© 2010 VMware Inc. All rights reserved Access Control Module 8

Module 8-2 © 2010 VMware Inc. All rights reserved You Are Here vSphere Environment Introduction to VMware Virtualization VMware ESX and ESXi VMware vCenter Server Networking Storage Virtual Machines Operations Resource Monitoring Data Protection Scalability High Availability Patch Management Installing VMware ESX and ESXi VMware vSphere 4.1: Install, Configure, Manage – Revision A Access Control

Module 8-3 © 2010 VMware Inc. All rights reserved Importance  When multiple users are accessing the VMware vSphere™ environment, a best practice is to give each user only the necessary permissions and nothing more. VMware vCenter™ Server allows flexible assignment of permissions. VMware vSphere 4.1: Install, Configure, Manage – Revision A

Module 8-4 © 2010 VMware Inc. All rights reserved Module Objectives  Define a permission  Describe the rules for applying permissions  Create a custom role  Create a permission VMware vSphere 4.1: Install, Configure, Manage – Revision A

Module 8-5 © 2010 VMware Inc. All rights reserved Access Control Overview The access control system allows the vCenter Server administrator to define a user’s privileges to access objects in the inventory. Key concepts:  Privilege – Defines an action that can be performed  Role – A set of privileges  Object – The target of the action  User/group – Indicates who can perform the action Together, a role, a user or group, and an object define a permission. VMware vSphere 4.1: Install, Configure, Manage – Revision A

Module 8-6 © 2010 VMware Inc. All rights reserved Users and Groups vCenter Server or VMware® ESX™/ESXi users/groups can be local users or Active Directory domain users. Active Directory services provides authentication for all local services:  VMware vSphere™ Client  Direct console user interface  Technical support mode (local and remote)  Access through the vSphere API Users who are in the Active Directory group ESX Admins are automatically assigned the Administrator role. VMware vSphere 4.1: Install, Configure, Manage – Revision A

Module 8-7 © 2010 VMware Inc. All rights reserved Roles Roles are collections of privileges:  They allow users to perform tasks.  They are grouped in categories. Roles include system roles, sample roles, and custom- built roles. VMware vSphere 4.1: Install, Configure, Manage – Revision A

Module 8-8 © 2010 VMware Inc. All rights reserved Objects Objects are entities on which actions are performed.  Objects include datacenters, folders, resource pools, clusters, hosts, datastores, networks, and virtual machines. All objects have a Permissions tab.  This tab shows which user or group and role are associated with the selected object. VMware vSphere 4.1: Install, Configure, Manage – Revision A

Module 8-9 © 2010 VMware Inc. All rights reserved Assigning Permissions To assign a permission: 1. Select a user. 2. Select a role. 3. (Optional) Propagate the permission to child objects. VMware vSphere 4.1: Install, Configure, Manage – Revision A

Module 8-10 © 2010 VMware Inc. All rights reserved Viewing Roles and Assignments The Roles pane shows which users are assigned the selected role on a particular object. VMware vSphere 4.1: Install, Configure, Manage – Revision A

Module 8-11 © 2010 VMware Inc. All rights reserved Applying Permissions: Scenario 1 A permission can propagate down the object hierarchy to all subobjects or it can apply only to an immediate object. Greg – Administrator Greg – No Access VMware vSphere 4.1: Install, Configure, Manage – Revision A

Module 8-12 © 2010 VMware Inc. All rights reserved Applying Permissions: Scenario 2 When a user is a member of multiple groups with permissions on the same object:  The user is assigned the union of privileges assigned to the groups for that object. Group1 – VM_Power_On (custom role) Group2 – Take_Snapshots (custom role) Members of Group1: Greg Susan Members of Group2: Greg Carla VMware vSphere 4.1: Install, Configure, Manage – Revision A

Module 8-13 © 2010 VMware Inc. All rights reserved Applying Permissions: Scenario 3 When a user is a member of multiple groups with permissions on different objects:  For each object on which the group has permissions, the same permissions apply as if they were granted directly to the user. Group1 – Administrator Group2 – Read-only Members of Group1: Greg Susan Members of Group2: Greg Carla VMware vSphere 4.1: Install, Configure, Manage – Revision A

Module 8-14 © 2010 VMware Inc. All rights reserved Applying Permissions: Scenario 4 Permissions defined explicitly for the user on an object take precedence over all group permissions on that same object. Group1 – VM_Power_On (custom role) Group2 – Take_Snapshots (custom role) Greg – Read-only Members of Group1: Greg Susan Members of Group2: Greg Carla VMware vSphere 4.1: Install, Configure, Manage – Revision A

Module 8-15 © 2010 VMware Inc. All rights reserved Creating a Role Create roles that enable only the necessary tasks:  Example: Virtual Machine Creator Use folders to contain the scope of permissions:  For example, assign the Virtual Machine Creator role to user Nancy and apply it to the Finance folder. Virtual Machine Creator role Datastore > Allocate space Network > Assign network Resource > Assign virtual machine to resource pool Virtual machine > Inventory > Create new Virtual machine > Configuration > Add new disk Virtual machine > Configuration > Add or remove device VMware vSphere 4.1: Install, Configure, Manage – Revision A

Module 8-16 © 2010 VMware Inc. All rights reserved Lab 13 In this lab, you will manage user access permissions. 1. Configure an ESXi host to use directory services. 2. Use Active Directory accounts to verify proper access to your ESXi host. 3. Create a custom role in vCenter Server. 4. Assign permissions on vCenter Server inventory objects. 5. Verify permission usability. VMware vSphere 4.1: Install, Configure, Manage – Revision A

Module 8-17 © 2010 VMware Inc. All rights reserved Module Summary  Define a permission  Describe the rules for applying permissions  Create a custom role  Create a permission VMware vSphere 4.1: Install, Configure, Manage – Revision A

Module 8-18 © 2010 VMware Inc. All rights reserved Key Points  A permission is a combination of a user or group and role that is applied to an object in the inventory.  A permission can propagate down the object hierarchy to all subobjects or it can apply only to an immediate object.  As a best practice, define a role using the smallest number of privileges possible for better security and added control. VMware vSphere 4.1: Install, Configure, Manage – Revision A