Understand the basics of VMware vCenter permissions. Also review the different types of permissions and where they are effective (ESXi permissions vs. vCenter).
- View Offline
- [Voiceover] In this video I'll explain how vCenter Roles can be used to manage permissions for vSphere administrators. An organization may have many employees that need the ability to use the vSphere web client. You may need to provide different groups of users with permission sets that fit their needs. vCenter uses roles to define sets of privileges that will be granted to users. There are different ways you can go about creating roles, or you can simply use the roles that are built in by default.
But regardless of how you choose to manage roles, you should always strive to give users the minimum set of privileges that they need to do their job. This is a Security Best practice, and often requires the creation of custom roles. For example, assume you have a 12 year old child. You could give him access to a blowtorch and ask him not to use it, but you'd probably be better off just putting it somewhere that he can't reach it. So let's talk about how we hide the blowtorch from the 12 year old. We can pick and choose what privileges we include in the roles that we create.
Roles define the tasks that users can perform. For example, roles include abilities like allocating data store space, migrating virtual machines, and powering on virtual machines. When we create a role, we'll pick and choose what privileges should be included based on who we plan to assign this role to. These roles are different than roles created on an individual ESXi host. If a user logs directly into a host with the vSphere client, the permissions in vCenter are not applied.
vCenter comes with some handy built in tools that can make role management easier. There are some basic built in roles like administrator, and there's a number of sample roles that we can clone when we need to create a custom role.
Note: This course maps to the Configure and Administer vSphere 6.x Security domain of the VMware Certified Professional 6—Data Center Virtualization (VCP6DCV) exam.
- vCenter built-in and custom roles
- Task permissions
- Global permissions
- Local ESXi permissions and authentication
- Securing virtual machines and switches
- Managing ESXi host services and firewalls
- Using Lockdown mode
- Enabling single sign-on (SSO)