- Compare and contrast propagated and explicit permission assignments
- View/Sort/Export user and group lists
- Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
- Determine how permissions are applied and inherited in vCenter Server
- Create/Clone/Edit vCenter Server Roles
- Configure VMware Directory Service
- Apply a role to a User/Group and to an object or group of objects
- Change permission validation settings
- Determine the appropriate set of privileges for common tasks in vCenter Server
- Compare and contrast default system/sample roles
- Determine the correct permissions needed to integrate vCenter Server with other VMware products
Compare and contrast propagated and explicit permission assignments
Information from VMware vSphere Security document. See section ‘Understanding Authorization in vSphere, page 114.
The primary way of authorizing a user or group in vSphere is the vCenter Server permissions. Depending on the task you want to perform, other permissions might be required.
There are 4 different types of permissions that can be granted.
- vCenter Server Permissions – Permissions to objects in the object hierarchy of that vCenter Server.
- Global Permissions – Permissions assigned to a global rool object that spans solutions (i.e. vCenter Orchestrator). Global permissions are replicated across the vsphere.local domain. But they do not authorize services managed through vsphere.local groups.
- vSphere.local Groups – email@example.com can perform tasks that are associated with services that are included in the PSC.
- ESXi Local Host – Standalone predefined roles can be assigned to users.
View/Sort/Export user and group lists
Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
Depending on the permissions we want to apply, we’ll select the object accordingly.
We’ll assign the ‘virtual machine user’ role to an Active directory user to a host in this example.
Select ESX-01, click the ‘manage’ tab, ‘permissions’ tab, plus sign, select the realm we want to use (local, Active Directory).
Determine how permissions are applied and inherited in vCenter Server
Create/Clone/Edit vCenter Server Roles
Configure VMware Directory Service & Add a role to a User/Group and to an object or group of objects
Change Permission Validation Settings
vCenter checks (or validates) the users/groups against the users in the user directory. Similar to what you could call ‘syncing’. If a user is removed from the directory (such as Active Directory), that user will be removed on the next validation.
The interval is set in minutes. To disable validation set the value to ‘0’.
Determine the appropriate set of privileges for common tasks in vCenter Server
Source: vSphere Security Document (Page 127-129)
Compare and contrast default system/sample roles
As previously stated, you can’t modify system roles. You can clone, then modify to your needs. Sample roles can be modified and/or cloned.
Determine the correct permissions needed to integrate vCenter Server with other VMware products
Source: vSphere Security Document (Page 122-123)