Friday, May 31, 2013

vCenter Roles and Privileges

Role and Privileges

vCenter privileges work quite differently from Active Directory's discretionary access control (DAC). vCenter uses role-based access control (RBAC).

There are three types of roles:

  • System
  • Sample
  • Custom 


System Roles

There are three system roles. They are built in and cannot be changed:

  • No Access - the user cannot see the object
  • Read Only - the user can see the object, but the right-click options are grayed out
  • Administrator - the user has all privileges on the object


Sample Roles: the default sample roles are

  • Virtual Machine Power User
  • Datastore Consumer
  • Network Consumer
  • Virtual Machine User
  • Resource Pool Administrator
  • VMware Consolidated Backup User
Note: It is advised not to change the sample roles. Clone a sample role instead and apply the clone to the object.


Custom Roles:

Any additional roles that you create in vCenter are called custom roles.

How are permissions applied and inherited?

  • A permission applied directly on an object supersedes a permission inherited from a parent object.
  • A permission applied directly to a user supersedes a permission inherited from membership in a group.
Examples:

  • User_A: Administrator on the Datacenter; No Access on VM1
    Result: User_A can see and modify all the objects under the datacenter but cannot see VM1.
  • Group_A: Power on VM
    Group_B: Take Snapshot
    User_A: Member of Group_A and Group_B
    User_B: Group_A
    User_C: Group_B
    Result: User_A can power on and take snapshots of all the VMs
    User_B: Can take snapshots of VMs but cannot power them on
    User_C: Can only power on the machines
  • Group_A: Administrator
    Group_B: Read Only on VM2
    User_A: Group_A, Group_B
    User_B: Group_A
    User_C: Group_B
    Result: User_A can see and perform admin activity on all the objects except VM2
    User_B: Has administrative privileges on all the objects, including VM2
    User_C: Can see only VM2, no other objects in the datacenter
  • Group_A: Power on VM
    Group_B: Take Snapshot
    User_A: Read Only on the Datacenter
    Result: Even though the user is part of both groups A and B, the user will only be able to see the objects; all the options will be grayed out.
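The two resolution rules above can be checked against the examples with a small model of the vCenter permission lookup. This is an added example, not part of the original post or of any VMware tool: the inventory (one datacenter with two VMs), the Permission class and the privilege sets behind each role are constructed for the demonstration, and every permission is assumed to propagate to child objects.

```python
from typing import NamedTuple

class Permission(NamedTuple):
    principal: str          # user or group the permission is granted to
    obj: str                # inventory object it is set on
    role: str
    propagate: bool = True  # inherited by child objects

# Constructed inventory (child -> parent): one datacenter holding two VMs.
INVENTORY = {"Datacenter": None, "VM1": "Datacenter", "VM2": "Datacenter"}

# Roles as sets of privilege ids; a constructed subset of the real catalogue.
ROLES = {
    "No Access": set(),
    "Read Only": {"System.View"},
    "Administrator": {"System.View", "VirtualMachine.PowerOn", "VirtualMachine.Snapshot"},
    "Power on VM": {"System.View", "VirtualMachine.PowerOn"},
    "Take Snapshot": {"System.View", "VirtualMachine.Snapshot"},
}

def effective_privileges(user, groups, permissions, obj):
    """Privileges `user` (member of `groups`) holds on `obj`.
    Walk from obj towards the root; the nearest level carrying a matching
    permission decides (object-level beats inherited). At that level a
    permission for the user itself beats group permissions; otherwise the
    matching group permissions are unioned."""
    node, inherited = obj, False
    while node is not None:
        here = [p for p in permissions if p.obj == node and (p.propagate or not inherited)]
        direct = [ROLES[p.role] for p in here if p.principal == user]
        if direct:
            return set().union(*direct)
        via_groups = [ROLES[p.role] for p in here if p.principal in groups]
        if via_groups:
            return set().union(*via_groups)
        node, inherited = INVENTORY[node], True
    return set()

def can_see(user, groups, permissions, obj):
    """An object is visible only if some privilege (System.View) applies to it."""
    return "System.View" in effective_privileges(user, groups, permissions, obj)

if __name__ == "__main__":
    # Third example from the post: Group_A Administrator on the datacenter,
    # Group_B Read Only on VM2, User_A a member of both groups.
    perms = [Permission("Group_A", "Datacenter", "Administrator"),
             Permission("Group_B", "VM2", "Read Only")]
    for obj in INVENTORY:
        print(obj, sorted(effective_privileges("User_A", {"Group_A", "Group_B"}, perms, obj)))
```

Running it prints Administrator privileges for the Datacenter and VM1 but only System.View for VM2, matching the post's result for User_A.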
