VCP 6 Objective 1.1 – Configure & Administer Role-Based Access Control

For this objective I used the following resources:

  • vSphere Security Guide

Objective 1.1 – Configure & Administer Role-Based Access Control

Knowledge

Identify Common vCenter Server Privileges and Roles

For access and authentication, VMware leverages the concept of roles and privileges. A role in VMware is a grouping of privileges that can be assigned to an object, and users or groups are associated with that role. In vSphere there are four types of permissions that can be leveraged:

  • vCenter Server Permissions – The permission model for vCenter Server systems relies on assigning permissions to objects in the object hierarchy of that vCenter Server. Each permission gives one user or group a set of privileges, that is, a role for a selected object. For example, you can select an ESXi host and assign a role to a group of users to give those users the corresponding privileges on that host.
  • Global Permissions – Global permissions are applied to a global root object that spans solutions. For example, if both vCenter Server and vCenter Orchestrator are installed, you can give permissions to all objects in both object hierarchies using global permissions.
  • Group Membership in vSphere.local Groups – The user administrator@vsphere.local can perform tasks that are associated with services included with the Platform Services Controller. In addition, members of a vsphere.local group can perform the corresponding task. For example, you can perform license management if you are a member of the LicenseService.Administrators group.
  • ESXi Local Host Permissions – If you are managing a standalone ESXi host that is not managed by a vCenter Server system, you can assign one of the predefined roles to users.

Out of the box, VMware vCenter provides several default system roles (which cannot be deleted or modified) as well as several sample roles (which can be deleted and modified):

  • Administrator
  • Read-Only
  • No Access
  • Tagging Admin
  • Resource Pool Administrator (sample)
  • Virtual Machine User (sample)
  • VMware Consolidated Backup User (sample)
  • Datastore Consumer (sample)
  • Network Administrator (sample)
  • Virtual Machine Power User (sample)
  • Content Library Administrator (sample)

Describe How Permissions are Applied and Inherited in vCenter Server

Permissions are assigned in VMware vCenter by associating a role (a grouping of privileges) with an object in the vCenter hierarchy, for example a datastore or a particular virtual machine. vCenter leverages an identity source (typically Active Directory) defined in vCenter Single Sign-On to authenticate users or groups.

vSphere_Permissions

Picture Provided by VMware

To assign permissions to an object, you follow these steps:

  • Select the object in the vCenter object hierarchy to which you want to apply the permission.
  • Right click on the object and select Add Permission
  • Select the specified role from the drop down list and select Add under the Users and Groups section
  • Add the required users or groups and click OK

In the example below I have added the Lab\Domain Admins group with the Administrator role to my vCenter ESXi6 cluster object:

Add_Permissions

VMware vCenter permissions are hierarchical, meaning permissions flow down from a parent object to its child objects. Propagation of permissions is enabled by default, but can be turned off by clearing the Propagate to children check box:

Propagate_Permissions

If a user belongs to multiple groups that have been assigned permissions on the same vCenter object, his/her effective permissions will be the combination (union) of both permission sets.
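The Add Permission steps and the propagation behaviour described above, as an added PowerCLI example that is not part of the original post. It assumes VMware PowerCLI is installed, that you connect with administrator rights to the post's vCenter vc02.lab.local, and that the cluster is named ESXi6; the LAB\Auditors group is a hypothetical principal used only to show a non-propagating grant. The inherited-permission check goes through the vSphere API's AuthorizationManager (RetrieveEntityPermissions) via Get-View, because Get-VIPermission reports what is defined on an object rather than what a child inherits.

```powershell
# Added example, not from the original post.
# Assumes: VMware PowerCLI installed, administrator credentials for vc02.lab.local
# (the vCenter in the post), a cluster named ESXi6, and an AD group LAB\Auditors
# (hypothetical) used to demonstrate a non-propagating permission.
Connect-VIServer -Server vc02.lab.local | Out-Null

$cluster = Get-Cluster -Name 'ESXi6'

# System roles appear under their API names in PowerCLI: "Administrator" is
# 'Admin', "Read-Only" is 'ReadOnly' and "No Access" is 'NoAccess'.
$adminRole = Get-VIRole -Name 'Admin'
$readOnly  = Get-VIRole -Name 'ReadOnly'

# Equivalent of the Add Permission steps: Domain Admins get Administrator on the
# cluster and, because Propagate is true (the default in the web client), on every
# host, resource pool and VM beneath it.
New-VIPermission -Entity $cluster -Principal 'LAB\Domain Admins' `
                 -Role $adminRole -Propagate:$true | Out-Null

# Clearing "Propagate to children" in the web client is -Propagate:$false here:
# the auditors can see the cluster object itself but inherit nothing below it.
New-VIPermission -Entity $cluster -Principal 'LAB\Auditors' `
                 -Role $readOnly -Propagate:$false | Out-Null

# Permissions defined directly on the cluster object.
Get-VIPermission -Entity $cluster |
    Format-Table Principal, Role, Propagate, IsGroup -AutoSize

# Verify inheritance on a child host by asking the AuthorizationManager for the
# permissions that apply to the entity including inherited ones (inherited = $true).
function Get-InheritedPermission {
    param([Parameter(Mandatory)] $Entity)
    $si      = Get-View ServiceInstance
    $authMgr = Get-View -Id $si.Content.AuthorizationManager
    # Map role IDs to role names for readable output.
    $roles = @{}
    foreach ($r in $authMgr.RoleList) { $roles[$r.RoleId] = $r.Name }
    $authMgr.RetrieveEntityPermissions($Entity.ExtensionData.MoRef, $true) |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.Principal
                Role      = $roles[$_.RoleId]
                Propagate = $_.Propagate
                # Defined on this object, or inherited from an ancestor?
                Inherited = ($_.Entity.Value -ne $Entity.ExtensionData.MoRef.Value)
            }
        }
}

$firstHost = $cluster | Get-VMHost | Select-Object -First 1
# Expect Domain Admins with Inherited = True, and no Auditors entry, because that
# grant stopped at the cluster object.
Get-InheritedPermission -Entity $firstHost | Format-Table -AutoSize
```

When one user belongs to both groups, vCenter grants that user the union of the two roles' privileges on the cluster object; comparing `Get-VIPrivilege -Role $adminRole` with `Get-VIPrivilege -Role $readOnly` shows exactly which privileges the combined set contains.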

View/Sort/Export User and Group Lists

Using the VMware vCenter Web Client, you can view the users or groups that have been granted permissions on an object. From the vCenter Web Client, select a given object, click on Manage in the action pane, then select the Permissions tab. The example below displays the permissions at the root of my vCenter, VC02.lab.local:

Manage_Permissions

Clicking on a column header sorts the list by that column, and by clicking in the bottom right-hand corner you have the option of exporting the list of assigned permissions. You can either export all or selected permissions to a .CSV file or copy them to your clipboard:

Export_Sort_Permissions
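The same view, sort and export as the web client offers, as an added PowerCLI example that is not part of the original post, plus the review step an administrator usually wants next: which Administrator grants propagate, and which principals hold Administrator at the inventory root. It assumes PowerCLI and an administrator session to vc02.lab.local; the CSV path is arbitrary.

```powershell
# Added example, not from the original post. Assumes PowerCLI and an administrator
# session to vc02.lab.local; the output path is arbitrary.
Connect-VIServer -Server vc02.lab.local | Out-Null

# Every permission on every inventory object, flattened to plain columns so it
# sorts and exports cleanly (Entity is an object in the raw output; EntityId looks
# like 'ClusterComputeResource-domain-c7', so its first segment is the object type).
$perms = Get-VIPermission | Select-Object `
    @{Name = 'Entity';     Expression = { $_.Entity.Name }},
    @{Name = 'EntityType'; Expression = { ($_.EntityId -split '-')[0] }},
    Principal, IsGroup, Role, Propagate

# Same as clicking a column header in the web client, sorted by object then principal.
$sorted = $perms | Sort-Object Entity, Principal
$sorted | Format-Table -AutoSize

# Same as the "export all" option, written to CSV for review or ticketing.
$sorted | Export-Csv -Path .\vc02-permissions.csv -NoTypeInformation

# Review pass the web client will not do for you. Administrator grants that
# propagate reach every child object, and grants to groups follow whatever
# membership changes happen later in Active Directory, so these deserve a look.
$propagatingAdmins = $perms | Where-Object {
    $_.Role -eq 'Admin' -and $_.Propagate -and $_.IsGroup
}
"Groups holding propagating Administrator:"
$propagatingAdmins | Format-Table Entity, EntityType, Principal -AutoSize

# Administrator at the root folder ("Datacenters") covers the whole inventory.
$root = Get-Folder -NoRecursion
$rootAdmins = $perms | Where-Object { $_.Entity -eq $root.Name -and $_.Role -eq 'Admin' }
"Administrator at inventory root: {0}" -f ($rootAdmins.Principal -join ', ')
```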

Add/Modify/Remove Permissions for Users and Groups on vCenter Server Inventory Objects

To remove or modify permissions on an inventory object, follow these steps:

  • Select the object in the vCenter object hierarchy to which you want to Remove or Modify the permissions.
  • Click Manage in the action pane and select the Permissions tab
  • To Modify an existing permission, highlight the user or group and click the Pencil icon. Make the necessary changes
  • To Remove an existing permission, highlight the user or group and click the Red X icon

Modify_Remove_Permission
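The modify and remove steps above, as an added PowerCLI example that is not part of the original post. It assumes PowerCLI, an administrator session to vc02.lab.local, and the ESXi6 cluster from the post; the LAB\Auditors and LAB\Temp-Admins groups and the vc-backup VM name are hypothetical. It also shows the carve-out case that the pencil icon alone cannot express: a permission set on a child object overrides what propagates from its parent.

```powershell
# Added example, not from the original post. Assumes PowerCLI, an administrator
# session to vc02.lab.local and the ESXi6 cluster; the LAB\Auditors and
# LAB\Temp-Admins groups and the 'vc-backup' VM are hypothetical.
Connect-VIServer -Server vc02.lab.local | Out-Null
$cluster = Get-Cluster -Name 'ESXi6'

# Modify (the pencil icon): fetch the existing permission and change its role and
# propagation in place; the principal stays the same.
$auditPerm = Get-VIPermission -Entity $cluster -Principal 'LAB\Auditors'
Set-VIPermission -Permission $auditPerm -Role (Get-VIRole -Name 'ReadOnly') `
                 -Propagate:$true | Out-Null

# A permission defined on a child object overrides the one propagated from the
# parent, so a No Access grant on one sensitive VM removes it from the auditors'
# read access without touching the cluster-level permission.
$sensitiveVm = Get-VM -Name 'vc-backup'
New-VIPermission -Entity $sensitiveVm -Principal 'LAB\Auditors' `
                 -Role (Get-VIRole -Name 'NoAccess') -Propagate:$true | Out-Null

# Remove (the red X): drop a stale grant. Remove-VIPermission prompts by default;
# -Confirm:$false suppresses the prompt for scripted cleanup.
Get-VIPermission -Entity $cluster -Principal 'LAB\Temp-Admins' |
    Remove-VIPermission -Confirm:$false

# Confirm the result on both objects.
Get-VIPermission -Entity $cluster     | Format-Table Principal, Role, Propagate -AutoSize
Get-VIPermission -Entity $sensitiveVm | Format-Table Principal, Role, Propagate -AutoSize
```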

Create/Clone/Edit vCenter Server Roles

Cloning an existing vCenter Server role creates a copy of that role under a new name, which you can then adjust. To clone a role, complete the following:

  • From the Home screen in the vSphere Web client, select Roles under Administration
  • Select the role you want to Clone and click the Clone Role Action icon
  • Provide a new name for the cloned role
  • Change or modify privileges assigned to the role
  • Click OK when complete

Clone_Role

To Edit a vCenter Server role complete the following:

  • From the Home screen in the vSphere Web client, select Roles under Administration
  • Select the role you want to Edit and click the Pencil icon
  • Change or modify privileges assigned to the role
  • Click OK when complete

Edit_Role
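The role inventory from the start of the post (system roles versus sample roles) together with the clone and edit procedures above, as one added PowerCLI example that is not part of the original post. It assumes PowerCLI and an administrator session to vc02.lab.local. Role names are the API names that Get-VIRole shows, so the sample role "Virtual Machine Power User" is looked up as 'VirtualMachinePowerUser' (confirm with Get-VIRole on your own vCenter); the new role name is made up. The two privilege IDs removed are real vSphere privilege identifiers.

```powershell
# Added example, not from the original post. Assumes PowerCLI and an administrator
# session to vc02.lab.local. Role names are the API names Get-VIRole shows; confirm
# the sample role's name on your system. The new role name is made up.
Connect-VIServer -Server vc02.lab.local | Out-Null

# Role inventory: IsSystem marks the default roles that cannot be edited or deleted;
# everything else (sample roles and your own) can be.
Get-VIRole | Sort-Object IsSystem -Descending |
    Format-Table Name, IsSystem, @{Name = 'Privileges'; Expression = { $_.PrivilegeList.Count }} -AutoSize

# Clone: a new role seeded with the privilege set of the sample role.
$source = Get-VIRole -Name 'VirtualMachinePowerUser'
$clone  = New-VIRole -Name 'Lab VM Power User (no console)' `
                     -Privilege (Get-VIPrivilege -Role $source)

# Edit: remove the privileges that give interactive console access and let a user
# mount media into the guest. Both IDs are real vSphere privilege identifiers.
$toRemove = Get-VIPrivilege -Role $clone | Where-Object {
    $_.Id -in @('VirtualMachine.Interact.ConsoleInteract',
                'VirtualMachine.Interact.SetCDMedia')
}
Set-VIRole -Role $clone -RemovePrivilege $toRemove | Out-Null

# Show exactly what differs between the sample role and its edited clone
# ('<=' = only in the source role, '=>' = only in the clone).
Compare-Object (Get-VIPrivilege -Role $source).Id (Get-VIPrivilege -Role $clone).Id |
    Format-Table InputObject, SideIndicator -AutoSize
```

Cloning and then trimming a sample role, rather than editing the sample in place, keeps the original available as a reference for the next clone and makes the Compare-Object diff a useful record of what the custom role deliberately leaves out.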

Determine the Correct Roles/Privileges Needed to Integrate vCenter Server with Other VMware Products

Global permissions are applied to a global root object that spans solutions, for example, both vCenter Server and vCenter Orchestrator. Use global permissions to give a user or group privileges for all objects in all object hierarchies.

Taken from page 122 of the vSphere 6.0 Security Guide

Determine the Appropriate Set of Privileges for Common Tasks in vCenter Server

Task_Table1

Task_Table2

Tables provided by VMware, pages 128 through 129 of the vSphere 6 Security Guide

Thanks for reading!

-Jason