March 6, 2017
VMware vSphere Roles and Permissions
In vCenter, VMware vSphere permissions are assigned through roles: the privileges a user receives depend on the role the user is paired with. A role is a predefined set of privileges. vCenter ships with default roles that we can use as they are. However, if we want a customized set of privileges, we can create our own roles. Let's take a look at creating a role, assigning a user to that role, and then testing our permissions assignment.
How to Create a VMware vSphere Role?
To create a role, navigate to the Administration section and then click Roles. Here, we can click the green "+" button to start the add role process.
Let’s create a role called TestRole and assign privileges to the role. Here we are assigning most of the "Virtual machine" privileges to the role, but unchecking the "snapshot management" privilege. Click OK.
Now we see our TestRole showing in our list of available Roles.
How to Assign a User to the Role?
How do we pair our role to a user? We assign permissions to a resource. To do that, you can right-click a resource, in this case, a VM, and select Add Permission.
The Add Permission dialog opens where we can Add a user and select a role.
The Select Users/Groups dialog box opens, allowing us to choose a user. Notice the combo box in the Domain field. We can pull this down and select the Active Directory domain that we recently added as an identity source.
Now that our domain is selected we can add our desired user. In this case, we choose testuser and click OK.
Now that we have our user selected, we can drop down the Assigned Role combo box and select the TestRole that we created earlier. Notice also the "Propagate to children" checkbox. When a permission is added to a higher-level object in vCenter, this setting determines whether the objects beneath it inherit the permission, so it needs to be taken into consideration. Click OK.
We can now test the user permissions that we have just defined by pairing the role and the user. Let's log in as our testuser account.
Notice how the only VM that is appearing is the VM we assigned the permissions on. Also, notice how the snapshot options are now limited as well.
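The same procedure scripted with VMware PowerCLI, followed by a check of the result. This is an added example, not part of the original article. The server, VM and domain names (vcenter.example.local, TestVM, EXAMPLE\testuser) are placeholders, and the role takes every "Virtual machine" privilege outside the snapshot group rather than the hand-picked subset chosen in the dialog above.

```powershell
# Added example. Placeholder names: vcenter.example.local, TestVM, EXAMPLE\testuser.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.local' | Out-Null

$principal = 'EXAMPLE\testuser'

# All "Virtual machine" privileges except the "Snapshot management" group,
# whose privilege IDs start with VirtualMachine.State.
$privileges = Get-VIPrivilege -PrivilegeItem | Where-Object {
    $_.Id -like 'VirtualMachine.*' -and $_.Id -notlike 'VirtualMachine.State.*'
}

# Create the role, or reuse it if it already exists.
$role = Get-VIRole -Name 'TestRole' -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name 'TestRole' -Privilege $privileges
}

# Pair the user and the role on a single VM. Propagation is off because a VM
# has no child objects; on a folder or cluster this choice decides how far
# the permission reaches.
$vm = Get-VM -Name 'TestVM'
$existing = Get-VIPermission -Entity $vm -Principal $principal -ErrorAction SilentlyContinue
if (-not $existing) {
    New-VIPermission -Entity $vm -Principal $principal -Role $role -Propagate $false | Out-Null
}

# Check 1: the role must not contain any snapshot privilege.
$snapshotPrivs = Get-VIPrivilege -Role $role |
    Where-Object { $_.Id -like 'VirtualMachine.State.*' }
if ($snapshotPrivs) {
    Write-Warning "TestRole still grants: $($snapshotPrivs.Id -join ', ')"
} else {
    Write-Output 'TestRole grants no snapshot management privileges.'
}

# Check 2: list every object where the user holds a permission. Only TestVM
# should appear; anything else is access granted outside this procedure.
Get-VIPermission -Principal $principal |
    Select-Object Entity, Role, Propagate, IsGroup |
    Format-Table -AutoSize

Disconnect-VIServer -Server 'vcenter.example.local' -Confirm:$false
```

The second check only lists permissions assigned directly to the user; access inherited through Active Directory group membership has to be reviewed by running the same query against those groups.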
Assigning VMware vSphere roles and permissions in vCenter is an essential part of administering a vSphere environment in which certain users need access to certain resources and their privileges on those resources (vCenter actions, etc.) need to be limited. Since Active Directory serves as the identity source for most enterprise environments, it provides a great way to have centralized control over vCenter privileges based on the Active Directory users that are assigned to roles.