VSICM51_M09_AccessControl_

Transcript of VSICM51_M09_AccessControl_

  • 8/13/2019 VSICM51_M09_AccessControl_

    1/33

    2012 VMware Inc. All rights reserved

    Access and Authentication Control

    Module 9

    VMware vSphere: Install, Configure, Manage Revision A

    Importance

    When multiple users are accessing the VMware vSphere environment, a best practice is to give each user only the necessary permissions and nothing more. VMware vCenter Server allows flexible assignment of permissions.

    Module Lessons

    • Lesson 1: Configuring ESXi Host Access and Authentication
    • Lesson 2: Configuring Roles and Permissions
    • Lesson 3: vShield Endpoint in vSphere 5.1

    Lesson 1: Configuring ESXi Host Access and Authentication

    Learner Objectives

    After this lesson, you should be able to do the following:

    • Configure the VMware vSphere ESXi firewall by enabling and disabling services.
    • Enable and disable lockdown mode on an ESXi host.
    • Configure user logins to authenticate with directory services.

    Configuring Security Profile Services

    Configuring the ESXi Firewall

    Enabling and Disabling Lockdown Mode

    Integrating ESXi with Active Directory

    Review of Learner Objectives

    You should be able to do the following:

    • Configure the ESXi firewall by enabling and disabling services.
    • Enable and disable lockdown mode on an ESXi host.
    • Configure user logins to authenticate with directory services.

    Lesson 2: Configuring Roles and Permissions

    Learner Objectives

    After this lesson, you should be able to do the following:

    • Define a permission.
    • Describe the rules for applying permissions.
    • Create a custom role.
    • Create a permission.

    Access Control Overview

    The access control system allows the vCenter Server administrator to define a user's privileges to access objects in the inventory. Key concepts:

    • Privilege: Defines an action that can be performed
    • Role: A set of privileges
    • Object: The target of the action
    • User/group: Indicates who can perform the action

    Together, a role, a user or group, and an object define a permission.

    Users and Groups

    vCenter Server or ESXi users/groups can be local users or Active Directory (AD) domain users.

    AD services provides authentication for all local services:

    • VMware vSphere Client
    • Direct console user interface
    • Technical support mode (local and remote)
    • Access through the VMware vSphere API

    Users who are in the AD group ESX Admins are automatically assigned the Administrator role.

    Roles

    Roles are collections of privileges:

    • They allow users to perform tasks.
    • They are grouped in categories.

    Roles include system roles, sample roles, and custom-built roles.

    Objects

    Objects are entities on which actions are performed.

    Objects include datacenters, folders, resource pools, clusters, hosts, datastores, networks, and virtual machines.

    All objects have a Permissions tab. This tab shows which user or group and role are associated with the selected object.

    Assigning Permissions

    To assign a permission:

    1. Select a user.
    2. Select a role.
    3. (Optional) Propagate the permission to child objects.

    Viewing Roles and Assignments

    The Roles pane shows which users are assigned the selected role on a particular object.

    Applying Permissions: Scenario 1

    A permission can propagate down the object hierarchy to all subobjects or it can apply only to an immediate object.

    (Figure labels: "Greg: Administrator" and "Greg: No Access")

    Applying Permissions: Scenario 2

    When a user is a member of multiple groups with permissions on the same object:

    • The user is assigned the union of privileges assigned to the groups for that object.

    (Figure labels: "Group1: VM_Power_On (custom role)" and "Group2: Take_Snapshots (custom role)")

    Members of Group1: Greg, Susan

    Members of Group2: Greg, Carla

    Applying Permissions: Scenario 3

    When a user is a member of multiple groups with permissions on different objects:

    • For each object on which the group has permissions, the same permissions apply as if they were granted directly to the user.

    (Figure labels: "Group1: Administrator" and "Group2: Read-only")

    Members of Group1: Greg, Susan

    Members of Group2: Greg, Carla

    Applying Permissions: Scenario 4

    Permissions defined explicitly for the user on an object take precedence over all group permissions on that same object.

    (Figure labels: "Group1: VM_Power_On (custom role)", "Group2: Take_Snapshots (custom role)" and "Greg: Read-only")

    Members of Group1: Greg, Susan

    Members of Group2: Greg, Carla
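
The rules in Scenarios 1 to 4 can be checked with a small resolver. This is an added example, not part of the course material or VMware code: a simplified model that goes slightly beyond the slides by also applying the vSphere rule that a permission set on a child object overrides one propagated from its parent. The inventory names (Datacenter, FolderA, VM1, VM2) and the privileges inside each role are assumptions.

```python
# Simplified model of Scenarios 1-4; constructed data, not VMware code.
ROLES = {  # privilege names inside each role are assumptions
    "Administrator": {"read", "power_on", "snapshot", "configure"},
    "Read-only": {"read"},
    "No Access": set(),
    "VM_Power_On": {"power_on"},
    "Take_Snapshots": {"snapshot"},
}
GROUPS = {"Group1": {"Greg", "Susan"}, "Group2": {"Greg", "Carla"}}
# Hypothetical inventory: child -> parent
PARENT = {"Datacenter": None, "FolderA": "Datacenter",
          "VM1": "FolderA", "VM2": "FolderA"}

def effective_privileges(user, obj, permissions):
    """permissions: list of (object, principal, role, propagate) tuples."""
    node, direct = obj, True
    while node is not None:
        # On the object itself every permission counts; on ancestors only
        # permissions flagged to propagate reach this object (Scenario 1).
        here = [p for p in permissions if p[0] == node and (direct or p[3])]
        own = [ROLES[p[2]] for p in here if p[1] == user]
        if own:  # Scenario 4: explicit user permission beats group permissions
            return set().union(*own)
        via_groups = [ROLES[p[2]] for p in here if user in GROUPS.get(p[1], ())]
        if via_groups:  # Scenario 2: union across the user's groups
            return set().union(*via_groups)
        node, direct = PARENT[node], False  # nearest definition wins
    return set()  # no permission anywhere on the path

def scenario_results():
    s1 = [("Datacenter", "Greg", "Administrator", True),
          ("VM1", "Greg", "No Access", True)]
    s2 = [("FolderA", "Group1", "VM_Power_On", True),
          ("FolderA", "Group2", "Take_Snapshots", True)]
    s3 = [("VM1", "Group1", "Administrator", False),
          ("VM2", "Group2", "Read-only", False)]
    s4 = s2 + [("FolderA", "Greg", "Read-only", True)]
    return {
        "s1_vm1": effective_privileges("Greg", "VM1", s1),
        "s1_vm2": effective_privileges("Greg", "VM2", s1),
        "s2_greg": effective_privileges("Greg", "VM1", s2),
        "s2_susan": effective_privileges("Susan", "VM1", s2),
        "s3_vm1": effective_privileges("Greg", "VM1", s3),
        "s3_vm2": effective_privileges("Greg", "VM2", s3),
        "s4_greg": effective_privileges("Greg", "VM1", s4),
    }

if __name__ == "__main__":
    for name, privs in scenario_results().items():
        print(name, sorted(privs))
```

Scenario 4 is the case to audit for: adding a narrow per-user permission silently removes everything the user's groups granted on that object.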

    Creating a Role

    Create roles that enable only the necessary tasks:

    • Example: Virtual Machine Creator

    Use folders to contain the scope of permissions:

    • For example, assign the Virtual Machine Creator role to user Nancy and apply it to the Finance folder.

    Virtual Machine Creator role:

    • Datastore > Allocate space
    • Network > Assign network
    • Resource > Assign virtual machine to resource pool
    • Virtual machine > Inventory > Create new
    • Virtual machine > Configuration > Add new disk
    • Virtual machine > Configuration > Add or remove device

    Lab 14

    In this lab, you will manage user access permissions.

    1. Try to log in directly to the ESXi host.
    2. Grant nonadministrator access to a user.
    3. Explore the ESX Admins AD group.

    Lab 15

    In this lab, you will use a custom user role.

    1. Create a custom role in vCenter Server.
    2. Assign permissions on vCenter Server inventory objects.
    3. Verify permission usability.

    Review of Learner Objectives

    You should be able to do the following:

    • Define a permission.
    • Describe the rules for applying permissions.
    • Create a custom role.
    • Create a permission.

    Lesson 3: vShield Endpoint in vSphere 5.1

    Learner Objectives

    After this lesson, you should be able to do the following:

    • Describe how VMware vShield and vSphere fit into a cloud infrastructure.
    • Explain how VMware vShield Endpoint is integrated into vSphere.

    VMware vShield: Foundation for a Trusted Cloud

    Securing the cloud from edge to endpoint

    • VMware vShield App with Data Security: Protect applications from threats with trust zones. Protect against data leaks.
    • VMware vShield Edge: Secure the edge of the virtual datacenter.
    • vShield Endpoint: Streamline and accelerate antivirus solutions.

    (Figure labels: virtual datacenter 1, virtual datacenter 2, PCI, HIPAA, Web, DMZ, VMware vShield Manager)

    vShield Endpoint

    Overview

    • Secure your virtual machines with offloaded anti-virus and anti-malware (AV) solutions without the need of agents
    • Included with vSphere

    Benefits

    • Simplified AV administration
    • Higher consolidation ratios by preventing the possibility of AV storms
    • Improved performance
