Create/Clone/Edit vCenter Server Roles

1.4i

The vSphere security model revolves around roles, privileges and permissions. Roles have privileges which define what a role can do, such as create VMs, change ESXi host configurations, make a change to a vApp, etc. A user or a group is then assigned to a role for a specific object, which grants that account permissions on that object.

vCenter Server and ESXi grant access to an object only to users who hold permissions on that object. When you assign a user or group permissions on an object, you do so by pairing the user or group with a role.

A role is a predefined set of privileges. Privileges define the individual rights a user needs in order to perform actions and read properties.

When you assign a user or group permissions, you pair the user or group with a role and associate that pairing with an inventory object. A single user might have different roles for different objects in the inventory.

The roles created on a host are separate from the roles created on a vCenter Server system. When you manage a host through vCenter Server, the roles created in vCenter Server are available. If you connect directly to the host with the vSphere Client, the roles created directly on the host are available.

Create a Role

VMware recommends that you create roles to suit the access control needs of your environment.

If you create or edit a role on a vCenter Server system that is part of a connected group in Linked Mode, the changes you make are propagated to all other vCenter Server systems in the group. Assignments of roles to specific users and objects are not shared across linked vCenter Server systems.

Verify that you are logged in as a user with Administrator privileges.

Procedure

  1. On the vSphere Client Home page, click Roles.
  2. Right-click the Roles tab information panel and click Add.
  3. Type a name for the new role.
  4. Select privileges for the role and click OK.

Clone a Role

You can make a copy of an existing role, rename it, and later edit it. When you make a copy, the new role is not assigned to any users, groups, or objects; you must assign the role to users or groups on objects yourself.

If you create or modify a role on a vCenter Server system that is part of a connected group in Linked Mode, the changes you make are propagated to all other vCenter Server systems in the group. Assignments of roles to specific users and objects are not shared across linked vCenter Server systems.

Verify that you are logged in as a user with Administrator privileges.

Procedure

  1. On the vSphere Client Home page, click Roles.
  2. In the list of roles, click the role you want to duplicate.
  3. To clone the selected role, select Administration > Role > Clone.
A duplicate of the role is added to the list of roles. Its name is Copy of rolename.

Edit a Role

When you edit a role, you can change the privileges selected for that role. When completed, these privileges are applied to any user or group assigned the edited role.

If you create or edit a role on a vCenter Server system that is part of a connected group in Linked Mode, the changes you make are propagated to all other vCenter Server systems in the group. However, assignments of roles to specific users and objects are not shared across linked vCenter Server systems.

Verify that you are logged in as a user with Administrator privileges.

Procedure

  1. On the vSphere Client Home page, click Roles.
  2. Right-click the role to edit and select Edit Role.
  3. Select privileges for the role and click OK.

Changes to permissions and roles take effect immediately, even if the users involved are logged in. The exception is searches, where permission changes take effect only after the user has logged out and logged back in.
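The same three procedures (create, clone, edit) as an added PowerCLI example, not part of the study guide or VMware's documentation. It assumes the VMware.PowerCLI module is installed; the vCenter hostname vcsa.lab.example, the AD group LAB\vm-operators and the folder Tenant-A VMs are placeholders. It also shows the assignment step that makes a role effective, since a role on its own grants nothing.

```powershell
# Added example (not from the study guide): Create / Clone / Edit vCenter roles
# with VMware PowerCLI instead of the vSphere Client.
# Assumed (placeholders): vCenter vcsa.lab.example, AD group LAB\vm-operators,
# VM folder 'Tenant-A VMs'.

Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcsa.lab.example'   # prompts for Administrator credentials

# --- Create a role ---------------------------------------------------------
# Build a least-privilege role from explicit privilege IDs rather than cloning
# Administrator and trimming it: only what a VM operator needs, nothing more.
$opPrivIds = @(
    'System.Anonymous', 'System.View', 'System.Read',   # baseline every role carries
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.ConsoleInteract'
)
$opPrivs = Get-VIPrivilege -Id $opPrivIds
$opRole  = New-VIRole -Name 'VM Operator' -Privilege $opPrivs

# --- Clone a role ----------------------------------------------------------
# PowerCLI has no clone cmdlet: a clone is a new role seeded with the source
# role's privilege set. As the text says, the copy carries no permissions until
# it is assigned to a principal on an inventory object.
$source = Get-VIRole -Name 'VM Operator'
$clone  = New-VIRole -Name "Copy of $($source.Name)" `
                     -Privilege (Get-VIPrivilege -Role $source)
# Rename the copy once it has a purpose (equivalent of editing the name in the client).
$clone  = Set-VIRole -Role $clone -Name 'VM Operator + Snapshots'

# --- Edit a role -----------------------------------------------------------
# Add snapshot rights and drop Reset. Every permission already bound to this
# role picks the change up immediately (no re-login needed, except for searches).
$snapPrivs = Get-VIPrivilege -Id 'VirtualMachine.State.CreateSnapshot',
                                 'VirtualMachine.State.RemoveSnapshot'
Set-VIRole -Role $clone -AddPrivilege $snapPrivs | Out-Null
Set-VIRole -Role $clone -RemovePrivilege (Get-VIPrivilege -Id 'VirtualMachine.Interact.Reset') | Out-Null

# --- Assign (what makes a role effective) ----------------------------------
# Pair the role with a principal on an inventory object. Scope it to a folder,
# not the vCenter root, and state Propagate explicitly rather than relying on the default.
$scope = Get-Folder -Name 'Tenant-A VMs'
New-VIPermission -Entity $scope -Principal 'LAB\vm-operators' `
                 -Role $clone -Propagate:$true | Out-Null

# --- Verify ----------------------------------------------------------------
# Review what the edited role can do and where it is in use before closing out.
Get-VIPrivilege -Role $clone | Select-Object Id | Sort-Object Id
Get-VIPermission -Role $clone | Select-Object Entity, Principal, Role, Propagate

Disconnect-VIServer -Server 'vcsa.lab.example' -Confirm:$false
```

Privilege IDs are the stable way to define a role in scripts; display names differ between client versions, and on a Linked Mode group the role definition (but not its permission assignments) propagates to the other vCenter Server systems exactly as described above.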
