Q
Problem solve Get help with specific problems with your technologies, process and projects.

How do I assign vSphere permissions for segregated VM control?

Admins can define vSphere roles to manage user access and control over virtualized platforms. So what are some tips to start that process?

There are various options to set up segregated controls of VMs on virtualized platforms. For example, it's fairly...

straightforward to devolve networking control to an enterprise networking team. Admins can assign separate vSphere permissions in each of the vSphere inventory views, granting the network team control of just the port groups and distributed switches in the network view. Similarly, admins can devolve control of data stores to the storage team and specific VMs to application support teams. This process around vSphere permissions is done in two steps.

First, you must define a role, which is a collection of privileges, such as the ability to add a network to an ESXi server. VSphere has hundreds of privileges for different types of objects. There are some built-in roles in vSphere, but you will probably need to create your own role for the network team, maybe called Network Admin. It can be tricky to work out the correct privileges for a role, so perform testing in a nonproduction environment first.

Once you have a role, you need to assign it to a group, based on whichever object it needs to manage. This object can be at any level in the vSphere inventory -- from one data center to the entire vCenter. You can assign roles to Active Directory (AD) groups, then use group memberships in AD to control who gets access. For example, you might grant the AD group HQ Network Administrators the role Network Admin for the data center named HQ. Then, that group can manage any network in that data center, but nothing else. In a similar way, you can allow other teams to manage specific objects like data stores or VMs.

A common security concept -- least amount of privilege -- means that those user roles only include the rights that users actually require, with no additional rights granted. But there's also a lazy approach to security: assign the administrator role to every user for every object. However, this is leads to excessive privileges and may cause users to exceed their authority or manage things they do not understand.

There is another option for the network team. vSphere allows you to install a third-party virtual switch such as the Cisco Nexus 1000v. Once these switches are in place, the network team can use its standard switch management tools to configure and manage the network without direct access to the vSphere side. This segregates network management and allows the networks team to use familiar tools.

The combination of granular privileges in roles and the ability to assign multiple roles on one object for different groups is very powerful. With a bit of care and some custom roles, you can segregate control with vSphere permissions in exactly the way your business policy requires.

Next Steps

For vCenter security, all-access isn't the answer

VM security permissions for in-house IaaS

Don't let SD label alter network permissions perceptions

This was last published in November 2016

Dig Deeper on Virtualization and private cloud

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

What tools do you use to manage controls of VMs on your virtualized platforms?
Cancel

-ADS BY GOOGLE

SearchWindowsServer

SearchServerVirtualization

SearchCloudComputing

Close