Access Control

Module 8


You Are Here

VMware vSphere 4.1: Install, Configure, Manage – Revision A

vSphere Environment

Introduction to VMware Virtualization

VMware ESX and ESXi

VMware vCenter Server

Networking

Storage

Virtual Machines

Operations

Resource Monitoring

Data Protection

Scalability

High Availability

Patch Management

Installing VMware ESX and ESXi

Access Control

Importance

When multiple users are accessing the VMware vSphere™ environment, a best practice is to give each user only the necessary permissions and nothing more. VMware vCenter™ Server allows flexible assignment of permissions.

Module Objectives

Define a permission

Describe the rules for applying permissions

Create a custom role

Create a permission

Access Control Overview

The access control system allows the vCenter Server administrator to define a user’s privileges to access objects in the inventory.

Key concepts:

Privilege – Defines an action that can be performed

Role – A set of privileges

Object – The target of the action

User/group – Indicates who can perform the action

Together, a role, a user or group, and an object define a permission.

Users and Groups

vCenter Server or VMware® ESX™/ESXi users/groups can be local users or Active Directory domain users.

Active Directory services provides authentication for all local services:

VMware vSphere™ Client

Direct console user interface

Technical support mode (local and remote)

Access through the vSphere API

Users who are in the Active Directory group ESX Admins are automatically assigned the Administrator role.

Roles

Roles are collections of privileges:

They allow users to perform tasks.

They are grouped in categories.

Roles include system roles, sample roles, and custom-built roles.

Objects

Objects are entities on which actions are performed.

Objects include datacenters, folders, resource pools, clusters, hosts, datastores, networks, and virtual machines.

All objects have a Permissions tab.

This tab shows which user or group and role are associated with the selected object.

Assigning Permissions

To assign a permission:

1. Select a user.

2. Select a role.

3. (Optional) Propagate the permission to child objects.

Viewing Roles and Assignments

The Roles pane shows which users are assigned the selected role on a particular object.

Applying Permissions: Scenario 1

A permission can propagate down the object hierarchy to all subobjects or it can apply only to an immediate object.

Greg – Administrator

Greg – No Access

Applying Permissions: Scenario 2

When a user is a member of multiple groups with permissions on the same object:

The user is assigned the union of privileges assigned to the groups for that object.

Group1 – VM_Power_On (custom role)

Group2 – Take_Snapshots (custom role)

Members of Group1: Greg, Susan

Members of Group2: Greg, Carla

Applying Permissions: Scenario 3

When a user is a member of multiple groups with permissions on different objects:

For each object on which the group has permissions, the same permissions apply as if they were granted directly to the user.

Group1 – Administrator

Group2 – Read-only

Members of Group1: Greg, Susan

Members of Group2: Greg, Carla

Applying Permissions: Scenario 4

Permissions defined explicitly for the user on an object take precedence over all group permissions on that same object.

Group1 – VM_Power_On (custom role)

Group2 – Take_Snapshots (custom role)

Greg – Read-only

Members of Group1: Greg, Susan

Members of Group2: Greg, Carla
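
The four scenarios above can be checked mechanically when auditing who can do what on an object. The Python model below is an added example, not part of the VMware course material: the inventory (DC, Finance, vm1, vm2), the privilege names inside each role and the object each permission is attached to are constructed. It also assumes the vSphere behavior that a permission set on a child object overrides one propagated from a parent, which is how the Scenario 1 labels are read here.

```python
# Toy model of the permission rules in Scenarios 1-4 (added example).
# Role contents, inventory and permission placement are constructed.
ROLES = {
    "Administrator": {"read", "power_on", "snapshot", "reconfigure"},
    "Read-only": {"read"},
    "No Access": set(),
    "VM_Power_On": {"read", "power_on"},
    "Take_Snapshots": {"read", "snapshot"},
}
PARENT = {"DC": None, "Finance": "DC", "vm1": "Finance", "vm2": "Finance"}
GROUPS = {"Group1": {"Greg", "Susan"}, "Group2": {"Greg", "Carla"}}

# A permission is (object, user_or_group, role, propagate_to_children).
SCENARIO_1 = [("DC", "Greg", "Administrator", True),
              ("vm2", "Greg", "No Access", False)]
SCENARIO_2 = [("Finance", "Group1", "VM_Power_On", True),
              ("Finance", "Group2", "Take_Snapshots", True)]
SCENARIO_3 = [("vm1", "Group1", "Administrator", False),
              ("vm2", "Group2", "Read-only", False)]
SCENARIO_4 = SCENARIO_2 + [("Finance", "Greg", "Read-only", True)]


def effective_privileges(user, obj, perms):
    """Privileges `user` holds on `obj` under the given permission list."""
    principals = {user} | {g for g, m in GROUPS.items() if user in m}
    node = obj
    while node is not None:
        # Permissions set on obj itself always count; those set on an
        # ancestor count only if they were flagged to propagate.
        here = [(who, role) for o, who, role, prop in perms
                if o == node and who in principals and (prop or node == obj)]
        if here:  # nearest level with a matching permission decides
            direct = [role for who, role in here if who == user]
            # Scenario 4: a permission for the user beats group permissions.
            # Scenario 2: otherwise the group roles are unioned.
            chosen = direct or [role for _, role in here]
            return set().union(*(ROLES[r] for r in chosen))
        node = PARENT[node]
    return set()  # nothing on the path to the root: no access


if __name__ == "__main__":
    for name, perms in [("1", SCENARIO_1), ("2", SCENARIO_2),
                        ("3", SCENARIO_3), ("4", SCENARIO_4)]:
        for vm in ("vm1", "vm2"):
            print(name, vm, sorted(effective_privileges("Greg", vm, perms)))
```

Scenario 4 is the case worth testing in a real inventory: adding a narrow explicit permission for a user removes the privileges that user previously held through group membership on that object.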

Creating a Role

Create roles that enable only the necessary tasks:

Example: Virtual Machine Creator

Use folders to contain the scope of permissions:

For example, assign the Virtual Machine Creator role to user Nancy and apply it to the Finance folder.

Virtual Machine Creator role

Datastore > Allocate space

Network > Assign network

Resource > Assign virtual machine to resource pool

Virtual machine > Inventory > Create new

Virtual machine > Configuration > Add new disk

Virtual machine > Configuration > Add or remove device

Lab 13

In this lab, you will manage user access permissions.

1. Configure an ESXi host to use directory services.

2. Use Active Directory accounts to verify proper access to your ESXi host.

3. Create a custom role in vCenter Server.

4. Assign permissions on vCenter Server inventory objects.

5. Verify permission usability.

Module Summary

Define a permission

Describe the rules for applying permissions

Create a custom role

Create a permission

Key Points

A permission is a combination of a user or group and role that is applied to an object in the inventory.

A permission can propagate down the object hierarchy to all subobjects or it can apply only to an immediate object.

As a best practice, define a role using the smallest number of privileges possible for better security and added control.