As a system administrator (or virtualization administrator, in this case), you will often be called upon to perform such or such modification on a server, a router, ...
In the case of VMware ESXi, as with other technologies (including Active Directory), it's possible to create additional users with limited rights to be able to delegate some common tasks without giving them too many rights.
To delegate some tasks to people you trust (whether managers or employees), you will always need to use a combination of 3 elements : user accounts, roles and permissions.
In this tutorial, you will see how to add, edit and delete each of these items and how to configure them on different types of objects (host server, virtual machines, storage or port group).
To be able to grant such or such right to a user on such or such object, VMware ESXi uses a role system.
To see the list of roles available by default, go to : Host -> Manage -> Security & users -> Roles.
As you can see, by default, VMware ESXi provides different roles :
Although there are default roles with predefined permissions for them, you can also create your own roles to be able to manage the granting of permissions in more detail.
To do this, click on : Add role.
To add a role, you will need to :
As you can see, you will be able to grant or not grant privileges for :
If you click on one of the available privilege categories, you will be able to carefully manage the privileges relating to the desired category.
For this tutorial, we have only granted management of virtual machines.
However, this may not be sufficient depending on the specific actions the user will attempt to perform.
Indeed, although he will be able to access the list of virtual machines, start them and use them (for example), he will not be able to create additional virtual hard disks for them.
Indeed, for that, you will also have to grant additional privileges located in the category "Datastore". And in particular, the "AllocateSpace" privilege which allows space to be allocated in a datastore.
To return to the root of the list of available privilege categories, click on the "Root" element of the breadcrumb trail.
Then, once you have checked all the rights to be assigned to users using this role, click on : Add.
Your new role has been added.
To get started, be aware that the predefined roles can't be changed.
Moreover, if you select one in the list of roles, you will see that the "Edit role" option will be grayed out.
But, by selecting one of the custom roles that you added, you will be able to click on "Edit role".
As expected, you will be able to change the name of this role, as well as the list of privileges associated with it.
Note that VMware ESXi may have automatically added some rights to your custom role. As is the case here, with the "System" privilege category which was automatically checked by the VMware ESXi hypervisor.
WARNING : if you have already assigned this role for several users on your hypervisor, pay attention to the rights that you are going to change here since this will change the rights for all these users on the desired objects.
You may therefore accidentally assign rights to some users without wanting to, or even without realizing it at the time.
To delete a role, select it in the list and click on : Remove role.
Select the "Remove only if unused" check box, then click Yes to confirm the removal of this role.
If this role is no longer used on your VMware ESXi hypervisor, the "Role [role name] successfully removed" message will appear.
Otherwise, the "Failed to remove role" error will occur and the desired role will not be removed.
Once you have grouped the different privileges to be granted to your future users thanks to the roles, you will have to create user accounts for them.
In business, creating users allows you to grant different rights depending on the user, but also to control what they do.
This way, if something goes wrong, you can easily tell which person did the wrong thing or something they shouldn't have done.
To manage the users of your VMware ESXi hypervisor, go to : Host -> Manage -> Security & Users -> Users.
As you can see, by default only the "root" account is present in this user list.
To add a user, simply click on : Add User.
In the "Add a user" window that appears, specify :
Then, click on : Add.
The "User [user name] added successfully" message appears.
To edit a user, select it in the list and click on : Edit user.
As you can see, you can change its description and password, if needed.
To remove a user, select it in the list and click on : Remove user.
Answer Yes to the "Are you sure you want to remove user: [user name]?" question.
The message "User [user name] successfully removed" appears.
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.