Total Pageviews

Friday, May 31, 2013

vCenter Roles and Privilages

Role and Privileges

Vcenter privileges are fairly different than the  Active directory (Discretionary access control ) . vCenter uses role based access control - RBAC .

There are three type of roles 

  • System
  • Sample
  • Custom 

System Roles

There are 3 type of system roles these are default and cannot be changed

  • NO access  - User cannt see the object
  • Read Only - User can see the object but right click options are grayed out
  • Administrator - users have all the privilege on the object

Sample Roles : default sample roles are 

  • Virtual machine power on 
  • Datastore consumer
  • Network consumer
  • Virtual Machine User
  • Resource Pool administrator
  • vmware consolidated backup user
Note : Its advised not to change the Sample roles . Its better to clone the roles and apply to the object

Custom Roles:

When you create additional roles in the vCenter are called custom roles.

How Permissions are applied and inherited ?

  • Permissions applied on the objects supersedes a permission that is inherited
  • Permissions applied on the user supersedes permission which is inherited from being part of a group.
Examples :

  • User A - has admin access on DataCenter and No Access on VM1.Result  : This implies User A can see and modify all the objects under the datacenter but he cant see VM1
  • Group_A - Power on VMGroup_B - take SnapshotUser_A - Memeber of Group_A and Group_BUser_B- Group_AUser_C- Group_BResult : User_A can power on and take snapshot of all the vmsUser_B - Can take snapshot of vms but cant power on the vmUser_C - can only power on the machine
  • Group_A : Administrator
    Group_B: Read only VM2
    User_A : Group_A , Group_B
    User_B : Group_A
    User_C: Group_B
    Result : User_A : Can see and perform admin activity on all the objects accept VM2
    User_B : Has Administrative privilege on all the object including the vm2
    User_C : Can see only VM2 , no other objects in the datacenter
  • Group_A - Power on VMGroup_B - Take Snapshot
    User_A - ReadOnly on Datacenter
    Result : Even though user is part of both groups A and B , user will be able to see only the objects but all the options will be grayed out.

No comments:

Post a Comment