Monday, November 14, 2011

VCP5 - Identify common vCenter Server privileges and roles

There are 9 default roles in vSphere - 6 sample roles, and 3 standard.

Default Roles

Role: No Access
Role Type: system
Description of User Capabilities:
  Cannot view or change the assigned object.
  vSphere Client tabs associated with an object appear without content.
  Can be used to revoke permissions that would otherwise be propagated to an object from a parent object.
  Available in ESXi and vCenter Server.

Role: Read Only
Role Type: system
Description of User Capabilities:
  View the state and details about the object.
  View all the tab panels in the vSphere Client except the Console tab. Cannot perform any actions through the menus and toolbars.
  Available on ESXi and vCenter Server.

Role: Administrator
Role Type: system
Description of User Capabilities:
  All privileges for all objects.
  Add, remove, and set access rights and privileges for all the vCenter Server users and all the virtual objects in the vSphere environment.
  Available in ESXi and vCenter Server.
  Note: Users who are in the Active Directory group ESX Admins are automatically assigned the Administrator role.

Role: Virtual Machine Power User
Role Type: sample
Description of User Capabilities:
  A set of privileges to allow the user to interact with and make hardware changes to virtual machines, as well as perform snapshot operations.
  Privileges granted include:
  - All privileges for the scheduled task privileges group.
  - Selected privileges for global items, datastore, and virtual machine privileges groups.
  - No privileges for folder, datacenter, network, host, resource, alarms, sessions, performance, and permissions privileges groups.
  Usually granted on a folder that contains virtual machines or on individual virtual machines.
  Available on vCenter Server.

Role: Virtual Machine User
Role Type: sample
Description of User Capabilities:
  A set of privileges to allow the user to interact with a virtual machine’s console, insert media, and perform power operations. Does not grant privileges to make virtual hardware changes to the virtual machine.
  Privileges granted include:
  - All privileges for the scheduled tasks privileges group.
  - Selected privileges for the global items and virtual machine privileges groups.
  - No privileges for the folder, datacenter, datastore, network, host, resource, alarms, sessions, performance, and permissions privileges groups.
  Usually granted on a folder that contains virtual machines or on individual virtual machines.
  Available on vCenter Server.

Role: Resource Pool Administrator
Role Type: sample
Description of User Capabilities:
  A set of privileges to allow the user to create child resource pools and modify the configuration of the children, but not to modify the resource configuration of the pool or cluster on which the role was granted. Also allows the user to grant permissions to child resource pools, and assign virtual machines to the parent or child resource pools.
  Privileges granted include:
  - All privileges for folder, virtual machine, alarms, and scheduled task privileges groups.
  - Selected privileges for resource and permissions privileges groups.
  - No privileges for datacenter, network, host, sessions, or performance privileges groups.
  Additional privileges must be granted on virtual machines and datastores to allow provisioning of new virtual machines.
  Usually granted on a cluster or resource pool.
  Available on vCenter Server.

Role: Datastore Consumer
Role Type: sample
Description of User Capabilities:
  A set of privileges to allow the user to consume space on the datastores on which this role is granted. To perform a space-consuming operation, such as creating a virtual disk or taking a snapshot, the user must also have the appropriate virtual machine privileges granted for these operations.
  Usually granted on a datastore or a folder of datastores.
  This role is available on vCenter Server.

Role: Network Consumer
Role Type: sample
Description of User Capabilities:
  A set of privileges to allow the user to assign virtual machines or hosts to networks, if the appropriate permissions for the assignment are also granted on the virtual machines or hosts.
  Usually granted on a network or folder of networks.
  Available on vCenter Server.


http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.vsphere.vcenterhost.doc_50/GUID-E1D90120-73EB-4B00-9F89-8650EBE911F7.html
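
The No Access entry above says the role can revoke permissions that would otherwise be propagated from a parent object. The sketch below is an added example, not code from this post or from VMware: a simplified single-user model of that inheritance (group membership is ignored), using a constructed inventory tree and the hypothetical users alice and bob.

```python
# Added example: simplified model of vCenter permission inheritance.
# Inventory, users and role assignments are constructed sample data.

# child -> parent links for a small constructed inventory tree
PARENT = {
    "Datacenter": None,
    "VM-Folder": "Datacenter",
    "Finance-Folder": "VM-Folder",
    "fin-db01": "Finance-Folder",
    "web01": "VM-Folder",
}

# (object, principal) -> (role, propagate_to_children)
PERMISSIONS = {
    ("Datacenter", "alice"): ("Virtual Machine Power User", True),
    ("Finance-Folder", "alice"): ("No Access", True),
    ("Datacenter", "bob"): ("Read Only", False),
}


def effective_role(obj, principal):
    """Return (role, source_object) that applies to principal on obj.

    A permission set directly on the object wins. Otherwise the nearest
    ancestor whose permission is marked to propagate wins. With no match
    the principal has no permission at all on the object.
    """
    node, direct = obj, True
    while node is not None:
        entry = PERMISSIONS.get((node, principal))
        if entry and (direct or entry[1]):
            return entry[0], node
        node, direct = PARENT[node], False
    return None, None


def audit(principal):
    """Map every inventory object to the principal's effective role."""
    return {obj: effective_role(obj, principal)[0] for obj in PARENT}


if __name__ == "__main__":
    for user in ("alice", "bob"):
        for obj, role in audit(user).items():
            print(f"{user:6} {obj:15} {role}")
```

For alice, the No Access permission on Finance-Folder masks the Virtual Machine Power User role inherited from the datacenter; for bob, the non-propagating Read Only permission stops at the datacenter itself.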
