How to manage Roles and Permissions in vSphere 6.X environement.
In a VMware vSphere environment, you might want to give certain permissions to users or administrators, who are not a part of the vSphere administrator’s team, to perform specific tasks. For example, you might want to give the administrators of a server the permission to power on and off the server. You don’t want to give these administrators all of the privileges in your environment because then you will lose control over it. There are many privileges you can give to somebody, and you probably want to give only a few. If you assigned privileges to users directly, it would be hard to see who has which privileges.
To begin, you will need to open a PowerCLI and connect to a vCenter server. You will take our folder structure and assign groups of users
from Active Directory to access these resources using predefined roles in VMware vsphere. This assumes that
you have properly configured your
VMware SSO to allow
Active Directory authentication.
You will take an Active Directory group called
IT Admins and delegate access to the entire Primary datacenter. You will take the
Developers group and delegate the operator access to them for the
Developpement folder in vCenter.
1. Predefined Roles
1.1 List predefined roles
Get-VIRole | Select Name, Description
PS C:\Users\JM2K69> Get-VIRole | Select Name, Description Name Description ---- ----------- NoCryptoAdmin Full access without Cryptographic operations privileges NoAccess Used for restricting granted access Anonymous Not logged-in user (cannot be granted) View Visibility access (cannot be granted) ReadOnly See details of objects, but not make changes Admin Full access rights VirtualMachinePowerUser Provides virtual machine interaction and configuration permissions VirtualMachineUser Provides virtual machine interaction permissions ResourcePoolAdministrator Supports delegated resource management VMwareConsolidatedBackupUser Used by the Consolidated Backup utility DatastoreConsumer Assigned to datastores to allow creating disks or snapshots NetworkConsumer Assigned to networks to allow association of virtual machines or hosts with networks VirtualMachineConsoleUser Provides virtual machine console interaction permissions. This role is required for VMRC sessions. Exercise... AutoUpdateUser AutoUpdateUser InventoryService.Tagging.TaggingAdmin InventoryService.Tagging.TaggingAdmin com.vmware.Content.Admin Provides full access to Content Library service
This command list all predefined role in your VMware vSphere Infrastructure.
1.2 Assigned Role to an Active Directory Group
To do this, you will use the
New-VIPermission cmdlet. This cmdlet
requires an Entity where the permission will be applied, a Principal who represents the user or group and the desired role. For the first cmdlet, you will grant the `Admin role on the Root datacenter to our IT Admin group, which has the principal name JM2K69\IT Admin:
New-VIPermission -Entity (Get-Datacenter "Datacenter") -Principal "JM2K69\IT Admins" -Role Admin
1.3 Assigned permission for Developpers Group
Using the same format for another
New-VIPermission cmdlet, you can now grant our Developers group the operator status as
Developpement folder. You will use the Get-Folder cmdlet to set our entity (or location):
New-VIPermission -Entity (Get-Folder "Developpement") -Principal "JM2K69\Developers" -Role VirtualMachineUser
All permissions are grouped by roles. With PowerCli you can list permissions by group.
Get-VIPrivilege | select -Property ParentGroup -Unique
The output of the preceding command is too long
2 Create a custom role
In your vSphere web Client or Html5 web client you can create custom role in the view =>Administration=>Contrôles d’accès=>Rôles
Then you create a new role and you can add permission by Category and by object type.
For the Object type Virtual Machine you have multiple subcategory for the object how to find them with powercli in order to create your custom role.
2.1 Cmdlet Get-VIPrivilege
Get-VIPrivilege offers the possibility to list them.
PS C:\Users\JM2K69> Get-VIPrivilege Name Description Server ---- ----------- ------ Anonymous The only privilege held by sessions which have ... 192.168.0.115 View Visibility without read access to an entity. Th... 192.168.0.115 Read Grants read access to an entity 192.168.0.115 Manage custom attributes Add, remove, and rename custom attribute defini... 192.168.0.115 Set custom attribute Set the value of a custom attribute on an object 192.168.0.115 Log event Log a user-defined event on an object 192.168.0.115 Cancel task Cancel a running task 192.168.0.115 Licenses Manage licenses 192.168.0.115 Diagnostics Export diagnostic data 192.168.0.115 Settings Edit global settings 192.168.0.115 Act as vCenter Server Act as the vCenter Server 192.168.0.115 Capacity planning Discover and convert physical host to virtual m... 192.168.0.115 Script action Schedule an external script action 192.168.0.115 Proxy Add or remove endpoints to or from the proxy 192.168.0.115 Disable methods Operations are disabled in vCenter 192.168.0.115 Enable methods Operations are enabled in vCenter 192.168.0.115 Service managers Access the directory service 192.168.0.115 Health Access the health of vCenter group 192.168.0.115 System tag Add or remove system tag 192.168.0.115 Global tag Add or remove global tag 192.168.0.115 Create folder Create folder 192.168.0.115 Delete folder Delete folder 192.168.0.115 Rename folder Rename folder 192.168.0.115 Move folder Move folder 192.168.0.115 Create datacenter Create a datacenter 192.168.0.115 Remove datacenter Remove a datacenter 192.168.0.115 Rename datacenter Rename a datacenter 192.168.0.115 Move datacenter Move a datacenter 192.168.0.115 Network protocol profile configu... Configure a network protocol profile on a datac... 192.168.0.115 Release IP allocation Release IP allocation on a network protocol pro... 192.168.0.115 Query IP pool allocation Query IP pool allocation on a network protocol ... 192.168.0.115 Reconfigure datacenter Reconfigure a datacenter 192.168.0.115 Rename datastore Rename a datastore 192.168.0.115 Move datastore Move a datastore 192.168.0.115 Remove datastore Remove a datastore from the datacenter 192.168.0.115 .....
The outpout is too long we need to apply some filter, because with this Cmdlets we list all privileges.
2.1.1 List ParentGroupId
All authorizations are grouped, you can list them with this filter
PS C:\Users\JM2K69> Get-VIPrivilege | select -Property ParentGroupid -Unique ParentGroupId ------------- System Global Folder Datacenter Datastore Network DVSwitch DVPortgroup Host.Inventory Host.Hbr Host.Config Host.Local Host.Cim VirtualMachine.Inventory VirtualMachine.Interact VirtualMachine.GuestOperations VirtualMachine.Config VirtualMachine.State VirtualMachine.Hbr VirtualMachine.Provisioning VirtualMachine.Namespace Resource Alarm Task ScheduledTask Sessions Performance Authorization Extension VApp Profile EAM StoragePod Certificate HealthUpdateProvider ExternalStatsProvider .....
The outpout is too long so I cut it.
We can see tha for the
Object VirtualMachine we have eight subcategories.
2.1.2 List Privilege by ParentGroupId
With the Cmdlets
Parameter -Id VirtualMachine.Interact.*, you list all privilege for the interaction with a Virtual Machine .
PS C:\Users\JM2K69> Get-VIPrivilege -Id VirtualMachine.Interact.* Name Description Server ---- ----------- ------ Power on Power on or resume a virtual machine 192.168.0.115 Power off Power off a virtual machine 192.168.0.115 Suspend Suspend a virtual machine 192.168.0.115 Reset Reset (power cycle) a virtual machine 192.168.0.115 Pause or Unpause Pause or unpause a virtual machine 192.168.0.115 Answer question Answer a virtual machine run-time question 192.168.0.115 Console interaction Interact with the virtual machine console 192.168.0.115 Connect devices Connect/disconnect media and network devices 192.168.0.115 Configure CD media Configure a different media for virtual CD-ROMs 192.168.0.115 Configure floppy media Configure a different media for virtual floppies 192.168.0.115 Install VMware Tools Install VMware Tools (or mount/unmount the tool... 192.168.0.115 Guest operating system managemen... Perform management operations within the guest ... 192.168.0.115 Defragment all disks Defragment all disks on the virtual machine 192.168.0.115 Turn on Fault Tolerance Turn on Fault Tolerance for this virtual machine 192.168.0.115 Turn off Fault Tolerance Turn off Fault Tolerance for this virtual machine 192.168.0.115 Test failover Make the Secondary VM the Primary VM 192.168.0.115 Test restart Secondary VM Terminate the Secondary VM 192.168.0.115 Suspend Fault Tolerance Suspend Fault Tolerance for this virtual machine 192.168.0.115 Resume Fault Tolerance Resume Fault Tolerance for this virtual machine 192.168.0.115 Record session on virtual machine Record session on a virtual machine 192.168.0.115 Replay session on virtual machine Replay session on a virtual machine 192.168.0.115 Backup operation on virtual machine Backup operations on a virtual machine 192.168.0.115 Create screenshot Create a screenshot 192.168.0.115 Inject USB HID scan codes Inject a sequence of USB HID scan codes into th... 192.168.0.115 Perform wipe or shrink operations Perform wipe or shrink operations on Flex-SE disks 192.168.0.115 Drag and drop Drag files between a virtual machine and a remo... 192.168.0.115
2.2 Create the role
For example, if you want to create custom role named
JM2K69_Role with privileges to power on/off the virtual machine, add new disk, and configure advanced settings then the PowerCLI command used to create this custom vCenter Server role would look like this
New-VIRole -Name “JM2K69_Role” -Privilege (Get-VIPrivilege -Id VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.PowerOff,VirtualMachine.Config.AddNewDisk,VirtualMachine.Config.AdvancedConfig)
The outpout will be
PS C:\Users\JM2K69> New-VIRole -Name “JM2K69_Role” -Privilege (Get-VIPrivilege -Id VirtualMachine.Interact.PowerOn,VirtualMachine.Interact.PowerOff,Virtual Machine.Config.AddNewDisk,VirtualMachine.Config.AdvancedConfig) Name IsSystem ---- -------- JM2K69_Role False
And with PowerCLI …
PS C:\Users\JM2K69> Get-VIRole Name IsSystem ---- -------- NoCryptoAdmin True NoAccess True Anonymous True View True ReadOnly True Admin True VirtualMachinePowerUser False VirtualMachineUser False ResourcePoolAdministrator False VMwareConsolidatedBack... False DatastoreConsumer False NetworkConsumer False VirtualMachineConsoleUser False AutoUpdateUser False InventoryService.Taggi... False JM2K69_Role False com.vmware.Content.Admin False
With hundreds of privileges packaged with vCenter, it can be daunting to try and create custom roles. Some privileges that might not be obviously required can prevent a custom role from having the desired access. One suggestion is to take an existing or default role and then work from its privilege set to alter it for your uses. This can easily be done by retrieving an existing privilege set and storing them in a variable. Then you can pass this existing list of privileges into your new custom VIRole.
Written by Jérôme Bezet-Torres @JM2K69.