1.4l |
A role is a predefined set of privileges.
Privileges define individual rights that a user requires to perform actions and read properties.
When you assign a principal (user or group) permissions, you pair the principal with a role and associate that pairing with an inventory object.
A single user might have different roles for different objects in the inventory.
The roles created on a host are separate from the roles created on a vCenter Server system. When you manage a host using vCenter Server, the roles created through vCenter Server are available. If you connect directly to the host using the vSphere Client, the roles created directly on the host are available.
| Privilege | The right to perform a specific action, e.g. power on a VM, change a configuration value, or create a task |
Role |
A collection of privileges |
Object |
The entity on which roles are applied, e.g. VM, host, folder, cluster, etc |
Principal |
The individual or set of individuals to which privileges or roles are granted |
Permissions |
The application of a role to a user/group for an object |
Task |
Required Privileges |
Applicable Role |
||||||||||||||||||
Create a virtual machine |
On the destination folder or datacenter:
|
Virtual Machine Administrator |
||||||||||||||||||
On the destination host, cluster, or resource pool: |
Virtual Machine Administrator |
|||||||||||||||||||
On the destination datastore or folder containing a datastore: |
Datastore Consumer or Virtual Machine Administrator |
|||||||||||||||||||
On the network that the virtual machine will be assigned to: |
Network Consumer or Virtual Machine Administrator |
|||||||||||||||||||
Deploy a virtual machine from a template |
On the destination folder or datacenter:
|
Virtual Machine Administrator |
||||||||||||||||||
On a template or folder of templates: |
Virtual Machine Administrator |
|||||||||||||||||||
On the destination host, cluster or resource pool: |
Virtual Machine Administrator |
|||||||||||||||||||
On the destination datastore or folder of datastores: |
Datastore Consumer or Virtual Machine Administrator |
|||||||||||||||||||
On the network that the virtual machine will be assigned to: |
Network Consumer or Virtual Machine Administrator |
|||||||||||||||||||
Take a virtual machine snapshot |
On the virtual machine or a folder of virtual machines: |
Virtual Machine Power User or Virtual Machine Administrator |
||||||||||||||||||
On the destination datastore or folder of datastores: |
Datastore Consumer or Virtual Machine Administrator |
|||||||||||||||||||
Move a virtual machine into a resource pool |
On the virtual machine or folder of virtual machines:
|
Virtual Machine Administrator |
||||||||||||||||||
On the destination resource pool: |
Virtual Machine Administrator |
|||||||||||||||||||
Install a guest operating system on a virtual machine |
On the virtual machine or folder of virtual machines:
|
Virtual Machine Power User or Virtual Machine Administrator |
||||||||||||||||||
On a datastore containing the installation media ISO image: |
Virtual Machine Power User or Virtual Machine Administrator |
|||||||||||||||||||
Migrate a virtual machine with vMotion |
On the virtual machine or folder of virtual machines:
|
Datacenter Administrator or Resource Pool Administrator or Virtual Machine Administrator |
||||||||||||||||||
On the destination host, cluster, or resource pool (if different from the source): Resource.Assign Virtual Machine to Resource Pool |
Datacenter Administrator or Resource Pool Administrator or Virtual Machine Administrator |
|||||||||||||||||||
Cold migrate (relocate) a virtual machine |
On the virtual machine or folder of virtual machines:
|
Datacenter Administrator or Resource Pool Administrator or Virtual Machine Administrator |
||||||||||||||||||
On the destination host, cluster, or resource pool (if different from the source): Resource.Assign Virtual Machine to Resource Pool |
Datacenter Administrator or Resource Pool Administrator or Virtual Machine Administrator |
|||||||||||||||||||
On the destination datastore (if different from the source): |
Datastore Consumer or Virtual Machine Administrator |
|||||||||||||||||||
Migrate a Virtual Machine with Storage vMotion |
On the virtual machine or folder of virtual machines: Resource.Migrate |
Datacenter Administrator or Resource Pool Administrator or Virtual Machine Administrator |
||||||||||||||||||
On the destination datastore: Datastore.Allocate Space |
Datastore Consumer or Virtual Machine Administrator |
|||||||||||||||||||
Move a host into a cluster |
On the host: Host.Inventory.Add Host to Cluster |
Datacenter Administrator or Virtual Machine Administrator |
||||||||||||||||||
On the destination cluster:Host.Inventory.Add Host to Cluster |
Datacenter Administrator or Virtual Machine Administrator |
References:
- http://pubs.vmware.com/vsphere-4-esx-vcenter/index.jsp?topic=/com.vmware.vsphere.dcadmin.doc_41/vsp_dc_admin_guide/
managing_users_groups_roles_and_permissions/c_managing_users_groups_roles_and_permissions.html - http://communities.vmware.com/docs/DOC-11409