vSphere 6.x Configure and Administer Role-based Access Control

Compare and contrast propagated and explicit permission assignments

Authorization in vSphere:

A user or a group in vSphere is authorized using vCenter Server permissions. A privileged user can assign permissions to another user or group in following ways,

a.      vCenter Server permissions

The permission model of vCenter Server relies on assigning permission to objects in the object hierarchy of that vCenter Server. Each permission gives one user or group a set of privileges that is, a role for a selected object.

b.      Global permissions

Global permissions are applied to global root objects that spans across solutions such as vCenter and Orchestrator. A user can be given permission to access all objects that are present in both object hierarchies.

c.       Group membership in vsphere.local group

The user administrator@vsphere.local can perform tasks that are associated with services included in Platform Service Controller (PSC). Following are the services in PSC,

  • VMware vCenter Single Sign-On
  • VMware License Server
  • Lookup Service
  • Certificate Authority
  • Certificate Store
  • VMware Directory Services

If user is a member of LicenseService.Administrator group the user can perform license management.

d.      ESXi Local host permissions

A user with this permission can manage a standalone ESXi host which is not managed by vCenter Server.

View/Sort/Export user and group lists

In this chapter we discuss some of the basic operation in vSphere Web Client related to users and groups.

To view users and groups present in a vCenter Server click Administration in the left navigation pane present in vSphere Web Client. Once in Administration click Users and Groups present under Single Sign-On. Now the tabs can be used to navigate to see Users, Solution Users and Groups. Click on a Group to see the Group members.

vCenter Web Client allows us to export the list of users and groups present in the inventory. To do that, on a relevant tab such as users or groups click the down pointing arrow located at the bottom right hand corner. Figure 1 illustrates all of this,

Note: The other way to view the users and groups associated with a vCenter Server, we can navigate to vCenter Server in the vCenter Inventory Lists and then by selecting the vCenter Server, number of options will appear in the middle pane. Now click Manage and then click Permissions tab to see the users and groups associated with this vCenter and the role they are associated with.

Figure 1: View, Sort, Export users and groups.
Figure 1: View, Sort, Export users and groups.

Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects

Permissions can be easily added to a user or to a group in vSphere Web Client. In order to do these, again navigate to Administration from the vSphere Web Client main navigation panel called as Navigator. Once in Administration menu select Global Permissions. Click the green + icon to add a user with pre-defined roles. To edit the user permissions click on the user and then click the pencil icon. And to remove the permission select the desired permission and click red X icon.

The following image illustrates group Az is being assigned with a pre-defined role “Administrator”. Note the option “Propagate to children” is checked.

Figure 2: Group Az is assigned a pre-defined role “Administrator”
Figure 2: Group Az is assigned a pre-defined role “Administrator”

Lesion 4: Determine how permissions are applied and inherited in vCenter Server

vCenter Server permission model:

In vSphere, Object is nothing but a category in vCenter or action that can be performed. For Example, a VM folder is considered as an object. In its hierarchical view there can be VM’s, vApp’s, templates. And the vApp can in turn have resource pool and VM in its own hierarchy. Figure 3 is an illustration of object and its child objects in its hierarchy.

Figure 3 Hierarchical view of an Object in vCenter Server
Figure 3: Hierarchical view of an Object in vCenter Server

In vCenter each object is assigned with permissions. The permission is propagated to child objects. It is also possible to prevent it from propagating to child objects. The created permission can be assigned to a user or a group. Following figure 4 and 5 illustrates group, user in a group and the permission assigned to all users in that group.

Figure 4: Az is a group and azhagarasu is a user in that group
Figure 4: Az is a group and azhagarasu is a user in that group
Figure 5: Group Az visible in Administrator role
Figure 5: Group Az visible in Administrator role

Let’s takes some time to understand what is Permissions, Users and Groups, Roles and Privileges.

a.      Permissions

Each object in the vCenter Server hierarchy has associated permissions. A role can be defined with a set of permissions and then a user or group can be assigned that role. Once done the user or users in that group will inherit the permissions defined in the role. The following image illustrates creation of role “Oracle_Dev” with certain permissions.

Figure 6: Role Oracle_Dev creation
Figure 6: Role Oracle_Dev creation
a.      Role

Like the one in above image, a Role is nothing but a collection of permission a normal user would perform. It is then assigned to a user or group. In vCenter Server there are predefined roles, some of them cannot be modified or deleted but can be cloned. The other sample roles can be modified, cloned and deleted.

b.      Users and Groups

Users and groups can be created in vCenter Server and also the Active Directory user and groups can be assigned permission. A user or group can be assigned permissions only after authentication in vCenter Server. Users are authenticated through vCenter single sign-on. The user and group must be defined in the identity source that vCenter single sign-on is using to authenticate.

c.       Privileges

Privileges are fine grained access control. Let’s put that in a simple way, Permissions are grouped into role and role is a collection of permissions. A permission is directly associated with a vCenter object. Privileges are grouped into role and assigned to a user or group. Still confused about permission and privileges? Refer Figure 2 and note what privilege is.

Now the following image from VMware should make much sense.

Figure 7: vSphere Permissions conceptual block diagram
Figure 7: vSphere Permissions conceptual block diagram

Create/Clone/Edit vCenter Server Roles

In the previous lesion we understood what a role is and in this lesion let’s create, clone and edit roles in vCenter Server.

Again to access roles, navigate to Administration from the vSphere Web Client main navigation panel called as Navigator. Once in Administration menu select Roles. The Green + icon can be used to add a new role and the ID badge like icon can be used to clone a role. Pencil icon for editing and red X to remove a role. Following figure illustrates the options available in Roles.

Figure 8: Figure 8 Create Clone Edit vCenter Server Roles
Figure 8: Figure 8 Create Clone Edit vCenter Server Roles

Configure VMware Directory Service

VMware Directory Service (VMDir) is one of the services in Platform Service Controller (PSC). The VMware Directory Service is associated with the domain you specify during installation of vCenter Server and is included in each embedded deployment and on each Platform Service Controller. VMDir replication ensures that vsphere.local domain is identical across all platform service controllers. VMDir is a multi-tenanted, multi-mastered directory service. It makes an LDAP directory available on port 389. The service still uses port 11711 for backward compatibility with vSphere 5.5 and earlier systems.

ESXi host can be joined to domain so that management of users and groups becomes easier rather than having to create local users on the ESXi host. When an ESXi host is added to active directory the domain group called “ESXi Admins” will be given full administrative access if the group exists. There is a workaround available to prevent that from happening if it is not needed.

Procedure to add a host to domain

  1. Browse to the host in the vSphere Web Client inventory
  2. Click the Manage tab and click Settings
  3. Under System, select Authentication Services
  4. Click Join Domain.
  5. Enter a domain.
  6. Enter the user name and password of a directory service user who has permissions to join the host to the domain, and click OK.
  7. (Optional) If you intend to use an authentication proxy, enter the proxy server IP address.
  8. Click OK to close the Directory Services Configuration dialog box
Figure 9: Joining ESXi host to a domain
Figure 9: Joining ESXi host to a domain

Apply a role to a User/Group and to an object or group of objects

This particular topic is already discussed in previous topic “Determine how permissions are applied and inherited in vCenter Server”.

Change Permission Validation Setting

vCenter Server periodically validates users and groups against the users and groups in active directory. If for some reason the user and group is not available in the directory vCenter Server then removes it from its list. This validation process can be disabled or the search interval can be adjusted according to the needs.

Note: This validation only applied to vCenter users and group list and not the ones present in the ESXi host itself.

Procedure to change validation settings

  1. Browse to the vCenter Server system in the vSphere Web Client object navigator.
  2. Select the Manage tab and click Settings.
  3. Click General and click Edit
  4. Select User directory.
Figure 10: Change validation settings
Figure 10: Change validation settings

The User Directory timeout value dictates, how long a vCenter Server is allowed to run search on the domain. This value is in seconds. Larger domains requires more time. Query limit and Query limit size are closely related to each other. When the Query limit check box is checked, it means the value entered in Query limit size is accepted. This value dictates how many numbers of users and groups are displayed in “Select Users and Groups” dialog box. Setting this value to 0 will show all users and groups from domain.

Determine the appropriate set of privileges for common tasks in vCenter Server

For us to a task in vCenter such as moving a Virtual machine from one folder to another requires permissions on more than one object in the inventory. In this chapter we discuss some of the common tasks that typically an administrator will perform in vCenter and permissions required for such tasks. Earlier we discussed, predefined roles can be assigned to users or groups. Also we discussed on how to define custom roles as well.

Example 1: Move a virtual machine into a resource pool

Following privileges required to perform this action,

  • On the virtual machine or the folder of virtual machine
    • Assign virtual machine to resource pool
    • Virtual machine.Inventory.Move
  • On the destination resource pool
    • Assign virtual machine to resource pool

The above described task is typically performed by Administrator.

Example2: Install a guest operating system on a virtual machine

To install a operating system on virtual machine the following privileges are required,

  • On the virtual machine or folder of virtual machines
    • Virtual machine.Interaction.Answer question
    • Virtual machine.Interaction.Console interaction
    • Virtual machine.Interaction.Device connection
    • Virtual machine.Interaction.Power Off
    • Virtual machine.Interaction.Power On
    • Virtual machine.Interaction.Reset
    • Virtual machine.Interaction.Configure CD media (if installing from a CD)
    • Virtual machine.Interaction.Configure floppy media (if installing from a floppy disk)
    • Virtual machine.Interaction.VMware Tools install
  • On a datastore containing the installation media ISO image
    • Browse datastore (if installing from an ISO image on a datastore)
  • On the datastore to which you upload the installation media ISO image
    • Browse datastore
    • Low level file operations

For every other task that a user performs in vCenter, similar privileges are required. For further reading on this topic refer to vCenter Server security guide.

Compare and contrast default system/sample roles

Earlier we discussed what roles, permissions and privileges are. In vCenter Server by default there are predefined roles, some of these cannot be modified or deleted but can be cloned (default roles). The other sample roles can be modified, cloned and deleted.

Following are the default roles,

a.      Administrator Role

This role includes all privileges and users with this role can perform all actions on the objects. A user with administrator role can assign privileges to other users and groups. By default administrator@vsphere.local user has Administrator role on both vCenter Single Sign-On and vCenter Server after installation.

b.      No Access Role

Users with this role cannot view of change the object. New users and groups are assigned this role by default, it can then be changed.

c.       Read Only Role

Users with this role are allowed to view the state of object and details about object. This user cannot modify anything in the inventory but can view virtual machines, hosts, resource pool and cannot view the remote console of a virtual machine. All the other actions are disallowed.

Determine the correct permissions needed to integrate vCenter Server with other VMware products

To be able to integrate same authentication with other VMware products such as vCenter Orchestrator, we must use Global Permissions. Global permission is applied to global root object that spans across solutions.

Leave a Reply

Your email address will not be published. Required fields are marked *