
How do I assign vSphere permissions for segregated VM control?

Admins can define vSphere roles to manage user access and control over virtualized platforms. So what are some tips to start that process?

There are various options to set up segregated controls of VMs on virtualized platforms. For example, it's fairly straightforward to devolve networking control to an enterprise networking team. Admins can assign separate vSphere permissions in each of the vSphere inventory views, granting the network team control of just the port groups and distributed switches in the network view. Similarly, admins can devolve control of data stores to the storage team and specific VMs to application support teams. This process around vSphere permissions is done in two steps.

First, you must define a role, which is a collection of privileges, such as the ability to add a network to an ESXi server. vSphere has hundreds of privileges for different types of objects. There are some built-in roles in vSphere, but you will probably need to create your own role for the network team, maybe called Network Admin. It can be tricky to work out the correct privileges for a role, so perform testing in a nonproduction environment first.

Once you have a role, you need to assign it to a group, based on whichever object it needs to manage. This object can be at any level in the vSphere inventory -- from one data center to the entire vCenter. You can assign roles to Active Directory (AD) groups, then use group memberships in AD to control who gets access. For example, you might grant the AD group HQ Network Administrators the role Network Admin for the data center named HQ. Then, that group can manage any network in that data center, but nothing else. In a similar way, you can allow other teams to manage specific objects like data stores or VMs.

A common security concept -- least privilege -- means that those user roles only include the rights that users actually require, with no additional rights granted. But there's also a lazy approach to security: assign the Administrator role to every user for every object. This leads to excessive privileges and may cause users to exceed their authority or manage things they do not understand.
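The two steps above (define a role, then grant it to an AD group on one inventory object) and the least-privilege audit that follows from the previous paragraph, as an added PowerCLI example that is not part of the original article. It assumes an existing Connect-VIServer session, a placeholder AD domain name, and a starting set of networking privilege IDs that should be validated in a nonproduction vCenter first.

```powershell
# Added example (not from the article). Assumes a PowerCLI session already
# connected with Connect-VIServer. Domain name and privilege list are assumptions.
$domain   = "CORP"                          # placeholder AD domain
$roleName = "Network Admin"                 # role name suggested in the article
$groupDn  = "$domain\HQ Network Administrators"
$dcName   = "HQ"

# Step 1: define the role. These privilege IDs are a starting point for a
# network-only role (standard and distributed networking); test them in a
# nonproduction environment before rolling out.
$privIds = @(
    "Network.Assign", "Network.Config", "Network.Delete", "Network.Move",
    "DVSwitch.Create", "DVSwitch.Modify", "DVSwitch.Delete",
    "DVSwitch.PortSetting", "DVSwitch.PolicyOp", "DVSwitch.HostOp",
    "DVPortgroup.Create", "DVPortgroup.Modify", "DVPortgroup.Delete",
    "DVPortgroup.PolicyOp",
    "Host.Config.Network"                   # add or change networking on an ESXi host
)
$privs = Get-VIPrivilege -Id $privIds
if (-not (Get-VIRole -Name $roleName -ErrorAction SilentlyContinue)) {
    New-VIRole -Name $roleName -Privilege $privs | Out-Null
}

# Step 2: grant the role to the AD group on a single object. Propagate lets
# the group manage every network inside the HQ data center and nothing else.
$dc = Get-Datacenter -Name $dcName
New-VIPermission -Entity $dc -Principal $groupDn -Role $roleName -Propagate:$true

# Verify the grant: expect exactly one entry, scoped to the HQ data center.
Get-VIPermission -Principal $groupDn |
    Select-Object Entity, Role, Propagate

# Least-privilege audit: list every principal holding the built-in
# Administrator role ("Admin" in PowerCLI) at the vCenter root, which is
# exactly what the lazy all-access approach produces.
$root = Get-Folder -NoRecursion
Get-VIPermission -Entity $root |
    Where-Object { $_.Role -eq "Admin" } |
    Select-Object Principal, Entity, Propagate
```

Run the audit block on its own periodically; any group in its output other than the platform team itself is a candidate for a narrower custom role.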

There is another option for the network team. vSphere allows you to install a third-party virtual switch such as the Cisco Nexus 1000v. Once these switches are in place, the network team can use its standard switch management tools to configure and manage the network without direct access to the vSphere side. This segregates network management and allows the network team to use familiar tools.

The combination of granular privileges in roles and the ability to assign multiple roles on one object for different groups is very powerful. With a bit of care and some custom roles, you can segregate control with vSphere permissions in exactly the way your business policy requires.
