export user and group lists

You can view, sort, and export lists of ESX users and groups to a file that is in HTML, XML, Microsoft Excel, or CSV format.

Using the VMware vCenter Web Client, you can view the users or groups that have been granted permissions on an object. From the vCenter Web Client, select a given object, click Manage in the action pane, then select the Permissions tab.
Clicking a column header sorts the list by that column, and clicking the icon in the bottom right-hand corner gives you the option of exporting the list of assigned permissions.

Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects

To remove or modify permissions on an inventory object, follow these steps:

  • Select the object in the vCenter object hierarchy to which you want to Remove or Modify the permissions.
  • Click Manage in the action pane and select the Permissions tab
  • To Modify an existing permission, highlight the user or group and click the Pencil icon. Make the necessary changes
  • To Remove an existing permission, highlight the user or group and click the Red X icon

Create/Clone/Edit vCenter Server Roles

Cloning an existing vCenter Server role allows you to create a copy of the role and provide a new/different name to the role. Cloning a role is as easy as:

  • From the Home screen in the vSphere Web client, select Roles under Administration
  • Select the role you want to Clone and click the Clone Role Action icon
  • Provide a new name for the cloned role
  • Change or modify privileges assigned to the role
  • Click OK when complete

To Edit a role complete the following:

  • From the Home screen in the vSphere Web client, select Roles under Administration
  • Select the role you want to Edit and click the Pencil icon
  • Change or modify privileges assigned to the role
  • Click OK when complete

Determine the correct roles/privileges needed to integrate vCenter Server with other VMware products

Global permissions are applied to a global root object that spans solutions, for example, both vCenter Server and vCenter Orchestrator. Use global permissions to give a user or group privileges for all objects in all object hierarchies.

Determine the appropriate set of privileges for common tasks in vCenter Server
