Use the Domain drop-down box to show users and groups from Active Directory if
you've configured your ESXi host to integrate with Active Directory.
Once you've found the user or group you want, click the Add button, and then click OK.
This returns you to the Assign Permissions dialog box, where the user or group is listed
on the left side.
5. From the Assigned Role drop-down list, choose the role to which the selected users or
groups should be assigned. In this case, select Operator—the role you defined earlier—
from the drop-down list to assign that role to the selected user or group.
What if you have an ESXi host that will host 30 VMs and only 10 of those are the web server
VMs? If you assign the permission at the ESXi host level, as we just demonstrated, then you'll
assign that role to all 30 VMs, not just the 10 web server VMs. This is because when you assign a
permission, an option named Propagate To Child Objects is enabled by default. Figure 8.8 shows
the Assign Permissions dialog box; note the option to propagate permissions in the lower-right
corner of the dialog box.
Figure 8.8 By default, assigning a permission to an object will propagate that permission to all child objects.
This option works like the security inheritance settings in a Windows filesystem. It allows
the privileges assigned in this role to be applied to objects beneath the selected object. For example,
if the Operator role is applied as a permission on the ESXi host in the inventory panel and
the Propagate To Child Objects option is enabled, all members of the Operator role will be able
to interact with all the VMs hosted on the ESXi host. Although this certainly simplifies access
control implementation, it adds another problem: The permissions of the Operator role have
been overextended and now apply to all VMs and not just the web servers. With access control
granted at the host level, members of the Operator role will be able to change floppy and CD
media and use the console of the web server VMs, but they will also be able to do that on any
other VM in the inventory. To keep the role scoped to the web servers, assign the permission on
the web server VMs themselves (or on a container object that holds only those VMs) instead of
on the host, and then review the permissions on a non-web VM to confirm that the Operator role
is not listed there.
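The same assignment can be scripted with PowerCLI, which makes the scope of the permission explicit and easy to verify. The following is an added example and is not code from the book; it assumes a direct connection to the ESXi host (the hostname esxi01.example.com is made up), a custom role already named Operator on that host as described above, a local ESXi user named operator (an assumed name; an Active Directory principal would be written as DOMAIN\user), and that the web server VMs are named web01 through web10 (assumed naming). The commented-out line shows the host-level assignment the text warns about; the loop shows the scoped alternative.

```powershell
# Added PowerCLI example, not from the book.
# Assumptions: esxi01.example.com is the ESXi host (made-up name), the custom
# role "Operator" already exists on it, "operator" is a local ESXi user
# (assumed name), and the web server VMs are named web01..web10 (assumed).
Connect-VIServer -Server 'esxi01.example.com'   # prompts for credentials

$role      = 'Operator'
$principal = 'operator'   # for an AD account use 'DOMAIN\user'

# What the text warns against: a host-level permission with Propagate
# (the default) reaches every VM on the host, not just the web servers.
# New-VIPermission -Entity (Get-VMHost) -Principal $principal -Role $role -Propagate $true

# Scoped alternative: grant the role only on the web server VMs.
# A VM has no child objects, so Propagate is irrelevant here; it is set to
# $false to make the intent obvious when the permissions are reviewed later.
$webVMs = Get-VM -Name 'web*'
foreach ($vm in $webVMs) {
    New-VIPermission -Entity $vm -Principal $principal -Role $role -Propagate $false
}

# Verify: the Operator role should be listed on the web VMs and nowhere else.
Get-VIPermission -Principal $principal |
    Select-Object Entity, Role, Propagate |
    Sort-Object Entity

# Negative check on one non-web VM: expect no Operator entry for this principal.
Get-VIPermission -Entity (Get-VM | Where-Object { $_.Name -notlike 'web*' } | Select-Object -First 1) |
    Where-Object { $_.Principal -like "*$principal*" }
```

The negative check matters as much as the positive one: the over-propagation problem in the text only becomes visible when you look at a VM that should not carry the permission.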