NAKIVO Blog

VMware vSphere Roles and Permissions

In vCenter, VMware vSphere permissions are granted through the role a user is paired with. A role is a predefined set of privileges. vCenter ships with default roles that can be used as they are. However, if we want a customized set of privileges, we can create our own roles. Let’s take a look at creating a role, assigning a user to that role, and then testing our permissions assignment.

How to Create a VMware vSphere Role?

To create a role, navigate to the Administration section and then click Roles. Here, we can click the green “+” button to start the add role process.


Let’s create a role called TestRole and assign privileges to the role. Here we are assigning most of the “Virtual machine” privileges to the role, but unchecking the “snapshot management” privilege. Click OK.

Assigning most of the Virtual machine privileges to role

Now we see our TestRole showing in our list of available Roles.

VMware vSphere Web Client - Roles

How to Assign a User to the Role?

How do we pair our role to a user? We assign permissions to a resource. To do that, you can right-click a resource, in this case, a VM, and select Add Permission.

VMware vSphere Web Client - Add Permission

The Add Permission dialog opens where we can Add a user and select a role.

VMware vSphere Web Client - Add User

The Select Users/Groups dialog box opens allowing us to choose a user. Notice in the Domain field we have a combo box. We can pull this down and select our recently added Active Directory domain that was added as an identity source.

VMware vSphere Web Client - Choose Domain

Now that our domain is selected we can add our desired user. In this case, we choose testuser and click OK.

VMware vSphere Web Client - Select User

Now that we have our user selected, we can drop down the Assigned Role combo box and select the TestRole that we created earlier. Notice also the Propagate to children checkbox. It needs to be taken into consideration when a permission is added to a higher-level object in vCenter, because it controls whether the permission also applies to the objects beneath that object. Click OK.

VMware vSphere Web Client - Assigned Role

We can now test the permissions that we have just defined by pairing the role and the user. Let’s log in with our testuser account.

VMware vCenter Single Sign-On

Notice how the only VM that is appearing is the VM we assigned the permissions on. Also, notice how the snapshot options are now limited as well.

Check User Permissions
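
The same procedure scripted with VMware PowerCLI, as an added example that is not part of the original post. The vCenter address, the EXAMPLE domain prefix and the VM name are placeholders, and selecting every VirtualMachine.* privilege except the VirtualMachine.State.* snapshot group is an assumption about which privileges "most" covers here.

```powershell
# Added example, not from the original post. Requires the VMware PowerCLI module.
$vCenter   = 'vcenter.example.local'   # placeholder vCenter address
$principal = 'EXAMPLE\testuser'        # placeholder domain; user name from the article
$vmName    = 'TestVM'                  # placeholder VM name
$roleName  = 'TestRole'                # role name from the article

Connect-VIServer -Server $vCenter | Out-Null

# Individual "Virtual machine" privileges, leaving out snapshot management
# (the privilege IDs under VirtualMachine.State.*).
$privileges = Get-VIPrivilege -PrivilegeItem |
    Where-Object { $_.Id -like 'VirtualMachine.*' -and
                   $_.Id -notlike 'VirtualMachine.State.*' }

# Create the role only if it does not exist yet, so the script can be re-run.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $privileges
}

# Least-privilege check: stop if the role holds any snapshot privilege,
# for example because an existing TestRole was edited by hand.
$snapshotPrivs = Get-VIPrivilege -Role $role |
    Where-Object { $_.Id -like 'VirtualMachine.State.*' }
if ($snapshotPrivs) {
    throw "Role $roleName contains snapshot privileges: $($snapshotPrivs.Id -join ', ')"
}

# Add the permission on the single VM. A VM has no child objects, but keeping
# -Propagate explicit matters if this line is reused on a folder or cluster.
$vm = Get-VM -Name $vmName
New-VIPermission -Entity $vm -Principal $principal -Role $role -Propagate $false |
    Out-Null

# Review every permission the user holds, including any that were propagated
# from higher-level objects and would widen access beyond this one VM.
Get-VIPermission -Principal $principal |
    Select-Object Entity, Role, Principal, Propagate |
    Format-Table -AutoSize

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

If the final table lists more than the one VM, the user holds permissions assigned elsewhere in the inventory, which is worth reviewing before the account is handed over.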

Thoughts

Assigning VMware vSphere roles and permissions in vCenter is an essential part of administering a vSphere environment where certain users need access to certain resources and need their privileges on those resources (vCenter actions, etc.) to be limited. Since Active Directory serves as the identity source for most enterprise environments, it provides a great way to have centralized control over vCenter privileges based on the Active Directory users that are assigned to roles.