Today we'll cover another objective towards VCP-DCV 2019 Certification. We have started to work on a new Study Guide that we call VCP6.7-DCV Study Guide. Today's post is about VCP6.7-DCV Objective 7.12 – Setup permissions on datastores, clusters, vCenter, and hosts. An interesting chapter: knowing how to restrict access is how you protect vCenter assets.
We won’t be able to cover everything in a single post – make sure to read the PDF documentation to know everything inside out for the exam. The VMware Exam blueprint has 41 chapters (Objectives). VCP-DCV 2019 certification is the latest certification based on vSphere 6.7.
In case you don't know, VMware changed the rules of re-certification recently. Our Post: VMware Certification Changes in 2019 has the details. There is no mandatory recertification after 2 years. Older certification holders (up to VCP5) can pass the new exam without a mandatory course (only recommended courses are listed).
The VCP-DCV 2019 certification will be based on exam number 2V0-21.19 and it will have 70 questions with a duration of 115 minutes. The passing score is 300. Nothing really new for those who are familiar with the VMware certification process.
To become VCP-DCV 2019 certified you have 3 different choices of exam:
- Professional vSphere 6.7 Exam 2019
- VMware Certified Professional 6.5 – Data Center Virtualization exam (our VCP6.5-DCV Study Guide Page which is complete)
- VMware Certified Professional 6.5 – Data Center Virtualization Delta exam
Note: You must be VCP5 or VCP6. If not, you must “sit” a class and you have no “Delta” exam option.
The current exam blueprint: (Original PDF Online at VMware is here 2V0-21.19).
The certification’s name is “The VCP-DCV 2019 certification“. It is a new certification for 2019 focusing on installation, configuration, and management of VMware vSphere 6.7.
VCP6.7-DCV Objective 7.12 – Setup permissions on datastores, clusters, vCenter, and hosts
Each object in the vCenter Server object hierarchy has associated permissions. Each permission specifies for one group or user which privileges that group or user has on the object.
Privileges are fine-grained access controls. You can group those privileges into roles, which you can then map to users or groups.
The permission model for vCenter Server systems basically allows you to assign permissions to objects in the object hierarchy. Each permission gives one user or group a set of privileges, that is, a role for a selected object. For example, you can select a virtual machine and select Add Permission to assign a role to a group of users in a domain that you select. That role gives those users the corresponding privileges on the VM.
After assigning a permission to an object, on the same page you can check the box to propagate the permission down the object hierarchy. Propagation is set per permission, so for each one you decide whether it propagates or not.
Permissions defined for a child object always override the permissions that are propagated from parent objects.
Most inventory objects inherit permissions from a single parent object in the hierarchy. For example, a datastore inherits permissions from either its parent datastore folder or parent data center. Virtual machines inherit permissions from both the parent virtual machine folder and the parent host, cluster, or resource pool simultaneously.
Differences between permissions, privileges, users and groups and roles.
- Permissions – each object in the vCenter hierarchy has associated permissions. Each permission specifies, for one user or group, which privileges that user or group has on the object.
- Privileges – fine-grained access controls on the resource. You group privileges into roles, which are mapped to users or groups.
- Users and groups – pretty obvious. Only users authenticated through Single Sign-On (SSO) can be granted privileges. Users must be defined within SSO or come from external identity sources such as Microsoft AD.
- Roles – what is a role? A role is the set of privileges you assign to a user or group on an object. Administrator, Resource Pool Administrator, etc. are predefined roles. You can clone them or change them (except Administrator).
When you assign permission to an object, you can choose whether the permission propagates down the object hierarchy. You set propagation for each permission. Propagation is not universally applied. Permissions defined for a child object always override the permissions that are propagated from parent objects.
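The propagation and override rules above, as an added example that is not from the original post or from VMware: a small Python model that resolves a user's effective privileges on an inventory object. Object, group and role names are constructed (the privilege IDs are real vSphere ones); the caller passes the user together with the groups they belong to.

```python
from collections import namedtuple
# (principal = user or group, role, propagate = the "Propagate to children" box)
Permission = namedtuple("Permission", "principal role propagate")
# Role -> privilege IDs (real vSphere IDs; Administrator abbreviated to those used here).
ROLES = {
    "Administrator": {"System.Read", "Datastore.Browse", "Datastore.AllocateSpace",
                      "VirtualMachine.Interact.PowerOn"},
    "Read-only": {"System.Read"}, "No access": set(),
    "Datastore consumer": {"Datastore.AllocateSpace"},
    "VM power user": {"VirtualMachine.Interact.PowerOn"},
}
# Constructed inventory: object -> parents. Only the VM has two parents
# (its folder and its resource pool); everything else has one.
INVENTORY = {
    "vcenter": [], "Datacenter": ["vcenter"], "DS-Folder": ["Datacenter"],
    "datastore1": ["DS-Folder"], "datastore2": ["DS-Folder"],
    "VM-Folder": ["Datacenter"], "Cluster": ["Datacenter"],
    "ResourcePool": ["Cluster"], "web01": ["VM-Folder", "ResourcePool"],
}
# Constructed permissions, as they would appear on each object's Permissions tab.
PERMISSIONS = {
    "vcenter":    [Permission("vc-admins", "Administrator", True)],
    "DS-Folder":  [Permission("ds-admins", "Datastore consumer", True)],
    "datastore1": [Permission("ds-admins", "Read-only", False)],  # overrides the folder
    "VM-Folder":  [Permission("vm-ops", "VM power user", True)],
    "Cluster":    [Permission("vm-ops", "No access", True)],
}

def _assigned(obj, principals, propagating_only):
    """Privileges set on obj itself for the user or their groups; None if there are none."""
    perms = [p for p in PERMISSIONS.get(obj, ())
             if p.principal in principals and (p.propagate or not propagating_only)]
    return set().union(*(ROLES[p.role] for p in perms)) if perms else None

def _passed_down(obj, principals):
    """What obj propagates to its children: its own propagating permission if it
    has one (a non-propagating one applies to obj only), else what it inherits."""
    own = _assigned(obj, principals, propagating_only=True)
    if own is not None:
        return own
    return set().union(*(_passed_down(p, principals) for p in INVENTORY[obj]))

def effective_privileges(obj, principals):
    """Privilege IDs the user holds on obj: a permission defined on obj wins; otherwise
    all parents' contributions are combined (so a VM is only restricted when both its
    folder side and its host/cluster/resource pool side restrict it)."""
    direct = _assigned(obj, principals, propagating_only=False)
    if direct is not None:
        return direct
    return set().union(*(_passed_down(p, principals) for p in INVENTORY[obj]))
```

The `web01` case shows why VMware's documentation says a VM is restricted only when permissions are set on both the folder side and the host/cluster/resource pool side: No access propagated from the cluster alone does not remove what the VM folder grants.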
Datastore privileges control the ability to browse, manage, and allocate space on datastores. You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.
Folder privileges control the ability to create and manage folders. You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.
Add Permission to an Inventory Object
After you create users and groups and define roles, you must assign the users and groups and their roles to the relevant inventory objects. You can assign the same permissions to multiple objects simultaneously by moving the objects into a folder and setting the permissions on the folder.
Browse to the object for which you want to assign permissions in the vSphere Client object navigator. Click the Permissions tab > Click the Add Permission icon > Select the user or group that will have the privileges defined by the selected role.
From the User drop-down menu, select the domain for the user or group. Type a name in the Search box. The system searches user names and group names > Select the user or group > Select a role from the Role drop-down menu.
(Optional) To propagate the permissions, select the Propagate to children check box. The role is applied to the selected object and propagates to the child objects. Click OK to add the permission.
So here is an example of the whole process. For example, you want to assign a role to a datastore object.
First go to vSphere Client > Administration > Roles > Create a role > choose, from the categories of privileges, the privileges the role should contain.
Then select the object where you want to assign permissions by selecting the role.
Choose the domain in the first drop-down menu. Start typing the name of a group (in my case I had first created a group called datastore admin in my Microsoft Active Directory (AD), and then added some users to this group). It populates automatically.
And then pick the role via the drop-down menu.
Check also Required Privileges for Common Tasks
More to read in VMware vSphere 6.7 documentation
Don’t forget to check our VCP6.7-DCV Study Guide Page for all chapters for the exam.