Managing vCenter Server Permissions
The security model for vCenter Server is identical to that explained in the previous section for
an ESXi host: Take a user or group and assign them to a role (which has one or more privileges
assigned) for a specific inventory object. The key difference is that vCenter Server enables new
objects in the inventory hierarchy that aren't possible with individual ESXi hosts. This would
include objects like clusters and folders (both of which we discussed in Chapter 3). vCenter
Server also supports resource pools (which we introduced in the section “Using Resource Pools
to Assign Permissions” and which we'll discuss in greater detail in Chapter 11). vCenter Server
also allows you to assign permissions in different ways; for example, an ESXi host has only one
inventory view, while vCenter Server has the Hosts And Clusters view, VMs And Templates
view, Storage view, and Networking view. Permissions—the assignment of a role to one or more
inventory objects—can occur in any of these views.
As you can see, this means that vCenter Server allows vSphere administrators to create much
more complex permissions hierarchies than you could create using only ESXi hosts.
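Because permissions can be set on objects in any of these views, it helps to review them as one flat list of principal, role, and inventory object. The following PowerCLI script is an added example, not from the original text; it assumes VMware PowerCLI is installed and a session to vCenter Server is already open with Connect-VIServer, and every variable name in it is illustrative.

```powershell
# Added example: read-only audit of vCenter Server permissions.
# Assumes an existing PowerCLI session (Connect-VIServer was already run).

# Privilege count per role name, so each grant can be ranked by how much it allows.
$privCount = @{}
Get-VIRole | ForEach-Object { $privCount[$_.Name] = @($_.PrivilegeList).Count }

# One row per permission: who (principal), what (role), where (inventory object).
$report = Get-VIPermission | ForEach-Object {
    [pscustomobject]@{
        Principal  = $_.Principal
        IsGroup    = $_.IsGroup
        Role       = $_.Role
        Privileges = $privCount[$_.Role]
        # PowerCLI type names end in "Impl" (FolderImpl, ClusterImpl, ...).
        ObjectType = $_.Entity.GetType().Name -replace 'Impl$', ''
        Object     = $_.Entity.Name
        Propagate  = $_.Propagate
    }
}

# Broadest grants first: roles with the most privileges float to the top.
$report |
    Sort-Object -Property Privileges -Descending |
    Format-Table -AutoSize

# Grants made directly to user accounts instead of groups.
$report |
    Where-Object { -not $_.IsGroup } |
    Format-Table Principal, Role, ObjectType, Object, Propagate -AutoSize

# Principals that hold different roles on different objects, which is where
# a permissions hierarchy becomes hard to reason about.
$report |
    Group-Object -Property Principal |
    Where-Object { @($_.Group.Role | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            Principal = $_.Name
            Roles     = ($_.Group.Role | Select-Object -Unique) -join ', '
            Objects   = ($_.Group.Object | Select-Object -Unique) -join ', '
        }
    } |
    Format-Table -AutoSize -Wrap
```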
Recall that a key part of the security model is the role—the grouping of privileges that you
assign to a user or group in a permission. Let's take a closer look at the predefined roles that
come with vCenter Server.
Reviewing vCenter Server's Roles
Where the ESXi host is quite limited in its default roles, vCenter Server provides more, thereby
offering a much greater degree of flexibility in constructing access control. Although both security
models offer the flexibility of creating custom roles, ESXi includes three default roles, while
vCenter Server provides nine, including the same three offered in ESXi. Figure 8.12 details the
default vCenter Server roles. These roles are visible from within the vSphere Web Client by
selecting Home > Roles.
Figure 8.12 The vCenter Server default roles offer much more flexibility than an individual ESXi host offers.
As you can see, VMware provides a large number of roles in a default vCenter Server installation.
Remember, just as with the default ESXi roles, vCenter Server will prevent you from
modifying the No Access, Read-Only, and Administrator roles—you must clone them in order