  • VMware
  • VMware vCenter Server (VCSA), VMware vSphere
  • 21 June 2024 at 11:11 UTC
  • InformatiWeb
  • 1/4

Manage roles, users and permissions on VMware vSphere 6.7

Thanks to VMware vCenter Server (VCSA), you can manage many things, including: your hosts (VMware ESXi), your clusters, your datastores, ...
You can also access the consoles of your different virtual machines.

In a business environment, however, you will need to give different users limited access to certain features of VMware vCenter Server (VCSA).
To do this, VMware allows you to use predefined roles or create your own to grant permissions to different users and/or user groups on different objects (hosts, virtual machines, datastores, ...).

  1. Manage roles
    1. Role: Virtual machine user (sample)
    2. Role: Virtual machine power user (sample)
    3. Add a custom role
    4. Edit a predefined or custom role
    5. Delete a custom role
  2. Manage users
    1. Add a user
    2. Edit a user
    3. Delete a user
  3. Manage permissions on different objects
    1. Manage global permissions
    2. Manage permissions on a VMware vCenter Server (or VCSA)
    3. Manage permissions on a data center
    4. Manage permissions on a VMware ESXi hosts folder
    5. Manage permissions on a VMware ESXi host (hypervisor)
    6. Manage permissions on a virtual machine (VM)
    7. Manage permissions on a virtual machine (VM) folder
    8. Manage permissions on a datastore
    9. Manage permissions on a virtual network
  4. Add a user and grant them permission on a specific object
  5. Test the permissions granted to a user
  6. Test by setting permission on a specific object instead of a parent object

1. Manage roles

To grant rights (called "privileges" in VMware vCenter Server) to users or user groups, you will need to use the existing roles or create new ones.
Roles are sets of privileges that you can grant to users or groups of users on the desired objects.

To access the list of predefined roles and/or add others, go to the vSphere Client menu and click: Administration.

Then, go to the section: Access control -> Roles.
As you can see, around ten predefined roles already exist in VMware vCenter Server.
Among these, you will find examples that will allow you to easily grant the necessary privileges for different common actions that you would like to delegate to different users.

In VMware vCenter Server, these predefined roles are:

  • Administrator: allows you to grant all rights to one or more users.
    By default, the "Administrator@vsphere.local" user created during the installation of VMware vCenter Server (VCSA) has this "Administrator" role for the root of your vCenter Server, as well as all child objects.
    This allows it to access all the features offered by vCenter Server.
  • Read-only: allows you to grant read-only rights on one or more objects. The user will therefore not be able to modify the objects to which this role is applied.
  • No access: allows you to remove rights on a child object, cancelling the rights it would otherwise receive from a role applied to a parent object.
  • Tagging Admin: allows the user to create, edit, or delete tags and tag categories, as well as assign or remove them.
  • Content library administrator (sample): allows the user to manage content libraries and therefore perform creation, modification, deletion, synchronization, ... operations on them.
  • Resource pool administrator (sample): allows the user to manage resource pools, assign a virtual machine to a resource pool, migrate virtual machines, manage scheduled tasks, ...
  • Network administrator (sample): allows the user to associate hosts or virtual machines with networks.
  • No cryptography administrator: same as the "Administrator" role (i.e. full access), but without the privileges concerning encryption operations.
  • AutoUpdateUser: privileges required for cross-domain automatic updating.
  • Datastore consumer (sample): allows the user to allocate space on a datastore in order to create virtual hard disks or snapshots.
  • Virtual Machine console user: allows the user to access the console of the desired virtual machine.
    Note that this role is required for VMRC sessions used via the VMware Remote Console program (or other compatible software, such as its paid equivalent: VMware Workstation).
  • Virtual machine user (sample): same as the previous role, but also allows the user to create, run, modify, or delete scheduled tasks.
  • Virtual machine power user (sample): allows the user to access the console of the desired virtual machine, modify its configuration, use snapshots on it, manage scheduled tasks, and perform other actions related to virtual machine management.
  • VMware Consolidated Backup user (sample): allows the user to manage snapshots on virtual machines, download virtual machines, ...
  • vSphere Client Solution User: allows the user to manage (save, update, or cancel) extensions (plug-ins).

1.1. Role: Virtual machine user (sample)

When you select a role, for example "Virtual machine user (sample)", vSphere Client will show you a description of that role defined on your VMware vCenter Server (VCSA).
For the "Virtual machine user (sample)" role, VMware tells you that this role will allow the user to interact with the desired virtual machine(s).

In the "Usage" tab of the selected role, you will be able to find out:

  • Defined in: on which objects permissions have been granted using this role
  • User/Group: for which user or group permissions were granted
  • Propagate: whether the permissions apply only to the object indicated in the "Defined in" column (false) or also to its children (true).
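
The "Defined in" and "Propagate" columns, together with the "No access" role, decide which role a user actually ends up with on a given object. The Python sketch below is an added example (not part of the original tutorial and not VMware code) that models this for a single user on a constructed inventory. It assumes the permission nearest to the object wins and ignores group membership; the object names and the alice/bob accounts are made up.

```python
# Constructed inventory (child -> parent); None marks the vCenter root.
PARENT = {
    "vcenter": None,
    "datacenter-1": "vcenter",
    "vm-folder": "datacenter-1",
    "web-vm": "vm-folder",
    "hr-vm": "vm-folder",
}

# Constructed permissions, one tuple per row of a role's "Usage" tab:
# (defined_in, user, role, propagate)
PERMISSIONS = [
    ("vcenter", "Administrator@vsphere.local", "Administrator", True),
    ("vm-folder", "alice@vsphere.local", "Virtual machine user (sample)", True),
    ("hr-vm", "alice@vsphere.local", "No access", False),
    ("datacenter-1", "bob@vsphere.local", "Read-only", False),
]


def effective_role(obj, user, permissions=PERMISSIONS, parent=PARENT):
    """Return (role, defined_in) for the permission that applies, or None.

    Assumed rule for this model: walk from the object up to the root and
    take the first matching permission. A permission on the object itself
    always counts; one on an ancestor counts only if Propagate is true.
    """
    node = obj
    while node is not None:
        for defined_in, who, role, propagate in permissions:
            if defined_in == node and who == user and (node == obj or propagate):
                return role, defined_in
        node = parent[node]
    return None


def audit(user, permissions=PERMISSIONS, parent=PARENT):
    """Map every inventory object to the role the user ends up with."""
    return {obj: effective_role(obj, user, permissions, parent) for obj in parent}


if __name__ == "__main__":
    for account in ("alice@vsphere.local", "bob@vsphere.local"):
        print(account)
        for obj, result in audit(account).items():
            print(f"  {obj:<14} {result}")
```

Bob's Read-only permission stops at the data center because Propagate is false, while Alice's folder-level role reaches web-vm but is cancelled on hr-vm by "No access".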

In the "Privileges" tab of the selected role, you will be able to know the list of privileges that will be granted to the desired users thanks to this role.
Note that these are sorted by privilege categories.

In the case of this role "Virtual machine user (sample)", you will see that this will allow the user to:

  • manage scheduled tasks
  • interact with virtual machines: configure the virtual CD/DVD drive, connect devices, install VMware Tools, manage their power state, ...

For more information regarding all existing privileges under VMware vCenter Server (VCSA), see the "Defined Privileges" page of the official VMware documentation.

1.2. Role: Virtual machine power user (sample)

For the "Virtual machine power user (sample)" role, VMware tells you that this role allows the user to interact with virtual machines and also to manage their configuration.

To learn more about the privileges that will be granted to this user through this role, go to the "Privileges" tab.
As you can see, thanks to this role, the user will be able to:

  • access datastores
  • manage scheduled tasks
  • manage snapshots on virtual machines (VMs)
  • interact with virtual machines (VMs)
  • manage the power state of virtual machines (VMs)
  • modify the configuration of virtual machines (VMs), in particular by adjusting the system resources allocated to them or by creating, adding or deleting virtual hard disks, ...

1.3. Add a custom role

To add a new custom role, click the "+" icon at the top of the list of roles available on your VMware vCenter Server (VCSA).

In the "New Role" window that appears, carefully select the privileges you wish to grant.
All the privileges available in VMware vCenter Server are grouped into privilege categories, some of which are:

  • Alarms: allows you to manage alarms.
  • AutoDeploy: allows you to associate machines, create or modify image profiles, manage strategies, ...
  • Permissions: allows you to modify permissions, privileges, roles, or reassign role permissions.
  • Datastore: allows you to allocate space (to create new virtual hard disks, for example), manage datastores, update virtual machine files, ...
  • Content Library: allows you to display the configuration parameters of the content libraries, to add, publish or delete elements, ...
  • Datacenter: allows you to create, move, reconfigure, ... a data center and manage IP allocation.
  • Distributed switch: allows you to manage distributed switches (or "vSphere Distributed Switch" for vDS).
  • Folder: allows you to create, move, rename or delete folders.
  • Extension: allows you to register, update or unregister an extension (plug-in).
  • Global: allows you to manage vCenter Server settings, licenses, custom attributes, ...
  • Host: allows you to manage the host by managing its power supply, its parameters, its network configuration, the automatic start of virtual machines, ...
  • vSphere Tagging: allows you to manage tags and tag categories.
  • Virtual machine: allows you to interact with a virtual machine, its console, its snapshots, modify its configuration, ...
  • Cryptographic operations...
  • Network: allows you to assign, configure, move or delete networks.
  • vApp: allows you to create, move, export, ... vApps, add virtual machines, ...
  • and more.

Once you have selected the desired privileges, specify a name and a description (optional) for this new role and click on: Finish.

The new role created appears in the list and the list of privileges selected for it is displayed in the "Privileges" tab of this role.

® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.