Today we have a large chapter to cover about role-based user management. However, the topic has similar content as for covering VCP6.5-DCV since there hasn't been much changed in that area for vSphere 6.7. In this post, VCP6.7-DCV Objective 7.5 – Configure role-based user management, we'll be detailing vCenter management, roles structure, permissions, etc.
VMware vSphere has predefined roles. A role allows you to assign permission to an object. Administrator, Resource Pool administrator, etc are predefined roles. It is another objective which is a requirement to pass the latest VMware VCP Datacenter Exam called by VMware officially a “VCP-DCV 2019 certification”.
If you are VCP5 or VCP6, you can become certified VCP-DCV 2019 by passing Professional vSphere 6.7 Exam 2019 OR VMware Certified Professional 6.5 – Data Center Virtualization exam, OR VMware Certified Professional 6.5 – Data Center Virtualization Delta exam.
Our “VCP6.7-DCV Study Guide” page based on the official VMware blueprint has 41 Objectives compared to VCP6.5-DCV Study Guide has only 31 Objectives to cover. It means that you need “less effort” to achieve the same certification, the VCP-DCV 2019 certification, if you pass the VMware Certified Professional 6.5 – Data Center Virtualization exam (or the “Delta”).
The VCP-DCV 2019 certification details:
- Based on 2V0-21.19 exam number
- Will have 70 questions
- Duration of 115 minutes.
- Passing score is 300.
Recently VMware changed the rules of re-certification. Our Post: VMware Certification Changes in 2019 has the details. No mandatory recertification after 2 years. Older certification (up to VCP5) can pass the new exam without a mandatory course, only recommended courses are listed). If you're VCP2,3, 4 you need to sit a mandatory class….
Let's get back to our objective.
VCP6.7-DCV Objective 7.5 – Configure role-based user management
vCenter Server Permissions – The permission model for vCenter Server systems basically allows you to assign permissions to objects in the object hierarchy. Each permission gives one user or group a set of privileges, that is, a role for a selected object. For example, you can select a virtual machine and select Add Permission to assign a role to a group of users in a domain that you select. That role gives those users the corresponding privileges on the VM.
Global Permissions – Global permissions are applied to a global root object that spans solutions. For example, if both vCenter Server and vRealize Orchestrator are installed, you can use global permissions. For example, you can give a group of users Read permissions to all objects in both object hierarchies. Global permissions are replicated across the vsphere.local domain. Global permissions do not provide authorization for services managed through vsphere.local groups.
To check the propagated and explicit permission assignments, we have to connect to our vCenter server > Global Administration. But before doing this, it’s important to know the difference between Permissions and Users and Groups.
- Permissions – each object in the vCenter hierarchy has associated permissions. Each permission
- Privileges – access controls to the resource. You group privileges into roles, which are mapped to users or groups.
- Users and groups – pretty obvious. Only users authenticated through Single Sign-ON (SSO) can be given some privileges. Users must be defined within the SSO or users from external identity sources such as Microsoft AD.
- Roles – what is a role? A role allows you to assign permission to an object. Administrator, Resource Pool administrator, etc are predefined roles. You can clone them or change them (except Administrator).
When you assign permission to an object, you can choose whether the permission propagates down the object hierarchy. You set propagation for each permission. Propagation is not universally applied. Permissions defined for a child object always override the permissions that are propagated from parent objects.
The image below (from vSphere 6.7 Security guide) illustrates the inventory hierarchy and the paths by which permissions can propagate
Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
To Add/Modify/Remove permission for a user and group from vCenter inventory you have to Select an object from the inventory > click Permissions TAB > there you can add, edit, and remove permissions.
From the drop-down select the identity source (in our case our Lab.local AD domain)
And then start typing the name of the person…. (my name in my case)…
Inheritance, Parent and Child permissions
- Inheritance of Multiple Permissions – If user is member of more than one group? Then combined privileges within the roles apply. Example below showing user member of both groups.
- Child permissions override Parent permissions – Permissions applied on a child object always override permissions that are applied on a parent object. See examples P. 119 of vSphere Security Guide.
Ex. Role 1 can power on VMs and Role 2 can take snapshots.
Group A is granted Role 1 on VM folder and permissions propagae to child objects
Group B is granted Role 2 on VM B
User 1, who belongs to groups A and B, logs on. Because Role 2 is assigned at a lower point in the hierarchy than Role 1, it overrides Role 1 on VM B. User 1 can power on VM A, but not take snapshots. User 1 can take snapshots of VM B, but not power it on.
- User role overriding group role – if two permissions are defined on the same object.
Permissions are on the same object. One permission is granted to a group, the other to a user which at the same time is member of the group. Role 1 can power VMs Group A is granted Role 1 on VM folder and at the same time User 1 is granted No Access role on VM folder.
User 1, who belongs to group A, logs on. The No Access role granted to User 1 on VM Folder overrides the role assigned to the group. User 1 has no access to VM Folder or VMs A and B.
Where possible, assign a role to a group rather than individual users to grant privileges to that group.
Grant permissions only on the objects where they are needed, and assign privileges only to users or groups that must have them.
If you assign a restrictive role to a group, check that the group does not contain the Administrator user or other users with administrative privileges.
The best is to group objects into folders, (including hosts). Then you can assign permissions to folders containing hosts and other objects.
In most cases, enable propagation when you assign permissions to an object. This ensures that when new objects are inserted into the inventory hierarchy, they inherit permissions.
Tip: To Mask specific areas of the vCenter hierarchy – Use the No Access role to mask specific areas of the hierarchy if you do not want for certain users or groups to have access to the objects in that part of the object hierarchy.
vCenter Server extensions might define additional privileges not even listed in the PDF. Check the vSphere 6.7 security guide.
Permissions defined for a child object always override the permissions that are propagated from parent objects.
Most inventory objects inherit permissions from a single parent object in the hierarchy. For example, a datastore inherits permissions from either its parent datastore folder or parent data center. Virtual machines inherit permissions from both the parent virtual machine folder and the parent host, cluster, or resource pool simultaneously.
Create/Clone/Edit vCenter Server Roles
To edit, create or clone vCenter roles it’s necessary to use vSphere Web client > Administration > Roles OR Home > Roles. Default roles are:
- No Access
To clone role click the icon…
- Log in to vCenter Server with the vSphere Web Client.
- Select Home, click Administration and click Roles.
- Select a role, and click the Clone role action icon.
- Type a name for the cloned role.
- Select or deselect privileges for the role and click OK.
When you edit a role, you can change the privileges selected for that role. When completed, these privileges are applied to any user or group that is assigned the edited role.
Apply a role to a User/Group and to an object or group of object
A role is a predefined set of privileges. A role allows you to assign permission to an object. Administrator, Resource Pool administrator, etc are predefined roles. Privileges define rights to perform actions and read properties. For example, the Virtual Machine Administrator role allows a user to read and change virtual machine attributes.
You can change the role of a user by going to Global permissions > Select User > Click Edit icon > The user comes preselected > In the drop-down menu choose a different role for the user.
vCenter Server has some system roles and some sample roles you can play with.
- System Roles – System roles are permanent, not editable. You cannot edit the privileges associated with these roles.
- Sample roles – Sample roles are useful because they have been created for frequently performed tasks. Those roles are modifiable, so you are allowed to clone, modify, or remove these roles
vCenter Server systems that use a directory service regularly validate users and groups against the user directory domain. Validation occurs at regular intervals specified in the vCenter Server settings.
Home > Hosts and clusters > Select vCenter server > Configure > Settings> General > Edit and select User directory > Change the values as needed.
- User directory timeout – Timeout interval, in seconds, for connecting to the Active Directory server. This value specifies the maximum amount of time vCenter Server allows a search to run on the selected domain. Searching for large domains can take a long time.
- Query limit – Select the checkbox to set a maximum number of users and groups that vCenter Server displays.
- Query limit size – This is a maximum number of users and groups from the selected domain that vCenter Server displays in the Select Users or Groups dialog box. If you enter 0 (zero), all users and groups appear.
- Validation – Deselect the checkbox to disable validation
- Validation Period – Specifies how often vCenter Server validates permissions, in minutes.
Many tasks require permissions on multiple objects in the inventory. If the user who aĴempts to perform the task only has privileges on one object, the task cannot complete successfully.
Any operation that consumes storage space requires the Datastore.Allocate Space privilege on the target datastore, and the privilege to perform the operation itself. You must have these privileges, for example, when creating a virtual disk or taking a snapshot.
Moving an object in the inventory hierarchy requires appropriate privileges on the object itself, the source parent object (such as a folder or cluster), and the destination parent object.
Each host and cluster has its own implicit resource pool that contains all the resources of that host or cluster. Deploying a virtual machine directly to a host or cluster requires the Resource.Assign Virtual Machine to Resource Pool privilege.
Screenshot directly from the vSphere 6.7 security guide
Compare and contrast default system/sample roles
vCenter Server provides a few default roles. You cannot change the privileges associated with the default roles. The default roles are organized as a hierarchy. Each role inherits the privileges of the previous role.
For example, the Administrator role inherits the privileges of the Read Only role. Roles that you create do not inherit privileges from any of the system roles.
Administrator Role – Users with the Administrator role for an object are allowed to view and perform all actions on the object. This role also includes all privileges inherent in the Read Only role. If you are acting in the Administrator role on an object, you can assign privileges to individual users and groups. If you are acting in the Administrator role in vCenter Server, you can assign privileges to users and groups in the default vCenter Single Sign-On identity source. Supported identity services include Windows Active Directory and OpenLDAP 2.4.
By default, the [email protected] user has the Administrator role on both vCenter Single Sign-On and vCenter Server after installation. That user can then associate other users with the Administrator role on vCenter Server.
No Cryptography Administrator Role – Users with the No cryptography administrator role for an object have the same privileges as users with the Administrator role, except for Cryptographic operations privileges. This role allows administrators to designate other administrators that cannot encrypt or decrypt virtual machines or access encrypted data, but that can perform all other administrative tasks.
Where possible, assign a role to a group rather than individual users to grant privileges to that group.
Use caution when adding permission to the root vCenter Server objects. Users with privileges at the root level have access to global data on vCenter Server, such as roles, custom attributes, vCenter Server settings.
Today we covered another topic from Professional vSphere 6.7 Exam 2019. Stay tuned for more.
Don’t forget to check our VCP6.7-DCV Study Guide Page for all chapters for the exam.
More posts from ESX Virtualization:
- How to Patch vCenter Server Appliance (VCSA) – [Guide]
- VCP6.7-DCV Objective 4.2 – Create and configure vSphere objects
- VCP6.5-DCV Objective 1 – Configure and Administer Role-based Access Control
- What is The Difference between VMware vSphere, ESXi and vCenter
- How to Configure VMware High Availability (HA) Cluster
- Upgrading VCSA 6.5 to 6.7
- What is VMware Platform Service Controller (PSC)?
- VMware Certification Changes in 2019