Today’s VCP6-DCV goal is to talk about – VCP6-DCV Objective 1.1 – Configure and Administer Role-based Access Control. VMware VCP exam is a gold standard of VMware certification exams. VCP exam is the most known VMware exams, even if it’s not the highest technical level.
But it’s most recognized. By a future employer, by industry as a whole. We will cover VCP6-DCV exam certification based on VMware latest VMware VCP6-DCV blueprint. Check VCP6-DCV page for all objectives.
VMware vSphere Knowledge
- Identify common vCenter Server privileges and roles
- Describe how permissions are applied and inherited in vCenter Server
- View/Sort/Export user and group lists
- Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
- Create/Clone/Edit vCenter Server Roles
- Determine the correct roles/privileges needed to integrate vCenter Server with other VMware products
- Determine the appropriate set of privileges for common tasks in vCenter Server
Identify common vCenter Server privileges and roles
There are roles and privileges. Role is a collection of privileges assigned to group or a user.
There are certain number of Out-of-the-box (predefined) roles when we look at the vSphere client > roles.
You can keep them, clone them, delete or edit.
Four different types of permissions
Not only vCenter server, like the ones above, but also Local permissions for ESXi. The full list:
- Global Permissions – Global permissions are applied to a global root object that spans solutions. To assign permissions via global root allows to propate them to the other products relying on SSO (vCO, vROPS, vCD..)
- vCenter Server Permissions – Hierarchical model. Permission gives you a certain number of priviledges. Imilar like in Microft’s AD. You Select object > assign role to a group of users > to give them priviledges on that object.
- Group Membership in vSphere.local Groups – The vsphere.local domain includes several predefined groups. Assign users from AD (if you’re using AD) to one of those groups to be able to perform the corresponding actions.
For some services that are not managed by vCenter Server directly, privileges are determined by membership to one of the vCenter Single Sign-On groups. For example, a user who is a member of the Administrator group can manage vCenter Single Sign-On. A user who is a member of the CAAdmins group can manage the VMware Certificate Authority, and a user who is in the LicenseService.Administrators group can manage licenses.
Note: to be able to find the AD groups it’s necessary to add Identity sources via:
Home > Administration > Single Sign-ON > Configuration > Identity sources.
The user [email protected] can perform tasks that are associated with services included with the Platform Services Controller.
- ESXi Local Host Permissions – If you are managing a standalone ESXi host that is not managed by a vCenter Server system, you can assign one of the predefined roles to users.
Describe how permissions are applied and inherited in vCenter Server
The global permissions are assigned via web client only (SSO), via Home > Administration > Global permissions.
If you deselect the propagate to children the objects lying down the road won’t be accessible by that particular user/group. (It’s like when you manage NTFS permissions on Windows servers and you uncheck the heritage check box). Permissions are applicable directly and propagated to children by default.
If you click the “View Children” link, it’ll show you the permission of all the childrend which permission will apply to (if “Propagate to children is selected).
- Inheritance of Multiple Permissions – If user is member of more than one group? Then combined privileges within the roles apply. Example below showing user member of both groups.
- Child permissions override Parent permissions – Permissions applied on a child object always override permissions that are applied on a parent object. See examples P. 119 of vSphere Security Guide.
Ex. Role 1 can power on VMs and Role 2 can take snapshots.
Group A is granted Role 1 on VM folder and permissions propagae to child objects
Group B is granted Role 2 on VM B
User 1, who belongs to groups A and B, logs on. Because Role 2 is assigned at a lower point in the hierarchy than Role 1, it overrides Role 1 on VM B. User 1 can power on VM A, but not take snapshots. User 1 can take snapshots of VM B, but not power it on.
- User role overriding group role – if two permissions are defined on the same object.
Permissions are on the same object. One permission is granted to a group, the other to a user which at the same time is member of the group. Role 1 can power VMs Group A is granted Role 1 on VM folder and at the same time User 1 is granted No Access role on VM folder.
User 1, who belongs to group A, logs on. The No Access role granted to User 1 on VM Folder overrides the role assigned to the group. User 1 has no access to VM Folder or VMs A and B.
View/Sort/Export user and group lists
To check Global permissions you have to go an use Web client > Home > Administration > Global permissions.
You can be export to a CSV file or copy to the Clipboard selected or All items. You can also use CTRL+Click to copy to the clipboard.
Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
To modify/add permissions you must select an object > Manage > Permissions.
Than you can use the delete, edit or Add icons there…
Create/Clone/Edit vCenter Server Roles
To edit, create or clone vCenter roles it’s necessary to use vSphere Web client > Administration > Roles OR Home > Roles. Default roles are:
- No Access
To clone role click the icon…
vSphere Security Guide (p. 121).
Determine the correct roles/privileges needed to integrate vCenter Server with other VMware products
Global permissions are applied to a global root object that spans solutions, for example, both vCenter Server and vCenter Orchestrator. Use global permissions to give a user or group privileges for all objects in all object hierarchies.
Global permissions are applied to a global root object that spans solutions, for example, both vCenter Server and vCenter Orchestrator. Use global permissions to give a user or group privileges for all objects in all object hierarchies. P. 122
Determine the appropriate set of privileges for common tasks in vCenter Server
- Common tasks Required Privileges – p.127
- All privileges – p.229
- vSphere Installation and Setup Guide
- vSphere Security Guide
- What’s New in the VMware vSphere® 6.0 Platform
- vSphere Administration with the vSphere Client Guide
- vSphere Client / vSphere Web Client