
Access and Authentication Control

Module 9

2011 VMware Inc. All rights reserved

Importance

When multiple users access the VMware vSphere environment, a best practice is to give each user only the necessary permissions and nothing more. VMware vCenter Server allows flexible assignment of permissions.

VMware vSphere: Install, Configure, Manage Revision A


Module Lessons

Lesson 1: Configure ESXi Host Access and Authentication
Lesson 2: Configuring Roles and Permissions


Lesson 1: Configure ESXi Host Access and Authentication


Learner Objectives

After this lesson, you should be able to do the following:
• Configure the VMware ESXi firewall by enabling and disabling services
• Enable and disable lockdown mode on an ESXi host
• Configure user logins to authenticate with directory services


Configuring the ESXi Firewall


Configuring Security Profile Services


Enabling and Disabling Lockdown Mode


Integrating ESXi with Active Directory (AD)


Review of Learner Objectives

You should be able to do the following:
• Configure the ESXi firewall by enabling and disabling services
• Enable and disable lockdown mode on an ESXi host
• Configure user logins to authenticate with directory services


Lesson 2:
Configuring Roles and Permissions


Learner Objectives

After this lesson, you should be able to do the following:
• Define a permission.
• Describe the rules for applying permissions.
• Create a custom role.
• Create a permission.


Access Control Overview

The access control system allows the vCenter Server administrator to define a user's privileges to access objects in the inventory.
Key concepts:
• Privilege: defines an action that can be performed.
• Role: a set of privileges.
• Object: the target of the action.
• User/group: indicates who can perform the action.
Together, a role, a user or group, and an object define a permission.


Users and Groups

vCenter Server or VMware ESX/ESXi users and groups can be local users or Active Directory domain users.
When an ESXi host is joined to Active Directory, Active Directory provides authentication for all local services:
• VMware vSphere Client
• Direct console user interface
• Technical support mode (local and remote)
• Access through the VMware vSphere API
Users who are in the Active Directory group ESX Admins are automatically assigned the Administrator role on the host. Membership in that group therefore grants full control of every domain-joined host and should be kept to a minimum.


Roles

Roles are collections of privileges:
• They allow users to perform tasks.
• The privileges are grouped in categories.
Roles include system roles, sample roles, and custom-built roles.


Objects

Objects are entities on which actions are performed.
• Objects include datacenters, folders, resource pools, clusters, hosts, datastores, networks, and virtual machines.
All objects have a Permissions tab.
• This tab shows which user or group and role are associated with the selected object.


Assigning Permissions

To assign a permission:
1. Select a user or group.
2. Select a role.
3. (Optional) Propagate the permission to child objects.


Viewing Roles and Assignments

The Roles pane shows which users are assigned the selected role on a particular object.


Applying Permissions: Scenario 1

A permission can propagate down the object hierarchy to all subobjects, or it can apply only to the immediate object.

Diagram: Greg is assigned the Administrator role on a parent object, with propagation, and the No Access role on one of its child objects. A permission set directly on a child object overrides the permission inherited from the parent, so Greg has no access to that child object while remaining Administrator on the parent and on its other subobjects.

Applying Permissions: Scenario 2

When a user is a member of multiple groups with permissions on the same object:
• The user is assigned the union of the privileges assigned to those groups for that object.

Diagram: on a single object, Group1 holds the custom role VM_Power_On and Group2 holds the custom role Take_Snapshots.
Members of Group1: Greg, Susan
Members of Group2: Greg, Carla
Result: on that object Greg can both power on the virtual machine and take snapshots; Susan can only power on; Carla can only take snapshots.

Applying Permissions: Scenario 3

When a user is a member of multiple groups with permissions on different objects:
• For each object on which a group has permissions, the same permissions apply as if they were granted directly to the user.

Diagram: Group1 holds the Administrator role on one object and Group2 holds the Read-only role on a different object.
Members of Group1: Greg, Susan
Members of Group2: Greg, Carla
Result: Greg is Administrator on the first object and Read-only on the second; Susan is Administrator only on the first, and Carla is Read-only only on the second.

Applying Permissions: Scenario 4

Permissions defined explicitly for the user on an object take precedence over all group permissions on that same object.

Diagram: on a single object, Group1 holds the custom role VM_Power_On, Group2 holds the custom role Take_Snapshots, and Greg is explicitly assigned the Read-only role.
Members of Group1: Greg, Susan
Members of Group2: Greg, Carla
Result: Greg has only Read-only access to that object; the two group roles do not apply to him there. Susan still gets VM_Power_On and Carla still gets Take_Snapshots.

Creating a Role

Create roles that enable only the necessary tasks:
• Example: Virtual Machine Creator
Use folders to contain the scope of permissions:
• For example, assign the Virtual Machine Creator role to user Nancy and apply it to the Finance folder.

Privileges in the Virtual Machine Creator role:
• Datastore > Allocate space
• Network > Assign network
• Resource > Assign virtual machine to resource pool
• Virtual machine > Inventory > Create new
• Virtual machine > Configuration > Add new disk
• Virtual machine > Configuration > Add or remove device
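The four permission scenarios and the Virtual Machine Creator example can be replayed in code. The following Python model is an added example, not VMware code and not an API the course uses: it encodes the rules the module states (a permission either propagates to subobjects or applies only to its object; a permission set on a child object overrides one inherited from the parent; a user in several groups gets the union of the groups' privileges; an explicit user permission on an object takes precedence over all group permissions on it) and checks Greg's and Nancy's effective privileges. The inventory objects, the group memberships and the "*" shorthand for the Administrator role are constructed for the example; the privilege IDs follow vSphere's dotted privilege naming.

```python
"""Model of vCenter Server permission resolution (added example, not VMware code)."""
from dataclasses import dataclass, field
from typing import Optional

ALL = frozenset({"*"})  # constructed shorthand: the Administrator role carries every privilege

@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset

@dataclass(frozen=True)
class Permission:
    principal: str  # a user or a group name
    role: Role
    propagate: bool = True  # propagate to child objects, or apply to this object only

@dataclass
class InvObject:
    name: str
    parent: Optional["InvObject"] = None  # datacenter, folder, host, VM ... with a parent link
    permissions: list = field(default_factory=list)

    def grant(self, principal, role, propagate=True):
        self.permissions.append(Permission(principal, role, propagate))
        return self

# System roles named in the module; privilege IDs follow vSphere's dotted naming.
ADMINISTRATOR = Role("Administrator", ALL)
READ_ONLY = Role("Read-only", frozenset({"System.Anonymous", "System.View", "System.Read"}))
NO_ACCESS = Role("No Access", frozenset())

def effective_privileges(user, groups, obj):
    """Privilege IDs `user` holds on `obj`; `groups` maps group name -> set of member users."""
    level, here = obj, True
    while level is not None:
        # on the object itself every permission applies; on ancestors only propagating ones
        perms = [p for p in level.permissions if here or p.propagate]
        mine = [p for p in perms if p.principal == user]
        if mine:
            # an explicit user permission takes precedence over group permissions on this object
            return frozenset().union(*(p.role.privileges for p in mine))
        via_groups = [p for p in perms if user in groups.get(p.principal, ())]
        if via_groups:
            # member of several groups with permissions here: union of the groups' privileges
            return frozenset().union(*(p.role.privileges for p in via_groups))
        # nothing on this object names the user, so the permission inherited from the
        # parent decides; a permission found here would have overridden it
        level, here = level.parent, False
    return frozenset()

def has_privilege(user, groups, obj, privilege):
    privs = effective_privileges(user, groups, obj)
    return "*" in privs or privilege in privs

def run_scenarios():
    """Replay the module's four scenarios and the Virtual Machine Creator role."""
    groups = {"Group1": {"Greg", "Susan"}, "Group2": {"Greg", "Carla"}}  # constructed membership
    vm_power_on = Role("VM_Power_On", frozenset({"VirtualMachine.Interact.PowerOn"}))
    take_snapshots = Role("Take_Snapshots", frozenset({"VirtualMachine.State.CreateSnapshot"}))
    # Scenario 1: Administrator propagated from the datacenter, No Access set on one VM
    dc = InvObject("Datacenter").grant("Greg", ADMINISTRATOR)
    vm_a = InvObject("VM-A", dc)
    vm_b = InvObject("VM-B", dc).grant("Greg", NO_ACCESS, propagate=False)
    # Scenario 2: two groups with permissions on the same object
    vm_c = InvObject("VM-C").grant("Group1", vm_power_on).grant("Group2", take_snapshots)
    # Scenario 3: two groups with permissions on different objects
    pool = InvObject("ResourcePool").grant("Group1", ADMINISTRATOR)
    vm_d = InvObject("VM-D").grant("Group2", READ_ONLY)
    # Scenario 4: explicit Read-only for Greg beside the two group permissions
    vm_e = (InvObject("VM-E").grant("Group1", vm_power_on)
            .grant("Group2", take_snapshots).grant("Greg", READ_ONLY))
    # Creating a Role: Virtual Machine Creator, scoped to the Finance folder only
    vm_creator = Role("Virtual Machine Creator", frozenset({
        "Datastore.AllocateSpace", "Network.Assign", "Resource.AssignVMToPool",
        "VirtualMachine.Inventory.Create", "VirtualMachine.Config.AddNewDisk",
        "VirtualMachine.Config.AddRemoveDevice"}))
    root = InvObject("vCenter")
    finance = InvObject("Finance", root).grant("Nancy", vm_creator)
    hr = InvObject("HR", root)

    delete_vm, create_vm = "VirtualMachine.Inventory.Delete", "VirtualMachine.Inventory.Create"
    return {
        "s1_vm_a": has_privilege("Greg", groups, vm_a, delete_vm),  # True: inherited Administrator
        "s1_vm_b": has_privilege("Greg", groups, vm_b, delete_vm),  # False: No Access on the child wins
        "s2_greg": sorted(effective_privileges("Greg", groups, vm_c)),  # union of both custom roles
        "s2_susan": sorted(effective_privileges("Susan", groups, vm_c)),
        "s3_pool": has_privilege("Greg", groups, pool, "Resource.AssignVMToPool"),
        "s3_vm_d": sorted(effective_privileges("Greg", groups, vm_d)),
        "s4_greg": sorted(effective_privileges("Greg", groups, vm_e)),  # Read-only only
        "s4_carla": sorted(effective_privileges("Carla", groups, vm_e)),
        "nancy_finance": has_privilege("Nancy", groups, finance, create_vm),  # True
        "nancy_hr": has_privilege("Nancy", groups, hr, create_vm),  # False: outside the folder scope
        "nancy_delete": has_privilege("Nancy", groups, finance, delete_vm),  # False: not in the role
    }
```

Calling `run_scenarios()` returns one entry per check; the two `nancy_*` entries show why scoping the role to the Finance folder matters: Nancy can create virtual machines there and nowhere else, and even in Finance she cannot delete them, because that privilege is not in the role.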


Lab 14

In this lab, you will manage user access permissions.
1. Configure an ESXi host to use directory services.
2. Use Active Directory accounts to verify proper access to your ESXi host.
3. Create a custom role in the vCenter Server appliance.
4. Assign permissions on vCenter Server inventory objects.
5. Verify permission usability.


Review of Learner Objectives

You should be able to do the following:
• Define a permission.
• Describe the rules for applying permissions.
• Create a custom role.
• Create a permission.


Key Points

• A permission is a combination of a user or group and a role that is applied to an object in the inventory.
• A permission can propagate down the object hierarchy to all subobjects, or it can apply only to an immediate object.
• As a best practice, define a role using the smallest number of privileges possible, for better security and added control.

