Access Control
Module 8
Module 2-2
You Are Here
VMware vSphere 4.1: Install, Configure, Manage – Revision A
vSphere Environment
Introduction to VMware Virtualization
VMware ESX and ESXi
VMware vCenter Server
Networking
Storage
Virtual Machines
Operations
Resource Monitoring
Data Protection
Scalability
High Availability
Patch Management
Installing VMware ESX and ESXi
Access Control
Module 2-3
Importance
When multiple users are accessing the VMware vSphere™ environment, a best practice is to give each user only the necessary permissions and nothing more. VMware vCenter™ Server allows flexible assignment of permissions.
Module 2-4
Module Objectives
Define a permission
Describe the rules for applying permissions
Create a custom role
Create a permission
Module 2-5
Access Control Overview
The access control system allows the vCenter Server administrator to define a user’s privileges to access objects in the inventory.
Key concepts:
Privilege – Defines an action that can be performed
Role – A set of privileges
Object – The target of the action
User/group – Indicates who can perform the action
Together, a role, a user or group, and an object define a permission.
Module 2-6
Users and Groups
vCenter Server or VMware® ESX™/ESXi users/groups can be local users or Active Directory domain users.
Active Directory services provide authentication for all local services:
VMware vSphere™ Client
Direct console user interface
Technical support mode (local and remote)
Access through the vSphere API
Users who are in the Active Directory group ESX Admins are automatically assigned the Administrator role.
Module 2-7
Roles
Roles are collections of privileges:
They allow users to perform tasks.
They are grouped in categories.
Roles include system roles, sample roles, and custom-built roles.
Module 2-8
Objects
Objects are entities on which actions are performed.
Objects include datacenters, folders, resource pools, clusters, hosts, datastores, networks, and virtual machines.
All objects have a Permissions tab.
This tab shows which user or group and role are associated with the selected object.
Module 2-9
Assigning Permissions
To assign a permission:
1. Select a user.
2. Select a role.
3. (Optional) Propagate the permission to child objects.
Module 2-10
Viewing Roles and Assignments
The Roles pane shows which users are assigned the selected role on a particular object.
Module 2-11
Applying Permissions: Scenario 1
A permission can propagate down the object hierarchy to all subobjects or it can apply only to an immediate object.
Greg – Administrator
Greg – No Access
Module 2-12
Applying Permissions: Scenario 2
When a user is a member of multiple groups with permissions on the same object:
The user is assigned the union of privileges assigned to the groups for that object.
Group1 – VM_Power_On (custom role)
Group2 – Take_Snapshots (custom role)
Members of Group1:
Greg
Susan
Members of Group2:
Greg
Carla
Module 2-13
Applying Permissions: Scenario 3
When a user is a member of multiple groups with permissions on different objects:
For each object on which the group has permissions, the same permissions apply as if they were granted directly to the user.
Group1 – Administrator
Group2 – Read-only
Members of Group1:
Greg
Susan
Members of Group2:
Greg
Carla
Module 2-14
Applying Permissions: Scenario 4
Permissions defined explicitly for the user on an object take precedence over all group permissions on that same object.
Group1 – VM_Power_On (custom role)
Group2 – Take_Snapshots (custom role)
Greg – Read-only
Members of Group1:
Greg
Susan
Members of Group2:
Greg
Carla
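The four scenarios above, as an added runnable model (Python written for this page, not VMware code or the vSphere API). The inventory (Datacenter > Finance folder > two VMs), the group memberships, the custom roles and the privilege identifiers are constructed to mirror the slides; the privilege names only follow vSphere's Category.Action style and the role contents are abbreviated. The resolution order is the one the slides state: the nearest object on the path to the root that carries an applicable permission decides, an explicit user permission on that object beats group permissions there, and several group permissions there are unioned. The model also shows what happens when the Scenario 1 grant is made without propagation.

```python
"""Constructed model of vCenter permission resolution (not VMware code)."""
from dataclasses import dataclass, field
from typing import Optional

# Privilege names follow vSphere's "Category.Action" style; the role contents
# are abbreviated and constructed for this example.
ROLES = {
    "Administrator": frozenset({"System.View", "VirtualMachine.Interact.PowerOn",
                                "VirtualMachine.State.CreateSnapshot",
                                "VirtualMachine.Inventory.Create"}),
    "Read-only": frozenset({"System.View"}),
    "No Access": frozenset(),
    "VM_Power_On": frozenset({"VirtualMachine.Interact.PowerOn"}),
    "Take_Snapshots": frozenset({"VirtualMachine.State.CreateSnapshot"}),
}
# Group membership as given on the scenario slides.
GROUPS = {"Group1": {"Greg", "Susan"}, "Group2": {"Greg", "Carla"}}

@dataclass
class Permission:
    principal: str           # user or group name
    is_group: bool
    role: str                # key into ROLES
    propagate: bool = False  # also apply to child objects?

@dataclass
class InvObject:
    """Inventory object (datacenter, folder, VM ...) with its Permissions tab."""
    name: str
    parent: Optional["InvObject"] = None
    permissions: list = field(default_factory=list)

    def grant(self, principal, role, *, group=False, propagate=False):
        self.permissions.append(Permission(principal, group, role, propagate))

def effective_privileges(obj, user, groups=GROUPS):
    """Walk from obj toward the root. The nearest object carrying an applicable
    permission decides (scenario 1): there an explicit user permission wins
    (scenario 4), otherwise matching group permissions are unioned (scenario 2).
    """
    node, hops = obj, 0
    while node is not None:
        # Beyond the object itself, only propagating permissions count.
        applicable = [p for p in node.permissions if hops == 0 or p.propagate]
        direct = [p for p in applicable if not p.is_group and p.principal == user]
        if direct:
            return frozenset().union(*(ROLES[p.role] for p in direct))
        via_group = [p for p in applicable
                     if p.is_group and user in groups.get(p.principal, ())]
        if via_group:
            return frozenset().union(*(ROLES[p.role] for p in via_group))
        node, hops = node.parent, hops + 1
    return frozenset()  # no permission anywhere on the path: no access

def inventory():
    """Constructed inventory: Datacenter > Finance folder > two VMs."""
    dc = InvObject("Datacenter")
    fin = InvObject("Finance", dc)
    return dc, fin, InvObject("Finance-VM01", fin), InvObject("Finance-VM02", fin)

def scenario_1(propagate=True):
    """Administrator on the datacenter, No Access set directly on one VM."""
    dc, _, vm1, vm2 = inventory()
    dc.grant("Greg", "Administrator", propagate=propagate)
    vm1.grant("Greg", "No Access")
    return {vm.name: effective_privileges(vm, "Greg") for vm in (vm1, vm2)}

def scenario_2_and_4(explicit_greg=False):
    """Two groups with custom roles on the Finance folder (scenario 2); with
    explicit_greg=True, Greg also gets Read-only there directly (scenario 4)."""
    _, fin, vm1, _ = inventory()
    fin.grant("Group1", "VM_Power_On", group=True, propagate=True)
    fin.grant("Group2", "Take_Snapshots", group=True, propagate=True)
    if explicit_greg:
        fin.grant("Greg", "Read-only", propagate=True)
    return {u: effective_privileges(vm1, u) for u in ("Greg", "Susan", "Carla")}

def scenario_3():
    """Group roles on different objects are evaluated object by object."""
    _, _, vm1, vm2 = inventory()
    vm1.grant("Group1", "Administrator", group=True)
    vm2.grant("Group2", "Read-only", group=True)
    return {(u, vm.name): effective_privileges(vm, u)
            for u in ("Greg", "Susan", "Carla") for vm in (vm1, vm2)}

if __name__ == "__main__":
    print("Scenario 1:", scenario_1())
    print("Scenario 1, no propagation:", scenario_1(propagate=False))
    print("Scenario 2:", scenario_2_and_4())
    print("Scenario 3:", scenario_3())
    print("Scenario 4:", scenario_2_and_4(explicit_greg=True))
```

When reviewing who can act on an object, this is the walk to perform by hand: start at the object, stop at the first level with a permission that reaches it, and remember that a Read-only set directly for a user silences every group grant that user holds on the same object, while a non-propagating Administrator grant one level up reaches nothing below it.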
Module 2-15
Creating a Role
Create roles that enable only the necessary tasks:
Example: Virtual Machine Creator
Use folders to contain the scope of permissions:
For example, assign the Virtual Machine Creator role to user Nancy and apply it to the Finance folder.
Virtual Machine Creator role
Datastore > Allocate space
Network > Assign network
Resource > Assign virtual machine to resource pool
Virtual machine > Inventory > Create new
Virtual machine > Configuration > Add new disk
Virtual machine > Configuration > Add or remove device
Module 2-16
Lab 13
In this lab, you will manage user access permissions.
1. Configure an ESXi host to use directory services.
2. Use Active Directory accounts to verify proper access to your ESXi host.
3. Create a custom role in vCenter Server.
4. Assign permissions on vCenter Server inventory objects.
5. Verify permission usability.
Module 2-17
Module Summary
Define a permission
Describe the rules for applying permissions
Create a custom role
Create a permission
Module 2-18
Key Points
A permission is a combination of a user or group and a role that is applied to an object in the inventory.
A permission can propagate down the object hierarchy to all subobjects or it can apply only to an immediate object.
As a best practice, define a role using the smallest number of privileges possible for better security and added control.