Objective Topics:
- Compare and contrast propagated and explicit permission assignments
- View/Sort/Export user and group lists
- Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
- Determine how permissions are applied and inherited in vCenter Server
- Create/Clone/Edit vCenter Server Roles
- Configure VMware Directory Service
- Apply a role to a User/Group and to an object or group of objects
- Change permission validation settings
- Determine the appropriate set of privileges for common tasks in vCenter Server
- Compare and contrast default system/sample roles
- Determine the correct permissions needed to integrate vCenter Server with other VMware products
Compare and contrast propagated and explicit permission assignments
Information from the VMware vSphere Security document; see the section ‘Understanding Authorization in vSphere’, page 114.
The primary way of authorizing a user or group in vSphere is the vCenter Server permissions. Depending on the task you want to perform, other permissions might be required.
There are 4 different types of permissions that can be granted:
- vCenter Server permissions – permissions on objects in the object hierarchy of that vCenter Server.
- Global permissions – permissions assigned to a global root object that spans solutions (e.g. vCenter Orchestrator). Global permissions are replicated across the vsphere.local domain, but they do not authorize services that are managed through vsphere.local groups.
- vsphere.local groups – administrator@vsphere.local can perform tasks associated with services included in the Platform Services Controller (PSC).
- ESXi local host permissions – on a standalone host, predefined roles can be assigned directly to users.
View/Sort/Export user and group lists
Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
Depending on the permissions we want to apply, select the inventory object accordingly.
In this example we assign the ‘virtual machine user’ role to an Active Directory user on a host.
Select ESX-01, click the ‘Manage’ tab, then the ‘Permissions’ tab, click the plus sign, and select the realm to use (local or Active Directory).
Determine how permissions are applied and inherited in vCenter Server
Source: vSphere Security Document (Page 115-117)
Create/Clone/Edit vCenter Server Roles
Configure VMware Directory Service & Add a role to a User/Group and to an object or group of objects
Change Permission Validation Settings
vCenter Server periodically checks (validates) the users and groups that hold permissions against the users in the user directory, similar to what you could call ‘syncing’. If a user is removed from the directory (such as Active Directory), that user is removed from vCenter Server permissions on the next validation.
The interval is set in minutes. To disable validation, set the value to ‘0’.
Determine the appropriate set of privileges for common tasks in vCenter Server
Source: vSphere Security Document (Page 127-129)
Compare and contrast default system/sample roles
As previously stated, you can’t modify system roles; clone one and then modify the clone to suit your needs. Sample roles can be modified and/or cloned.
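The same tasks from the command line, as an added PowerCLI example that is not from the page or from VMware’s documentation: clone a sample role rather than editing it, trim one privilege from the clone, grant it to an Active Directory user on ESX-01 as an explicit (non-propagating) assignment, and then audit the host’s permissions. The vCenter address, the domain account and the exact sample role name are assumptions; the privilege ID used is the standard VirtualMachine.Interact.ConsoleInteract.

```powershell
# Added example (PowerCLI), not from the page. Placeholders: vcsa.example.local, EXAMPLE\jdoe.
Connect-VIServer -Server 'vcsa.example.local'

# 1. Clone the sample role instead of editing it in place, so the shipped role stays intact.
#    Sample role names vary by vSphere version; confirm with: Get-VIRole | Select-Object Name
$source = Get-VIRole -Name 'Virtual machine user (sample)'
$privs  = Get-VIPrivilege -Role $source
$role   = New-VIRole -Name 'VM User - No Console' -Privilege $privs

# 2. Narrow the clone to least privilege: an operator who only powers VMs on and off
#    does not need interactive console access.
$console = Get-VIPrivilege -Id 'VirtualMachine.Interact.ConsoleInteract'
Set-VIRole -Role $role -RemovePrivilege $console | Out-Null

# 3. Explicit assignment on one host only. -Propagate:$false keeps the grant from being
#    inherited by the VMs under ESX-01; use -Propagate:$true only when inheritance is intended.
#    ($host is a reserved automatic variable in PowerShell, hence $esx.)
$esx = Get-VMHost -Name 'ESX-01'
New-VIPermission -Entity $esx -Principal 'EXAMPLE\jdoe' -Role $role -Propagate:$false

# 4. Audit: who holds what on the host, and whether each grant propagates.
Get-VIPermission -Entity $esx |
    Select-Object Principal, Role, Propagate, IsGroup |
    Format-Table -AutoSize

Disconnect-VIServer -Server 'vcsa.example.local' -Confirm:$false
```

Run the audit step on its own against any object (cluster, folder, VM) to see which permissions arrived there by propagation from a parent versus being assigned explicitly.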
Determine the correct permissions needed to integrate vCenter Server with other VMware products
Source: vSphere Security Document (Page 122-123)