users the ability to perform seemingly simple tasks within vCenter Server. Let's review a couple
of examples of how privileges, roles, and permissions combine in vCenter Server.
Delegating the Ability to Create Virtual Machines and Install a Guest OS
One common access control delegation in a virtual infrastructure is to give a group of users (for
example, a provisioning or deployment team) the rights to create VMs. After just browsing through
the list of available privileges, it might seem simple to accomplish this. It is, however, more complex
than meets the eye. Providing a user with the ability to create a VM involves assigning a combination
of privileges at multiple levels throughout the vCenter Server inventory.
Combining Privileges, Roles, and Permissions in vCenter Server
So far, we've shown you all the pieces you need to know in order to structure vCenter Server
to support your company's management and operational requirements. How these pieces fit
together, though, can sometimes be more complex than you might expect. In the next few
paragraphs, we will walk you through an example.
Here's the scenario: Within your IT department, one group handles building all Windows
servers. Once the servers are built, operational control of the servers is handed off to a separate
group. Now that you have virtualized your datacenter, this same separation of duties needs to
be re-created within vCenter Server. Sounds simple, right? You just need to configure vCenter
Server so that this group has the ability to create VMs. This group is represented within Active
Directory with a group object (this Active Directory group is named IT-Provisioning), and you'd
like to leverage the Active Directory group membership to control who is granted these
permissions within vCenter Server.
In the following steps, we've deliberately kept some of the items at a high level. For example,
we don't go into how to create a role or how to assign that role to an inventory object as a
permission because those tasks are covered elsewhere in this chapter.
Perform the following steps to allow a Windows-based group to create VMs:
1. Use the vSphere Web Client to connect to a vCenter Server instance. Log in with a user
account that has been assigned the Administrator role within vCenter Server.
2. On the Home screen, click on the Roles icon.
3. Create a new role called VMCreator.
4. Assign the following privileges to the VMCreator role:
   - Datastore > Allocate Space
   - Virtual Machine > Inventory > Create New
   - Virtual Machine > Configuration > Add New Disk
   - Virtual Machine > Configuration > Add Existing Disk
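
The following PowerCLI sketch is an added example, not code from the book. It creates the VMCreator role with only the four privileges listed above, then audits the role for drift and shows where it is assigned. The server name vcenter.example.com is a placeholder, and the mapping from the displayed privilege names to privilege IDs is our own.

```powershell
# Added example (not from the book). Assumes VMware PowerCLI is installed.
# 'vcenter.example.com' is a placeholder for your vCenter Server.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vcenter.example.com' | Out-Null   # prompts for credentials

$roleName = 'VMCreator'

# Privilege IDs for the four privileges listed in step 4.
$expected = @(
    'Datastore.AllocateSpace',               # Datastore > Allocate Space
    'VirtualMachine.Inventory.Create',       # Virtual Machine > Inventory > Create New
    'VirtualMachine.Config.AddNewDisk',      # Virtual Machine > Configuration > Add New Disk
    'VirtualMachine.Config.AddExistingDisk'  # Virtual Machine > Configuration > Add Existing Disk
)

# Create the role only if it does not exist, so reruns act as an audit.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id $expected)
}

# vCenter adds these three system privileges to every role; ignore them.
$implicit = @('System.Anonymous', 'System.Read', 'System.View')
$actual   = @($role.PrivilegeList | Where-Object { $_ -notin $implicit })

# Least-privilege check: anything beyond the expected set is drift.
$extra   = @($actual   | Where-Object { $_ -notin $expected })
$missing = @($expected | Where-Object { $_ -notin $actual })

if ($extra.Count -gt 0) {
    Write-Warning "$roleName holds unexpected privileges: $($extra -join ', ')"
}
if ($missing.Count -gt 0) {
    Write-Warning "$roleName is missing privileges: $($missing -join ', ')"
}
if ($extra.Count -eq 0 -and $missing.Count -eq 0) {
    Write-Output "$roleName matches the expected privilege set."
}

# Show every inventory object where the role is granted, to whom, and
# whether the permission propagates to child objects.
Get-VIPermission |
    Where-Object { $_.Role -eq $roleName } |
    Select-Object Entity, Principal, IsGroup, Propagate |
    Format-Table -AutoSize
```

Extend `$expected` as further privileges are added to the role, and review the permission table for assignments that propagate more widely than the provisioning group needs.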