Transcript of VSICM51_M09_AccessControl_
8/13/2019 VSICM51_M09_AccessControl_ 1/33
2012 VMware Inc. All rights reserved

Module 9: Access and Authentication Control
VMware vSphere: Install, Configure, Manage Revision A
Importance

When multiple users are accessing the VMware vSphere environment, a best practice is to give each user only the necessary permissions and nothing more. VMware vCenter Server allows flexible assignment of permissions.

Module Lessons

Lesson 1: Configuring ESXi Host Access and Authentication
Lesson 2: Configuring Roles and Permissions
Lesson 3: vShield Endpoint in vSphere 5.1

Lesson 1: Configuring ESXi Host Access and Authentication

Learner Objectives

After this lesson, you should be able to do the following:
- Configure the VMware vSphere ESXi firewall by enabling and disabling services.
- Enable and disable lockdown mode on an ESXi host.
- Configure user logins to authenticate with directory services.

Configuring Security Profile Services
Configuring the ESXi Firewall
Enabling and Disabling Lockdown Mode
Integrating ESXi with Active Directory
Review of Learner Objectives

You should be able to do the following:
- Configure the ESXi firewall by enabling and disabling services.
- Enable and disable lockdown mode on an ESXi host.
- Configure user logins to authenticate with directory services.

Lesson 2: Configuring Roles and Permissions

Learner Objectives

After this lesson, you should be able to do the following:
- Define a permission.
- Describe the rules for applying permissions.
- Create a custom role.
- Create a permission.

Access Control Overview

The access control system allows the vCenter Server administrator to define a user's privileges to access objects in the inventory. Key concepts:
- Privilege: Defines an action that can be performed.
- Role: A set of privileges.
- Object: The target of the action.
- User/group: Indicates who can perform the action.

Together, a role, a user or group, and an object define a permission.

Users and Groups

vCenter Server or ESXi users/groups can be local users or Active Directory (AD) domain users. AD services provide authentication for all local services:
- VMware vSphere Client
- Direct console user interface
- Technical support mode (local and remote)
- Access through the VMware vSphere API

Users who are in the AD group ESX Admins are automatically assigned the Administrator role.

Roles

Roles are collections of privileges:
- They allow users to perform tasks.
- They are grouped in categories.

Roles include system roles, sample roles, and custom-built roles.

Objects

Objects are entities on which actions are performed.
Objects include datacenters, folders, resource pools, clusters, hosts, datastores, networks, and virtual machines.

All objects have a Permissions tab. This tab shows which user or group and role are associated with the selected object.

Assigning Permissions

To assign a permission:
1. Select a user.
2. Select a role.
3. (Optional) Propagate the permission to child objects.

Viewing Roles and Assignments

The Roles pane shows which users are assigned the selected role on a particular object.

Applying Permissions: Scenario 1

A permission can propagate down the object hierarchy to all subobjects or it can apply only to an immediate object.

Figure labels: Greg: Administrator; Greg: No Access

Applying Permissions: Scenario 2

When a user is a member of multiple groups with permissions on the same object:
- The user is assigned the union of privileges assigned to the groups for that object.

Figure labels: Group1: VM_Power_On (custom role); Group2: Take_Snapshots (custom role)
Members of Group1: Greg, Susan
Members of Group2: Greg, Carla

Applying Permissions: Scenario 3

When a user is a member of multiple groups with permissions on different objects:
- For each object on which the group has permissions, the same permissions apply as if they were granted directly to the user.

Figure labels: Group1: Administrator; Group2: Read-only
Members of Group1: Greg, Susan
Members of Group2: Greg, Carla

Applying Permissions: Scenario 4

Permissions defined explicitly for the user on an object take precedence over all group permissions on that same object.

Figure labels: Group1: VM_Power_On (custom role); Group2: Take_Snapshots (custom role); Greg: Read-only
Members of Group1: Greg, Susan
Members of Group2: Greg, Carla

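The four scenarios above can be checked against a small model of the permission rules. The code below is an added example written for this transcript, not VMware's implementation; the role names, privilege strings and inventory tree are constructed sample values, and the resolution order (closest object wins, explicit user entry beats group entries, union across groups) follows the slides.

```python
# Added example, not from the VMware course: a small model of how vCenter
# Server resolves a user's effective privileges on an inventory object,
# following the four scenario rules on the slides:
#   Scenario 1: a permission may propagate to child objects, and a permission
#               set on the object closest to the target overrides an inherited one.
#   Scenario 2: several groups with permissions on the same object: the union applies.
#   Scenario 3: group permissions on different objects apply as if granted to the user.
#   Scenario 4: an explicit user permission on an object overrides group
#               permissions on that same object.
# Role names, privilege strings and the inventory tree are constructed sample values.

ROLES = {
    "Administrator": {"VirtualMachine.PowerOn", "VirtualMachine.Snapshot",
                      "Datastore.AllocateSpace", "System.View"},
    "Read-only": {"System.View"},
    "No Access": set(),
    "VM_Power_On": {"VirtualMachine.PowerOn"},      # custom role
    "Take_Snapshots": {"VirtualMachine.Snapshot"},  # custom role
}

# Inventory hierarchy: object -> parent object (None for the root).
PARENT = {"vCenter": None, "Datacenter": "vCenter",
          "Finance": "Datacenter", "VM1": "Finance"}


def effective_privileges(user, groups, permissions, obj):
    """permissions: list of (principal, object, role, propagate) tuples.
    Walks from obj up to the root and returns the privileges granted by the
    first (closest) object that carries a usable permission for the user."""
    principals = {user, *groups}
    node, inherited = obj, False
    while node is not None:
        # On the target itself every permission applies; on an ancestor only
        # those marked to propagate to child objects do.
        applicable = [p for p in permissions
                      if p[1] == node and p[0] in principals
                      and (p[3] or not inherited)]
        if applicable:
            direct = [p for p in applicable if p[0] == user]
            chosen = direct or applicable        # Scenario 4: user entry wins
            privs = set()
            for _, _, role, _ in chosen:         # Scenario 2: union of group roles
                privs |= ROLES[role]
            return privs
        node, inherited = PARENT[node], True     # Scenarios 1 and 3: inherit
    return set()                                 # no permission anywhere: no access
```

Note that a "No Access" entry on a child object yields an empty privilege set even when an Administrator permission propagates from above, which is the point of Scenario 1.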
Creating a Role

Create roles that enable only the necessary tasks:
- Example: Virtual Machine Creator

Use folders to contain the scope of permissions:
- For example, assign the Virtual Machine Creator role to user Nancy and apply it to the Finance folder.

Virtual Machine Creator role privileges:
- Datastore > Allocate space
- Network > Assign network
- Resource > Assign virtual machine to resource pool
- Virtual machine > Inventory > Create new
- Virtual machine > Configuration > Add new disk
- Virtual machine > Configuration > Add or remove device

Lab 14

In this lab, you will manage user access permissions.
1. Try to log in directly to the ESXi host.
2. Grant nonadministrator access to a user.
3. Explore the ESX Admins AD group.

Lab 15

In this lab, you will use a custom user role.
1. Create a custom role in vCenter Server.
2. Assign permissions on vCenter Server inventory objects.
3. Verify permission usability.

Review of Learner Objectives

You should be able to do the following:
- Define a permission.
- Describe the rules for applying permissions.
- Create a custom role.
- Create a permission.

Lesson 3: vShield Endpoint in vSphere 5.1

Learner Objectives

After this lesson, you should be able to do the following:
- Describe how VMware vShield and vSphere fit into a cloud infrastructure.
- Explain how VMware vShield Endpoint is integrated into vSphere.

VMware vShield: Foundation for a Trusted Cloud

Securing the cloud from edge to endpoint

Figure labels: VMware vShield Manager; virtual datacenter 1; virtual datacenter 2; zones PCI, HIPAA, Web, DMZ
- VMware vShield App: Protect applications from threats with trust zones.
- VMware vShield Edge: Secure the edge of the virtual datacenter.
- vShield Endpoint: Streamline and accelerate antivirus solutions.
- vShield Endpoint with Data Security: Protect against data leaks.

vShield Endpoint

Overview
Secure your virtual machines with offloaded anti-virus and anti-malware (AV) solutions without the need for agents. Included with vSphere.

Benefits
- Simplified AV administration
- Higher consolidation ratios by preventing the possibility of AV storms
- Improved performance