Virtualization Pro

Apr 24 2008   3:11PM GMT

VirtualCenter custom roles for delegated access

Rick Vanover

The built-in roles for access to VirtualCenter and its managed objects are adequate for many common scenarios, but some situations require additional configuration. In those cases, creating a custom role has been a viable solution. Here is how I created a role that allows a user only to view a virtual machine’s console.

Create the role and deployment model first

Before permissions are assigned, some thought should be given to user rights and how they would be administered. In most VirtualCenter environments, the permissions would be retrieved from a Windows Active Directory domain. To make that process easier, all permissions should be assigned to VirtualCenter through Windows groups.

To create a role or modify an existing one, select the Administration button within the VMware Infrastructure Client (VI Client). From there, you can create or modify a role for the desired access. If you wanted to allow a user only to view a virtual machine’s console, for example, you would create a custom role with the permission shown below:

Figure 1 - Role creation

Applying the custom roles

The ability to view the console of specified systems can come in handy in certain situations, particularly when normal network connectivity to the guest operating system (remote desktop, VNC and the like) is not available. A console view-only role is assigned in the VI Client on a per-object basis: you can grant the console-only permission on an ESX host, a resource pool, a data center or even an individual virtual machine. Roles are always applied to objects in VirtualCenter via the Permissions tab of the object.

To make configuration consistent, create a Windows security group with the same name in the Active Directory domain. For my custom role, the Windows group (MSS\VMSpecified-Roles-ConsoleOnly) and the VirtualCenter role (VMSpecified-Roles-ConsoleOnly) are assigned to the object below:

Figure 2 - Group assignment to a role

From this point, clients can log in with a locally installed VI Client and connect with the specified permissions. Be careful, however: a user name that holds multiple roles has the permissions of the combined roles. You can work with some propagation, but singular assignment is the better practice. VMware provides a document fully outlining the roles architecture, available for download from its website.
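To make the "combined roles" caveat and propagation concrete, here is a small Python model of how a user's effective privileges on an inventory object come together. It is an added illustration, not VMware code or the post's own material: it models only what the post describes (roles assigned to Windows groups on a per-object basis, optional propagation down the inventory tree, and a user who is in several groups receiving the combined privileges of those roles). The inventory tree, the `MSS\VM-Power-Ops` group, the `VM-Power-Ops` role and the privilege identifiers are constructed samples; only `MSS\VMSpecified-Roles-ConsoleOnly` comes from the post. Real VirtualCenter applies further precedence rules (a permission set directly on an object overrides one propagated from a parent) that this model omits, which is one reason singular assignment is easier to reason about.

```python
"""
Simplified model of how VirtualCenter resolves a user's effective privileges
on an inventory object.  Added illustration, not VMware code: it models only
roles assigned to Windows groups per object, propagation down the tree, and
the union of privileges for a user who is in several groups.  Inventory,
extra group/role names and privilege identifiers are constructed samples.
"""
from dataclasses import dataclass

# Constructed inventory: object -> parent object (None for the root).
PARENT = {
    "Datacenter-Ohio": None,
    "Cluster-Prod": "Datacenter-Ohio",
    "esx01": "Cluster-Prod",
    "vm-web01": "esx01",
    "vm-db01": "esx01",
}

# Roles as privilege sets.  "VMSpecified-Roles-ConsoleOnly" is the post's
# role; the privilege strings are illustrative, not VMware's exact identifiers.
ROLES = {
    "Read-only": {"System.View", "System.Read"},
    "VMSpecified-Roles-ConsoleOnly": {
        "System.View", "System.Read", "VirtualMachine.Interact.Console",
    },
    "VM-Power-Ops": {
        "System.View", "System.Read",
        "VirtualMachine.Interact.PowerOn", "VirtualMachine.Interact.PowerOff",
    },
}

CONSOLE_GROUP = "MSS\\VMSpecified-Roles-ConsoleOnly"   # group named in the post
POWER_GROUP = "MSS\\VM-Power-Ops"                      # constructed group


@dataclass(frozen=True)
class Permission:
    obj: str          # inventory object the role is assigned on
    principal: str    # Windows group the role is assigned to
    role: str
    propagate: bool   # also apply to child objects


# Constructed assignments: console view on everything under esx01
# (propagated), power operations on vm-db01 only (not propagated).
SAMPLE_PERMISSIONS = [
    Permission("esx01", CONSOLE_GROUP, "VMSpecified-Roles-ConsoleOnly", True),
    Permission("vm-db01", POWER_GROUP, "VM-Power-Ops", False),
]


def effective_privileges(obj, groups, permissions=SAMPLE_PERMISSIONS):
    """Union of the privileges of every role that applies to `obj` for a user
    who belongs to `groups`: roles assigned on the object itself, plus roles
    assigned on an ancestor with propagate=True."""
    privs = set()
    node, on_object = obj, True
    while node is not None:
        for p in permissions:
            if p.obj == node and p.principal in groups and (on_object or p.propagate):
                privs |= ROLES[p.role]
        node, on_object = PARENT[node], False
    return privs


def can(obj, groups, privilege, permissions=SAMPLE_PERMISSIONS):
    """True if a member of `groups` holds `privilege` on `obj`."""
    return privilege in effective_privileges(obj, groups, permissions)


if __name__ == "__main__":
    console_only = {CONSOLE_GROUP}
    both = {CONSOLE_GROUP, POWER_GROUP}
    for obj in PARENT:
        print(f"{obj:16} console-only group: {sorted(effective_privileges(obj, console_only))}")
    # A user in both groups gets the combined roles on vm-db01.
    print("both groups on vm-db01:", sorted(effective_privileges("vm-db01", both)))
```

Running it shows the console-only group getting nothing on the cluster or data center (propagation flows downward only), the console privilege on the host and both VMs, and a user in both groups holding the union of console and power privileges on vm-db01.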

Audit trail of connections into the VirtualCenter

With this functionality, an auditing requirement is fully justified. Within the VirtualCenter database, you can monitor the authentication log-on and log-off events. A January ITKE post has this outlined well.
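As an added example of the kind of review the audit requirement calls for (not code from the post), the following Python reconstructs user sessions from VirtualCenter login and logout events and flags logins that were never closed. The event type names `UserLoginSessionEvent` and `UserLogoutSessionEvent` are the VI API's; the rows below are constructed sample data, and the column layout (timestamp, user, event type, session id) is an assumption for the example rather than the VirtualCenter database schema.

```python
"""
Pair VirtualCenter login/logout events into sessions for audit review.
Added example, not from the post.  Event type names are the VI API's
UserLoginSessionEvent / UserLogoutSessionEvent; the rows and the column
layout are constructed for the example, not a real database export.
"""
from datetime import datetime

# Constructed sample rows: (timestamp, user, event type, session id).
SAMPLE_EVENTS = [
    ("2008-04-24 08:02:11", "MSS\\rvanover",  "UserLoginSessionEvent",  "s1"),
    ("2008-04-24 08:05:40", "MSS\\helpdesk1", "UserLoginSessionEvent",  "s2"),
    ("2008-04-24 09:10:02", "MSS\\rvanover",  "UserLogoutSessionEvent", "s1"),
    ("2008-04-24 13:00:00", "MSS\\helpdesk1", "UserLoginSessionEvent",  "s3"),
    ("2008-04-24 13:15:00", "MSS\\helpdesk1", "UserLogoutSessionEvent", "s3"),
    ("2008-04-24 14:00:00", "MSS\\unknown",   "UserLogoutSessionEvent", "s9"),
]

FMT = "%Y-%m-%d %H:%M:%S"


def build_sessions(events):
    """Return (closed, still_open, orphan_logouts).

    closed:          list of (user, login_time, logout_time, seconds)
    still_open:      list of (user, login_time) with no matching logout
    orphan_logouts:  list of (user, logout_time) with no matching login,
                     i.e. a gap in the audit trail worth investigating
    """
    open_sessions = {}   # session id -> (user, login time)
    closed, orphans = [], []
    for ts, user, etype, sid in sorted(events, key=lambda e: e[0]):
        t = datetime.strptime(ts, FMT)
        if etype == "UserLoginSessionEvent":
            open_sessions[sid] = (user, t)
        elif etype == "UserLogoutSessionEvent":
            start = open_sessions.pop(sid, None)
            if start is None:
                orphans.append((user, t))
            else:
                closed.append((start[0], start[1], t, int((t - start[1]).total_seconds())))
    still_open = sorted(open_sessions.values(), key=lambda s: s[1])
    return closed, still_open, orphans


def sessions_for_user(user, events=SAMPLE_EVENTS):
    """Closed session durations (seconds) for one user, oldest first."""
    closed, _, _ = build_sessions(events)
    return [s[3] for s in closed if s[0] == user]


if __name__ == "__main__":
    closed, still_open, orphans = build_sessions(SAMPLE_EVENTS)
    for user, start, end, secs in closed:
        print(f"{user:16} {start} -> {end}  ({secs} s)")
    for user, start in still_open:
        print(f"OPEN    {user:16} logged in {start}, no logout recorded")
    for user, end in orphans:
        print(f"ORPHAN  {user:16} logout at {end} without a matching login")
```

The session id is what makes the pairing exact; pairing on user name alone is ambiguous as soon as a user opens two VI Client sessions, which is exactly the situation the "still open" list is meant to surface.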
