Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects

Objective 1.4h

A user is an individual authorized to log in to either ESXi or vCenter Server. A group is a set of users that share a common set of rules and permissions. When you assign permissions to a group, all users in the group inherit them, and you do not have to work with the user profiles individually.

In vSphere, the inventory is a collection of virtual and physical objects on which you can place permissions, monitor tasks and events, and set alarms. You can group most inventory objects by using folders to more easily manage them.

All inventory objects except hosts can be renamed to reflect their purpose, for example after company departments, locations, or functions. vCenter Server monitors and manages the following components of your virtual and physical infrastructure: datacenters, clusters, datastores, folders, resource pools, vApps, networks, virtual machines, templates, and hosts.

For ESXi and vCenter Server, a permission is the pairing of a user or group with a role on an inventory object such as a virtual machine or ESXi host. The permission grants the user the right to perform the activities specified by the role on the object to which the role is assigned and, if propagation is enabled, on that object's children.

ESXi users fall into two categories: those who can access the host through vCenter Server and those who can access by directly logging in to the host from the vSphere Client, a third-party client, or a command shell.

Authorized users for vCenter Server (on Windows, as in the vSphere 4.x and 5.0 releases covered here) are those included in the Windows domain that vCenter Server references, or local Windows users on the vCenter Server host.

You cannot use vCenter Server to create, remove, or otherwise change users. Use the tools for managing your Windows domain; any changes you make there are picked up by vCenter Server, but the vCenter Server user interface does not provide a user list for you to review.

After you create users and groups and define roles, you must assign the users and groups with their roles to the relevant inventory objects. To apply the same permission to many objects at once, move the objects into a folder and set the permission on the folder with Propagate to Child Objects enabled; objects added to the folder later inherit the permission as well.

Assign Permissions
After you create users and groups and define roles, you must assign the users and groups and their roles to the relevant inventory objects.

Procedure

  1. Select an object and click the Permissions tab.
  2. Right-click the Permissions tab and select Add Permission.
  3. Select a role from the Assigned Role drop-down menu.
    The roles that are assigned to the object appear in the menu. The privileges contained in the role are listed in the section below the role title.
  4. (Optional) Deselect the Propagate to Child Objects check box.
    The role is applied only to the selected object, and does not propagate to the child objects.
  5. Click Add to open the Select Users or Groups dialog box.
  6. Identify the user or group to assign to this role.
    a. Select the domain where the user or group is located from the Domain drop-down menu.
    b. Type a name in the Search box or select a name from the Name list.
    c. Click Add.
       The name is added to either the Users or Groups list.
    d. Repeat Step 6a through Step 6c to add additional users or groups.
    e. Click OK when finished.
  7. Verify that the users and groups are assigned to the appropriate permissions and click OK.
  8. Click OK to finish.
    The server adds the permission to the list of permissions for the object.
    The list of permissions references all users and groups that have roles assigned to the object, and indicates where in the vCenter Server hierarchy the role is assigned.

Modify Permissions
After a user or group and role pair is set for an inventory object, you can change the role paired with the user or group or change the setting of the Propagate check box. You can also remove the permission setting.

Procedure

  1. From the vSphere Client, select an object in the inventory.
  2. Click the Permissions tab.
  3. Click the line item to select the user or group and role pair.
  4. Select Inventory > Permissions > Properties.
  5. Select a role for the user or group from the drop-down menu.
  6. To propagate the privileges to the children of the assigned inventory object, click the Propagate check box and click OK.

Remove Permissions
Removing a permission for a user or group does not remove the user or group from the list of those available. It also does not remove the role from the list of available items. It removes the user or group and role pair from the selected inventory object.

Procedure

  1. From the vSphere Client, click the Inventory button.
  2. Expand the inventory as needed and click the appropriate object.
  3. Click the Permissions tab.
  4. Click the appropriate line item to select the user or group and role pair.
  5. Select Inventory > Permissions > Delete.
    vCenter Server removes the permission setting.
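The three procedures above, carried out from PowerCLI instead of the vSphere Client, as an added example that is not part of the original page or of VMware's documentation. It assumes PowerCLI (VMware.VimAutomation.Core) is installed and uses hypothetical names: a vCenter Server at vc01.lab.example, a VM folder "Prod-Web", an Active Directory group LAB\vm-operators, and a custom role "VM Operator"; the built-in "Read-only" role and the VirtualMachine.Interact.* privilege IDs are real.

```powershell
# Added example (not from the original page or VMware's docs). Assumed names:
# vCenter vc01.lab.example, VM folder "Prod-Web", AD group LAB\vm-operators,
# custom role "VM Operator". Run as an account that holds the
# Permissions.ModifyPermission privilege on the folder.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vc01.lab.example' | Out-Null

$folder    = Get-Folder -Name 'Prod-Web' -Type VM
$principal = 'LAB\vm-operators'   # grant to a group, not to individual users

# Setup (assumption): create the custom role if it does not exist yet.
$role = Get-VIRole -Name 'VM Operator' -ErrorAction SilentlyContinue
if (-not $role) {
    $privs = Get-VIPrivilege -Id 'VirtualMachine.Interact.PowerOn',
                                 'VirtualMachine.Interact.PowerOff',
                                 'VirtualMachine.Interact.ConsoleInteract'
    $role = New-VIRole -Name 'VM Operator' -Privilege $privs
}

# --- Add: pair the group with the role on the folder and propagate, so every
# VM in the folder (now or moved in later) inherits the permission.
New-VIPermission -Entity $folder -Principal $principal -Role $role -Propagate:$true | Out-Null

# Check: the pairing exists and is defined on the folder. Get-VIPermission
# reports the entity each permission is defined on, which is the "where in
# the hierarchy" information shown in the Permissions tab.
Get-VIPermission -Entity $folder -Principal $principal |
    Format-Table Principal, IsGroup, Role, Propagate, @{n='DefinedOn'; e={$_.Entity.Name}}

# --- Modify: switch the pairing to the built-in Read-only role and stop
# propagation, so it applies to the folder object only.
$perm = Get-VIPermission -Entity $folder -Principal $principal
Set-VIPermission -Permission $perm -Role (Get-VIRole -Name 'Read-only') -Propagate:$false | Out-Null

# --- Remove: delete only the group/role pairing on this object.
$perm = Get-VIPermission -Entity $folder -Principal $principal
Remove-VIPermission -Permission $perm -Confirm:$false

# Check: the role still exists and the group is untouched in the domain;
# only the pairing on the folder is gone (the last call returns nothing).
Get-VIRole -Name 'VM Operator' | Select-Object Name, IsSystem
Get-VIPermission -Entity $folder -Principal $principal

Disconnect-VIServer -Server 'vc01.lab.example' -Confirm:$false
```

The permission object is re-fetched before Set-VIPermission and Remove-VIPermission because the object returned by an earlier call is a snapshot; re-reading it avoids acting on a stale role or propagation value.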

When you remove users from vCenter Server, you also remove the permissions granted to those users.

To remove users from vCenter Server, you must remove them from the domain or Active Directory users list.
If you remove users from the vCenter Server domain, they lose permissions to all objects in the vSphere environment and cannot log in again.

Users who are already logged in when they are removed from the domain keep their vSphere permissions until the next validation period, when vCenter Server re-checks each permission's principal against the domain. The default period is 24 hours (vCenter Server Settings > Active Directory > Validation Period, in minutes). If a removed user must lose access sooner, shorten the period or terminate the user's session from Administration > Sessions.

Removing a group does not affect the permissions granted individually to the users in that group or permissions granted as part of inclusion in another group.

If you change a user’s name in the domain, the original user name becomes invalid in the vCenter Server system. If you change the name of a group, the original group becomes invalid after you restart the vCenter Server system.
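An audit that follows from the points above, as an added example that is not part of the original page or of VMware's documentation: list every permission in the inventory with the object it is defined on, flag pairings granted to an individual user rather than a group, and flag principals that no longer resolve in their domain (stale pairings that keep working until the next validation period). It assumes PowerCLI, a hypothetical vCenter Server at vc01.lab.example, and that vCenter Server can still query the domain through Get-VIAccount.

```powershell
# Added example (not from the original page or VMware's docs). Assumed name:
# vCenter vc01.lab.example. Get-VIAccount is used to check whether a principal
# still exists; it only works if vCenter can reach the domain.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vc01.lab.example' | Out-Null

function Test-PrincipalExists {
    # $true if "DOMAIN\name" (or a local account without a domain) still resolves.
    param([string]$Principal, [bool]$IsGroup)
    $domain, $name = $Principal -split '\\', 2
    if (-not $name) { $name = $domain; $domain = $null }   # no backslash: local account
    $query = @{ Name = $name; ErrorAction = 'SilentlyContinue' }
    if ($domain)  { $query.Domain = $domain }
    if ($IsGroup) { $query.Group = $true } else { $query.User = $true }
    return [bool](Get-VIAccount @query)
}

$report = Get-VIPermission | ForEach-Object {
    [pscustomobject]@{
        # EntityId looks like "Folder-group-v12" or "VirtualMachine-vm-42";
        # the part before the first dash is the object type.
        DefinedOn = '{0} "{1}"' -f ($_.EntityId -replace '-.*$', ''), $_.Entity.Name
        Principal = $_.Principal
        Role      = $_.Role
        Propagate = $_.Propagate
        UserGrant = -not $_.IsGroup      # prefer group grants; user grants are harder to track
        Orphaned  = -not (Test-PrincipalExists -Principal $_.Principal -IsGroup $_.IsGroup)
    }
}

$report | Sort-Object DefinedOn, Principal | Format-Table -AutoSize
'{0} permission(s) granted directly to users, {1} whose principal no longer resolves' -f
    @($report | Where-Object UserGrant).Count, @($report | Where-Object Orphaned).Count

Disconnect-VIServer -Server 'vc01.lab.example' -Confirm:$false
```

Any row flagged Orphaned is a pairing whose user or group has been deleted or renamed in the domain; remove it explicitly rather than waiting for the validation period, because the old name stays valid in vCenter Server until then.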
 

References:

  • http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.vsphere.resmgmt.doc_50/GUID-98BD5A8A-260A-494F-BAAE-74781F5C4B87.html
  • http://pubs.vmware.com/vsphere-4-esxi-installable-vcenter/index.jsp?topic=/com.vmware.vsphere.esxi_server_config.doc_41/esx_server_config/authentication_and_user_management/t_view_sort_export_users_groups.html