VirtualCenter Objects and Permissions
The authorization to perform tasks in VMware Infrastructure is governed by an access control system. This system allows the VirtualCenter administrator — using the Virtual Infrastructure Client — to specify in great detail which users or groups can perform which tasks on which objects. It is defined using three key concepts:
• Privilege — The ability to perform a specific action or read a specific property. Examples include powering on a virtual machine and creating an alarm.
• Role — A collection of privileges. Roles provide a way to aggregate all the individual privileges that are required to perform a higher-level task, such as administering a virtual machine.
• Object — An entity upon which actions are performed. VirtualCenter objects are datacenters, folders, resource pools, clusters, hosts, and virtual machines.
Figure 1 shows the hierarchy of objects you can manage in the Virtual Infrastructure Client.
In addition, VirtualCenter depends upon the users and groups defined in your Active Directory environment or on the local Windows server on which VirtualCenter runs. One key point to note is that an ESX Server host can have its own set of users and groups that is independent of the Active Directory users and groups. If you are using VirtualCenter, you should avoid defining any users on the ESX Server host beyond those that are created by default. This approach provides better manageability, because there is no need to synchronize the two lists if a user or group is added or updated on one of the systems. It also improves security, because it makes it possible for all permissions to be managed in one place. For a full description of the way ESX Server and the Virtual Infrastructure Client recognize and manage users and groups, see the sections “Users” and “Groups”.
Built-in and Custom Roles
VirtualCenter and ESX Server hosts provide default roles:
• System roles – System roles are permanent, and the privileges associated with these roles cannot be changed. The three system roles are No Access, Read-Only, and Administrator. The latter two also exist in VirtualCenter 1.x.
• Sample roles – Sample roles are provided for convenience as guidelines and suggestions. Table 1 lists the sample roles in VirtualCenter 2.x. Note that two of these roles are meant to emulate the roles with the same names in VirtualCenter 1.x.
The Administrator role is the most powerful one in VirtualCenter. It essentially allows the user to perform every available action in VirtualCenter. You should grant this role to as few users as possible. The Read-Only role allows the user to view the state and configuration of objects without modifying them. The No Access role prevents a user from seeing any objects. It is equivalent to assigning no role to a user for a particular object. The No Access role is useful in conjunction with other roles to limit their scope, as shown in an example later in this paper.
The built-in roles provide a way to get started with VirtualCenter permissions management. By studying Table 1, then examining the privileges of each role in the VI Client, you can determine which roles are appropriate for the personnel in your environment. Bear in mind that a role must be applied to an object for a specified user or group in order to create a permission. You should decide which object in the inventory hierarchy is the appropriate one to which to apply the role. For example, instead of granting the Virtual Machine Administrator role to someone on individual virtual machines, you can group selected virtual machines in a folder, then apply this role to the folder, with propagation enabled.
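The following is an added example, not code from the paper or from VMware, that models the three concepts above (privilege, role, object) and the two scoping tools just described: applying a role to a folder with propagation enabled, and using No Access on a child object to carve an exception out of a propagated grant. The privilege names, role definitions, inventory objects and principals are all constructed for the example. The resolution rule it assumes is that the closest object on the path from the target to the root that carries a permission for the user (or, failing that, for one of the user's groups) decides, that ancestor permissions count only when they propagate, and that a user-specific permission overrides group permissions on the same object; treat that as the example's assumption rather than a statement of VirtualCenter's exact implementation.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Roles as named privilege sets. Privilege names are constructed for this
# example and are not VirtualCenter's real privilege identifiers.
ROLES: Dict[str, FrozenSet[str]] = {
    "No Access": frozenset(),
    "Read-Only": frozenset({"System.View"}),
    "Virtual Machine Administrator": frozenset(
        {"System.View", "VirtualMachine.PowerOn",
         "VirtualMachine.Configure", "Alarm.Create"}),
    "Administrator": frozenset(
        {"System.View", "VirtualMachine.PowerOn",
         "VirtualMachine.Configure", "Alarm.Create", "Permission.Modify"}),
}


@dataclass
class Permission:
    """A role applied to an object for one user or group (the principal)."""
    principal: str
    role: str
    propagate: bool = True


@dataclass
class InvObject:
    """A node of the inventory hierarchy (datacenter, folder, VM, ...)."""
    name: str
    parent: Optional["InvObject"] = None
    children: List["InvObject"] = field(default_factory=list)
    permissions: List[Permission] = field(default_factory=list)

    def add_child(self, name: str) -> "InvObject":
        node = InvObject(name, parent=self)
        self.children.append(node)
        return node

    def grant(self, principal: str, role: str, propagate: bool = True) -> None:
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        self.permissions.append(Permission(principal, role, propagate))


def effective_privileges(obj: InvObject, user: str, groups: Set[str]) -> Set[str]:
    """Privileges `user` (member of `groups`) holds on `obj`.

    Assumed model: walk from the object toward the root; the closest object
    carrying a permission for the user, or else for one of the user's groups,
    decides. Ancestor permissions apply only if they propagate. A user-specific
    permission beats group permissions on the same object; several group
    permissions on one object are unioned.
    """
    node: Optional[InvObject] = obj
    at_target = True
    while node is not None:
        applicable = [p for p in node.permissions if at_target or p.propagate]
        for matches in (lambda p: p.principal == user,
                        lambda p: p.principal in groups):
            hits = [p for p in applicable if matches(p)]
            if hits:
                return set().union(*(ROLES[p.role] for p in hits))
        node, at_target = node.parent, False
    return set()  # no permission on the path: the same as No Access


def has_privilege(obj: InvObject, user: str, groups: Set[str], privilege: str) -> bool:
    return privilege in effective_privileges(obj, user, groups)


def find_role_grants(root: InvObject, role: str) -> List[Tuple[str, str]]:
    """(object name, principal) pairs where `role` is granted anywhere in the
    tree: an audit helper for keeping Administrator grants to a minimum."""
    found = [(root.name, p.principal) for p in root.permissions if p.role == role]
    for child in root.children:
        found.extend(find_role_grants(child, role))
    return found


def lookup(root: InvObject, name: str) -> InvObject:
    """Find an object by name (names are assumed unique in this example)."""
    if root.name == name:
        return root
    for child in root.children:
        try:
            return lookup(child, name)
        except KeyError:
            continue
    raise KeyError(name)


def build_demo_inventory() -> InvObject:
    """Constructed inventory: one datacenter, a folder of development VMs, and
    one VM that sits directly under the datacenter."""
    dc = InvObject("Datacenter-A")
    dc.grant("ops-admins", "Administrator")            # propagates to everything below
    dc.grant("bob", "Read-Only", propagate=False)      # the datacenter object only
    dev = dc.add_child("Dev VMs")
    dev.grant("vm-admins", "Virtual Machine Administrator")  # folder grant, propagated
    dev.add_child("dev-web-01")
    db = dev.add_child("dev-db-01")
    db.grant("alice", "No Access")                     # carve alice out of this one VM
    dc.add_child("prod-web-01")
    return dc


if __name__ == "__main__":
    root = build_demo_inventory()
    for vm in ("dev-web-01", "dev-db-01", "prod-web-01"):
        ok = has_privilege(lookup(root, vm), "alice", {"vm-admins"}, "VirtualMachine.Configure")
        print(f"alice may configure {vm}: {ok}")
    print("Administrator grants:", find_role_grants(root, "Administrator"))
```

Running the block shows alice, who is in vm-admins, may configure dev-web-01 through the propagated folder grant but not dev-db-01 (the No Access permission on that VM is closer and wins) and not prod-web-01 (outside the folder, no permission on its path). Bob's non-propagating Read-Only on the datacenter gives him no view of the VMs beneath it, and the audit helper lists every object where Administrator is granted so the list can be kept short.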
Table 1. Sample roles in VirtualCenter 2.x
Role: (equivalent to the role with the same name in VirtualCenter 1.x)
User capabilities: Perform actions on virtual machines only. Interact with virtual machines, but do not change the virtual machine configuration. This includes:
• All privileges for the scheduled tasks privileges group.
• Selected privileges for the global items and virtual machine privileges groups.
• No privileges for the folder, datacenter, datastore, network, host, resource, alarms, sessions, performance, and permissions privileges groups.
Role: Virtual Machine Power User
User capabilities: Perform actions on the virtual machine and resource objects. Interact with and change most virtual machine configuration settings, take snapshots, and schedule tasks. This includes:
• All privileges for the scheduled tasks privileges group.
• Selected privileges for the global items, datastore, and virtual machine privileges groups.
• No privileges for the folder, datacenter, network, host, resource, alarms, sessions, performance, and permissions privileges groups.
Role: Resource Pool Administrator
User capabilities: Perform actions on datastores, hosts, virtual machines, resources, and alarms. Provides resource delegation and is assigned to resource pool inventory objects. This includes:
• All privileges for the folder, virtual machine, alarms, and scheduled tasks privileges groups.
• Selected privileges for the global items, datastore, resource, and permissions privileges groups.
• No privileges for the datacenter, network, host, sessions, or performance privileges groups.
Role: Datacenter Administrator
User capabilities: Perform actions on global items, folders, datacenters, datastores, hosts, virtual machines, resources, and alarms. Set up datacenters, but with limited ability to interact with virtual machines. This includes:
• All privileges for the folder, datacenter, datastore, network, resource, alarms, and scheduled tasks privileges groups.
• Selected privileges for the global items, host, and virtual machine privileges groups.
• No privileges for the sessions, performance, and permissions privileges groups.
Role: Virtual Machine Administrator (equivalent to the role with the same name in VirtualCenter 1.x)
User capabilities: Perform actions on global items, folders, datacenters, datastores, hosts, virtual machines, resources, alarms, and sessions. This includes:
• All privileges for all privilege groups, except permissions.