When the user is logged on to the vCenter Server computer as Sue Rindlee, the inventory reflects
only the objects available to her through her permissions. Based on the permission assignment
described, Sue Rindlee will be able to modify all of the VMs in the Production resource pool. This
validates that Sue's Virtual Machine Power User status through membership in the VM_Admin
group prevails over the Read-Only status obtained through her membership in the VM_Auditors
group.
In this scenario, the effective permission is a cumulative permission when a user belongs to
multiple groups with different permissions on the same object. Even if Sue Rindlee belonged to a group
assigned to the No Access vCenter Server role, her Virtual Machine Power User role would prevail.
However, if Sue Rindlee's user account was added directly to a vCenter Server object and assigned
the No Access role, then she would not have access to any of the objects to which that permission
has propagated.
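As an added illustration (not code from the book or from VMware), the following Python model resolves a user's effective privileges under the rules just described: a permission assigned directly to the user on an object beats any group permission on that object, group privileges otherwise accumulate, and a permission on a child object overrides one propagated from its parent (documented vCenter behaviour that this passage only implies). The groups VM_Admin and VM_Auditors, the Production resource pool and the role names come from the text; the VM_Deny group, the user id "sue", the VM name and the privilege strings are constructed placeholders, not real vCenter privilege identifiers.

```python
from dataclasses import dataclass, field

# Role names come from the text; privilege strings are simplified stand-ins,
# not real vCenter privilege identifiers.
ROLES = {"No Access": frozenset(), "Read-Only": frozenset({"System.Read"}),
         "Virtual Machine Power User": frozenset({"System.Read", "VM.PowerOn", "VM.PowerOff"})}

@dataclass
class Permission:
    principal: str          # user or group name
    is_group: bool
    role: str
    propagate: bool = True  # inherited by child objects when True

@dataclass
class InvObject:
    name: str
    parent: "InvObject | None" = None
    permissions: list = field(default_factory=list)

    def lineage(self):
        """Inventory root down to and including self."""
        return (self.parent.lineage() if self.parent else []) + [self]

def effective_privileges(user, groups, obj):
    """Root-to-leaf walk, so the nearest object holding an applicable permission
    wins (child overrides propagated parent). At that object a permission assigned
    directly to the user beats every group permission; otherwise the privileges
    of all matching groups are unioned (the cumulative permission in the text)."""
    privs = frozenset()
    for node in obj.lineage():
        applicable = [p for p in node.permissions
                      if (p.propagate or node is obj)
                      and (p.principal in groups if p.is_group else p.principal == user)]
        if applicable:
            direct = [p for p in applicable if not p.is_group]
            privs = frozenset().union(*(ROLES[p.role] for p in (direct or applicable)))
    return privs

def build_scenario(sue_direct_no_access=False):
    """Constructed inventory: vCenter root -> Production resource pool -> one VM."""
    vc = InvObject("vCenter Server")
    prod = InvObject("Production", vc, [
        Permission("VM_Admin", True, "Virtual Machine Power User"),
        Permission("VM_Auditors", True, "Read-Only"),
        Permission("VM_Deny", True, "No Access")])  # extra group, constructed for the test
    if sue_direct_no_access:
        prod.permissions.append(Permission("sue", False, "No Access"))
    return vc, prod, InvObject("web01", prod)
```

With `build_scenario()` Sue keeps the Power User privileges even when also placed in VM_Deny; with `build_scenario(sue_direct_no_access=True)` the direct No Access assignment on Production removes every privilege on the pool and on the VM beneath it.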
Even with a good understanding of permission propagation, you should always proceed with caution
and maintain the principle of least privilege to ensure that no user has been extended privileges
beyond those necessary as part of a job role.
When delegating authority, it is always better to err on the side of caution. Do not provide
more permissions than are necessary for the job at hand. Just as in any other information
systems environment, your access-control implementation is a living object that will consistently
require consideration and revision. Manage your permissions carefully, be flexible, and expect
that users and administrators alike are going to be curious and will push their access levels to
the limits. Stay a step ahead, and always remember the principle of least privilege.
We'll conclude the discussion of vCenter Server security with a quick look at vCenter Server
logging.
Examining vCenter Server Logging
As we mentioned in the section "Configuring ESXi Host Logging," logging is an important part
of security, as well as an extremely useful tool in troubleshooting. You've seen how to handle
logging for ESXi; now let's take a quick look at vCenter Server logging.
vCenter Server can forward its logs to a centralized VMware-based log server called vCenter
Log Insight. However, this is a separate product and outside the scope of this topic. The vSphere
Web Client does provide a way to view the logs that vCenter Server generates. From the home
screen of the vSphere Web Client, select Log Browser to examine the logs. Figure 8.13 shows this
section of the vSphere Web Client.
This screen allows you to review the vCenter Server logs for additional information on tasks
performed, actions requested, and configuration changes made.
From this screen, you can also search, filter, and export the system logs, a task we described
earlier in Chapter 3.
In the next section of this chapter, we'll shift the focus to securing the third and final
component of your vSphere environment: the VMs.