The built-in roles for access to VirtualCenter and the managed objects are okay for many common scenarios, but some situations require additional configuration. In some cases, creating custom roles has been a viable solution. Here is how I created a role that would allow a user only to view a virtual machine’s console.
Create the role and deployment model first
Before permissions are assigned, some thought should be given to user rights and how they would be administered. In most VirtualCenter environments, the permissions would be retrieved from a Windows Active Directory domain. To make that process easier, all permissions should be assigned to VirtualCenter through Windows groups.
To create a role or modify an existing role, select the Administration button within the VMware Infrastructure Client (VI Client). From here, you can create or modify a role for your desired access. If you wanted to allow a user to view a virtual machine's console, for example, you would create a custom role containing just that one permission, as shown below:
Applying the custom roles
The ability to view the console of specified systems can come in handy in certain situations, particularly when normal network access to the guest operating system, such as Remote Desktop or VNC, is not available. The console view-only role is assigned in the VI Client on a per-object basis: the permission can be applied to an ESX host, a resource pool, a datacenter or even an individual virtual machine. Roles are always applied to VirtualCenter objects via the object's Permissions tab.
To make configuration consistent, create a Windows security group with the same name in the Active Directory domain. For my custom role, the Windows group (MSS\VMSpecified-Roles-ConsoleOnly) and the VirtualCenter role (VMSpecified-Roles-ConsoleOnly) are assigned to the object below:
From this point, the clients can log into a locally installed VI Client and connect with the specified permissions. Be careful, however: a user who holds multiple roles has the combined permissions of all of those roles. You can work with some propagation, but singular assignment is the better practice. VMware provides a document fully outlining the roles architecture, available for download from its website.
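The same role creation and single-object assignment, scripted with PowerCLI as an added example (not part of the original post). It assumes an existing Connect-VIServer session, the role and Windows group names from the post, and a placeholder virtual machine name; the standard console-interaction privilege id and the PowerCLI cmdlet names are taken from the vSphere API and PowerCLI, not from the post.

```powershell
# Added example (PowerCLI), not from the original post. Assumes you have already
# run Connect-VIServer against the VirtualCenter server.
$RoleName  = 'VMSpecified-Roles-ConsoleOnly'       # VirtualCenter role name from the post
$Principal = 'MSS\VMSpecified-Roles-ConsoleOnly'   # Windows group from the post
$TargetVM  = 'VM-NAME-PLACEHOLDER'                 # placeholder: the VM the role applies to

# 1. Build the role with the single privilege needed to open a VM console.
#    VirtualMachine.Interact.ConsoleInteract is the vSphere privilege id for that.
$consolePriv = Get-VIPrivilege -Id 'VirtualMachine.Interact.ConsoleInteract'
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege $consolePriv
}

# 2. Verify the role has not been widened beyond console interaction.
#    Every role implicitly carries the System.* privileges, so ignore those.
$extra = Get-VIPrivilege -Role $role |
         Where-Object { $_.Id -notlike 'System.*' -and $_.Id -ne $consolePriv.Id }
if ($extra) {
    throw "Role $RoleName carries unexpected privileges: $($extra.Id -join ', ')"
}

# 3. Assign the role to the Windows group on one object only. -Propagate:$false
#    keeps the assignment singular rather than cascading it to child objects.
$vm = Get-VM -Name $TargetVM
New-VIPermission -Entity $vm -Principal $Principal -Role $role -Propagate:$false

# 4. Review the effective permissions on the object after the change.
Get-VIPermission -Entity $vm | Format-Table Principal, Role, Propagate -AutoSize
```

The privilege check in step 2 is worth re-running periodically, since a role that is later edited in the VI Client silently widens what every group mapped to it can do.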
Audit trail of connections into the VirtualCenter
With this functionality, an auditing requirement is fully justified. Within the VirtualCenter database, you can monitor the authentication log-on and log-off events. A January SearchVMware.com ITKE post has this outlined well.