vCenter Server Permission Management

Introduction to vCenter Server permissions

The vCenter Server access control system lets administrators define which users can access which objects in the inventory, and what they are allowed to do with them.

First, a few concepts:

  • Permission: a permission grants a user or group a role on a particular object; it is the unit in which access is defined.

The vCenter Server permission model is built on permissions assigned to objects in the vSphere inventory. Each permission gives one user or group a set of privileges, that is, a role, on the selected object. By assigning different roles to different users or groups on different objects, you determine what each of them can do.

  • Privilege: the right to perform one specific operation, such as creating a virtual machine or creating an alarm.
  • Role: a named set of privileges.
  • Object: the target of an operation (data centers, folders, resource pools, clusters, hosts, datastores, networks and virtual machines).
  • Users and groups: who performs the operation. Privileges can only be granted to authenticated principals, that is, users or groups known to vCenter Single Sign-On.

For example, you can select a virtual machine object, add a permission that grants the Read-only role to Group1, and add a second permission that grants the Administrator role to User2. By assigning different roles to users and groups on different objects, you control which tasks each user can perform in your vSphere environment.

Users and groups must come from an identity source registered with vCenter Single Sign-On (for example Active Directory), so that vCenter can identify them during authentication. System roles such as Administrator are predefined on vCenter Server and cannot be changed. Sample roles such as Resource pool administrator are predefined as well. Custom roles can be created from scratch, or by cloning a sample role and modifying it.
Adding a permission to an object in the vCenter Server inventory

  • Select an object in the vSphere Web Client (a data center, a folder, a virtual machine, and so on).
  • Right-click the object and choose Add Permission (or use its Permissions tab), select the user or group that should be able to act on this object, then assign that user or group a role.

About roles:
A role is a set of privileges:

  • Roles are what allow users to perform tasks.
  • To simplify configuration, roles are grouped into categories: system roles, sample roles and custom roles.

• Administrator role: lets the user view an object and perform all operations on it.
• No cryptography administrator role: the same privileges as the Administrator role, except for the cryptographic operations privileges.
• No access role: the user cannot view or change the object in any way.
• Read-only role: the user can view the state and details of the object but cannot change it.
All roles are independent of each other; there is no hierarchy or inheritance between them.

An object is the entity on which an operation is performed.
Objects include data centers, folders, resource pools, clusters, hosts, datastores, networks and virtual machines. Every object has a Permissions tab, which lists the users or groups and the roles associated with the selected object.

Applying permissions

  • Scenario 1

Permissions applied directly to an object override inherited permissions.

A permission can be propagated down the object hierarchy to all child objects, or it can apply only to the object it is set on.
Besides choosing whether a permission propagates, you can also override a higher-level permission by setting a different permission explicitly on a lower-level object. In the example, the user Greg is granted Read-only access on the Training data center. This role propagates to all child objects except the virtual machine Prod03-2, on which Greg is granted Administrator directly.

  • Scenario 2

If a user belongs to several groups that have different permissions on the same object, the user receives the union of those groups' permissions.

When a user is a member of several groups that are each assigned a different role on the same object, the user holds all the privileges of all those roles on that object.
In the example, Group1 is assigned the VM_Power_On role, a custom role that contains a single privilege: powering on a virtual machine. Group2 is assigned the take_snapshot role, another custom role that contains the privileges to create and delete snapshots. Both permissions propagate to child objects. Because Greg belongs to Group1 and Group2, he gets both the VM_Power_On and the take_snapshot privileges on every object in the Training data center.

  • Scenario 3

Different groups can hold different permissions on different objects; each permission applies on its own object as if it had been granted to the user directly.

When a user is a member of several groups that have permissions on different objects, each group's permission applies on the object it was set on, as if it had been granted directly to the user.
In the example, Group1 is assigned the Administrator role on the Training data center and Group2 is assigned the Read-only role on the virtual machine Prod03-1. The permission granted to Group1 propagates to child objects. Because Greg is a member of both groups, he has administrator privileges on the entire Training data center (the higher-level object) except for the virtual machine Prod03-1 (the lower-level object), where he has only read-only access, since the permission set directly on the VM overrides the inherited one.

  • Scenario 4

A permission explicitly defined for the user on an object takes precedence over all group permissions on the same object.

In the example, three permissions are assigned on the Training data center: Group1 is assigned the VM_Power_On role, Group2 is assigned the take_snapshot role, and Greg is assigned the Read-only role, all propagating to child objects. Although Greg is a member of Group1 and Group2, he has only read-only access to the Training data center and all objects beneath it, because an explicit user permission on an object takes precedence over all group permissions on the same object.

Creating a role:
Create only the roles needed to support the tasks at hand, for example a Virtual Machine Creator role. Use folders to limit the scope of a permission: for example, assign the Virtual Machine Creator role to the user Nancy and apply it to the Finance folder.
The Virtual Machine Creator role is only one of many roles that can be created. As a best practice, define each role with as few privileges as possible, to maximize security and control over the environment.
Also give each role a name that makes clear what it allows, so that its purpose is obvious.
Use folders to contain the scope of a permission.
For example, to restrict where virtual machines can be created, create a folder in the VMs and Templates inventory view and apply the virtual machine creation role for the user on that folder.
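The four scenarios above and the folder-scoped Virtual Machine Creator role all reduce to three rules: a permission set directly on an object beats an inherited one, an explicit user permission beats group permissions on the same object, and otherwise the roles of all matching groups are unioned. The Python model below is an added example, not code from the original post or from VMware; it encodes those rules and replays each scenario offline. The inventory (Training data center, Prod03-1, Prod03-2, a Finance folder), the users, the groups and the role contents follow the post; the privilege IDs use vSphere's naming, but the privilege sets are illustrative assumptions and nothing here talks to a real vCenter.

```python
from dataclasses import dataclass, field

ALL = "*"  # stands in for "every privilege", as held by the system Administrator role


@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset


@dataclass
class Permission:
    principal: str      # user or group name
    is_group: bool
    role: Role
    propagate: bool = True


@dataclass
class InvObject:        # data center, folder, VM ... together with its Permissions tab
    name: str
    parent: "InvObject" = None
    permissions: list = field(default_factory=list)


# Roles named in the post. Privilege IDs follow vSphere naming; the sets are illustrative.
ADMIN = Role("Administrator", frozenset({ALL}))
READ_ONLY = Role("Read-only", frozenset({"System.View", "System.Read"}))
VM_POWER_ON = Role("VM_Power_On", frozenset({"VirtualMachine.Interact.PowerOn"}))
TAKE_SNAPSHOT = Role("take_snapshot", frozenset(
    {"VirtualMachine.State.CreateSnapshot", "VirtualMachine.State.RemoveSnapshot"}))
VM_CREATOR = Role("Virtual Machine Creator", frozenset(
    {"VirtualMachine.Inventory.Create", "Resource.AssignVMToPool",
     "Datastore.AllocateSpace", "Network.Assign"}))


def _privileges_on(obj, user, groups, inherited):
    """Rules on one object: an explicit user permission beats group permissions, otherwise
    matching group roles are unioned. Inherited lookups only see propagating entries.
    None means nothing is defined here (unlike an empty set: a real No access assignment)."""
    matching = [p for p in obj.permissions
                if (p.propagate or not inherited)
                and (p.principal in groups if p.is_group else p.principal == user)]
    if not matching:
        return None
    explicit = [p for p in matching if not p.is_group]
    return frozenset().union(*(p.role.privileges for p in (explicit or matching)))


def effective_privileges(obj, user, groups=frozenset()):
    """Direct overrides inherited: walk toward the root and stop at the first object
    that defines a permission for this user."""
    node, inherited = obj, False
    while node is not None:
        privs = _privileges_on(node, user, groups, inherited)
        if privs is not None:
            return privs
        node, inherited = node.parent, True
    return frozenset()  # no permission anywhere: same as No access


def has_privilege(obj, user, privilege, groups=frozenset()):
    privs = effective_privileges(obj, user, groups)
    return ALL in privs or privilege in privs


def build_training():   # constructed inventory: Training data center with two VMs
    dc = InvObject("Training")
    return dc, InvObject("Prod03-1", dc), InvObject("Prod03-2", dc)


GREG = ("Greg", frozenset({"Group1", "Group2"}))  # Greg belongs to both groups


def scenario_1():
    dc, vm1, vm2 = build_training()
    dc.permissions.append(Permission("Greg", False, READ_ONLY))
    vm2.permissions.append(Permission("Greg", False, ADMIN))  # direct beats inherited
    return effective_privileges(vm1, *GREG), effective_privileges(vm2, *GREG)


def scenario_2():
    dc, vm1, _ = build_training()
    dc.permissions += [Permission("Group1", True, VM_POWER_ON),
                       Permission("Group2", True, TAKE_SNAPSHOT)]
    return effective_privileges(vm1, *GREG)  # union of both groups' roles


def scenario_3():
    dc, vm1, vm2 = build_training()
    dc.permissions.append(Permission("Group1", True, ADMIN))
    vm1.permissions.append(Permission("Group2", True, READ_ONLY))
    return effective_privileges(vm1, *GREG), effective_privileges(vm2, *GREG)


def scenario_4():
    dc, vm1, _ = build_training()
    dc.permissions += [Permission("Group1", True, VM_POWER_ON),
                       Permission("Group2", True, TAKE_SNAPSHOT),
                       Permission("Greg", False, READ_ONLY)]  # explicit user beats groups
    return effective_privileges(vm1, *GREG)


def scoped_vm_creator():  # Nancy may create VMs only inside the Finance folder
    dc = InvObject("Training")
    finance, hr = InvObject("Finance", dc), InvObject("HR", dc)
    finance.permissions.append(Permission("Nancy", False, VM_CREATOR))
    create = "VirtualMachine.Inventory.Create"
    return (has_privilege(finance, "Nancy", create), has_privilege(hr, "Nancy", create),
            has_privilege(finance, "Nancy", "VirtualMachine.Interact.PowerOn"))
```

Each scenario function returns the privileges Greg (or Nancy) ends up with, so the model can be checked against the slides: scenario 1 yields Read-only on Prod03-1 and Administrator on Prod03-2, scenario 2 the union of power-on and snapshot privileges, scenario 3 Read-only on Prod03-1 but Administrator on Prod03-2, scenario 4 Read-only only, and the scoped role lets Nancy create VMs in Finance but not in HR and gives her nothing beyond the four privileges in the role. The same direct-overrides-inherited rule is what makes a No access permission placed directly on a child object hide it from a user who holds Administrator on the parent, so when auditing who can do what, walk the hierarchy as `effective_privileges` does rather than reading a single object's Permissions tab.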


Origin: blog.csdn.net/surijing/article/details/105015460