Now that you have learned how to manage roles and users, and where permissions can be set, here is a real-world example.
In this example, we will create a new user named "AdminVM" and grant it the role "Virtual machine user (sample)" so that it can manage virtual machines.
To get started, go to the menu and click on: Administration.
Next, go to the "Single Sign-On -> Users and Groups" section and select the "vsphere.local" domain.
Click on the "ADD" link and create this "AdminVM" user.
As explained previously, permissions can be defined in several places and in particular on the object corresponding to your VMware vCenter Server.
In our case, this is called: vcsa.informatiweb.lan.
To add a permission to your VMware vCenter Server, right-click it and select "Add Permission".
Alternatively, select it in the inventory on the left and open its "Permissions" tab.
Then, click on the "+" icon above the list of permissions defined on this vCenter Server.
In the form that appears:
Select the role you want to assign to this user.
For this example: the "Virtual machine user (sample)" role, which is present by default in VMware vCenter Server.
Since the role is for managing virtual machines and you are adding this permission on your VMware vCenter Server, you need to check the "Propagate to children" box.
Thus, this permission will apply to all the children of your VMware vCenter server, of which your virtual machines are also a part.
The added permission appears in the permissions list of your VMware vCenter Server.
In the "Permissions" tab of the selected VMware vCenter Server, the added permission is listed as defined in: This object and its children.
This means that the permission was added to this object, but that it also applies to all the children of this object.
If you look at the permissions set for one of your virtual machines, you will see that the same permission is also displayed for this object.
The reason is simple: your VMware vCenter Server displays the permissions defined on the selected object, as well as those that apply to this object by inheritance (propagation of the permission to children).
This time, however, the "Defined in" column tells you that this permission was defined on the object representing your VMware vCenter Server (in our case: vcsa.informatiweb.lan), not on the virtual machine itself.
To test the permissions granted to this user, log out of the vSphere client by clicking on your user name in the top right, then: Log out.
Log in as "AdminVM@vsphere.local" (remembering to specify the SSO domain this user is concerned with).
As you can see, although the "Virtual machine user (sample)" role is only meant to let the user interact with virtual machines, manage scheduled tasks and cancel tasks, you can still see information about the VMware vCenter Server on which you defined the permission.
Of course, you also have the possibility to see information concerning the virtual machines, but also to manage them.
For example, you can start a virtual machine if you wish.
You can also open their console, since the privileges allowing you to interact with them were granted through the "Virtual machine user (sample)" role selected when adding the permission.
If you right-click the object corresponding to your VMware vCenter Server, you will quickly see that you only have read-only access to it: every role includes the implicit System.View and System.Read privileges, so defining a permission on an object always makes that object visible, but the role grants no privileges for managing the VMware vCenter Server itself.
Same for data centers that are children of your VMware vCenter Server.
You will only have read-only access to these, since you do not have data center privileges in this case.
Even the context-menu entries that are not grayed out only lead to submenus in which every option is grayed out.
For security reasons (least privilege), you will usually want this user to see as little of your infrastructure as possible.
To do this, define the permission directly on the desired object (in this case: a virtual machine) or on a parent object (for example: a folder) that is as close as possible to the object(s) to which you want to apply this permission.
For this example, we removed the permission previously set on our VMware vCenter Server and added it, with the same values, on our "Win 10 v2004 x64" virtual machine.
As you can see, the permission previously defined on our VMware vCenter Server is no longer present.
Log in with the "AdminVM" user used for this example and you will see that almost everything is hidden.
Indeed, given that the permission was added to a specific object (in this case: the "Win 10 v2004 x64" virtual machine), your VMware vCenter Server only displays the names of the different parent objects.
If you select the VMware vCenter Server (e.g. vcsa.informatiweb.lan) on the left, your server will not show you anything apart from the message "You do not have permissions to view this object or this object does not exist".
Same for the VMware ESXi host running this virtual machine.
However, you will be able to access all the information concerning the virtual machine on which you added the permission with the "Virtual machine user (sample)" role.
And since this role allows it, you will also be able to interact with this virtual machine and power it on.
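The same procedure, from the propagated permission on the vCenter Server object to the least-privilege variant scoped to a single virtual machine, can be scripted with PowerCLI. The following is an added example and is not code from the original article or from VMware. It assumes that the VMware.PowerCLI module is installed, that you connect with an administrator account, that the SSO user vsphere.local\AdminVM was already created as described above, and it reuses the names from this article (vcsa.informatiweb.lan, "Win 10 v2004 x64", "Virtual machine user (sample)"); adjust them to your environment.

```powershell
# Added example (PowerCLI), not from the original article.
# Assumptions: VMware.PowerCLI is installed, you are connecting as an administrator,
# and the SSO user VSPHERE.LOCAL\AdminVM already exists (created in the UI above).
Import-Module VMware.PowerCLI

$vcName    = 'vcsa.informatiweb.lan'        # vCenter Server from the article
$principal = 'VSPHERE.LOCAL\AdminVM'        # SSO domain\user
$roleName  = 'Virtual machine user (sample)'
$vmName    = 'Win 10 v2004 x64'             # VM from the article

$vc   = Connect-VIServer -Server $vcName
$role = Get-VIRole -Server $vc -Name $roleName

# 1. List what the role really grants. Every role also carries the implicit
#    System.Anonymous / System.Read / System.View privileges, which is why a
#    permission on an object always makes that object visible (read-only).
$role | Get-VIPrivilege | Select-Object Id | Format-Table -AutoSize

# 2. Variant A (as in the first part of the article): permission on the root
#    folder, which is the "vCenter Server" object of the UI, propagated to children.
$root = Get-Folder -Server $vc -NoRecursion
New-VIPermission -Entity $root -Principal $principal -Role $role -Propagate $true

# Seen from the VM, the same permission is listed but its Entity (the "Defined in"
# column of the UI) is the root folder, i.e. it is inherited.
Get-VIPermission -Entity (Get-VM -Server $vc -Name $vmName) -Principal $principal |
    Select-Object Principal, Role, Propagate, @{N = 'DefinedIn'; E = { $_.Entity.Name }}

# 3. Variant B (least privilege, as in the second part of the article): remove the
#    root permission and define it only on the VM, without propagation.
Get-VIPermission -Entity $root -Principal $principal | Remove-VIPermission -Confirm:$false
New-VIPermission -Entity (Get-VM -Server $vc -Name $vmName) -Principal $principal -Role $role -Propagate $false

# Audit check: every permission this principal now holds anywhere in the inventory.
# After variant B, only one entry (DefinedIn = the VM name) should remain.
Get-VIPermission -Server $vc -Principal $principal |
    Select-Object Principal, Role, Propagate, @{N = 'DefinedIn'; E = { $_.Entity.Name }}

Disconnect-VIServer -Server $vc -Confirm:$false
```

The final Get-VIPermission call is the check worth keeping in a periodic audit script: listing all permissions per principal, with the object they are defined on and whether they propagate, quickly reveals broad permissions accidentally left on the vCenter Server or data center objects.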
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.