to customize them. Once you clone one of the built-in roles, you can customize the privileges
assigned to that role to meet your specific needs.
The key to using these roles effectively is to understand the functions of each:
No Access This role is just what it sounds like—it prevents a user or group from gaining
access. But why do you need it? The idea behind this role is to prevent a user or group that has
permissions at some point higher in the hierarchy from having permissions on the object to
which this role is assigned. For instance, you may have granted Eileen the Virtual Machine
User role at the datacenter level, which would allow her to administer all of the VMs in the
datacenter, but there is a security concern about her having access to one of the accounting
VMs in that datacenter. You could assign Eileen to the No Access role on the Accounting VM,
which would effectively supersede her Virtual Machine User privileges.
Read-Only Read-Only allows users to see the vCenter Server inventory. It does not allow
them to interact with any of the VMs in any way through the vSphere Client or the web client
except to see the power status of each VM in the inventory where they have the Read-Only
role applied.
Administrator A user assigned to an object with the Administrator role will have full
administrative capabilities over that object in vCenter Server. Note that this does not grant
any privileges within the guest OSes installed inside the VMs. For instance, a user assigned
the Administrator role for a VM may be able to change the RAM assigned to the VM and
alter its performance parameters (Shares, Reservations, and Limits) but may not even have
the permissions to log into that VM unless they have been granted that right from within the
guest OS.
The Administrator role can be granted at any object level in the hierarchy, and the user or
group that is assigned the role at that level will have vCenter Server administrative privileges
over that object and (if the inheritance box is selected) any child objects in the hierarchy.
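The Eileen scenario and the inheritance behavior described above can be traced with a small model. This is an added example, not code from the book or from VMware; it is a simplified model that implements only the two rules the text states, and the object names and the effective_role and audit helpers are hypothetical.

```python
# Simplified model (assumption): implements only the two rules described in
# the text: propagation to child objects, and a direct assignment on an
# object superseding whatever is inherited from higher in the hierarchy.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    # principal -> (role name, propagate to children?)
    permissions: dict = field(default_factory=dict)

    def grant(self, principal, role, propagate=True):
        self.permissions[principal] = (role, propagate)


def effective_role(node, principal):
    """Walk from the object up to the root; the nearest applicable grant wins."""
    current = node
    while current is not None:
        if principal in current.permissions:
            role, propagate = current.permissions[principal]
            # A grant on the object itself always applies; an ancestor's
            # grant applies only if the inheritance box was selected.
            if current is node or propagate:
                return role
        current = current.parent
    return None  # no permission defined anywhere on the path


def audit(nodes, principal):
    """Map each object name to the role the principal effectively holds."""
    return {n.name: effective_role(n, principal) for n in nodes}


def build_example(propagate=True):
    # Constructed inventory mirroring the Eileen scenario in the text.
    dc = Node("Datacenter")
    web = Node("Web VM", parent=dc)
    acct = Node("Accounting VM", parent=dc)
    dc.grant("Eileen", "Virtual Machine User", propagate=propagate)
    acct.grant("Eileen", "No Access")
    return [dc, web, acct]


if __name__ == "__main__":
    for name, role in audit(build_example(), "Eileen").items():
        print(f"{name}: {role}")
```

Running an audit like this over every principal is a quick way to confirm that a No Access assignment actually sits on the object it is meant to protect rather than on a sibling.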
Aside from the No Access, Read-Only, and Administrator roles, the rest of the roles are sample
roles. These are intended to provide vSphere administrators with an idea of how to organize
roles and permissions to model the appropriate administrative structure.
Virtual Machine Power User (Sample) The Virtual Machine Power User sample role
assigns permissions to allow a user to perform most functions on VMs. This includes tasks
such as configuring CD and floppy media, changing the power state, taking and deleting
snapshots, and modifying the configuration. These permissions apply only to VMs. The idea
here is, as an example, if users are granted this role at a datacenter level, they would be able
to manage only VMs in that datacenter and would not be able to change settings on objects
such as resource pools in that datacenter.
Virtual Machine User (Sample) The Virtual Machine User sample role grants the user the
ability to interact with a VM but not the ability to change its configuration. Users can operate
the VM's power controls and change the media in the virtual CD-ROM drive or floppy
drive as long as they also have access to the media they want to change. For instance, a user
who is assigned this role for a VM will be able to change the CD media from an ISO image
on a shared storage volume to their own client system's physical CD-ROM drive. If you want
them to be able to change from one ISO file to another (both stored on a Virtual Machine
File System [VMFS] volume or Network File System [NFS] volume), they will also need to be