vCenter Server Cloud Provider Use Cases and Architectures : Understanding vCenter Server Role-Based Access Control
   
Understanding vCenter Server Role-Based Access Control
One key service design consideration in a shared vCenter Server environment is determining who can use vCenter Server, and what tasks those tenant users are authorized to perform. vCenter Server has a built-in role-based access control mechanism for tenant access and authorization.
RBAC is the security mechanism that can greatly lower the cost and complexity of shared vCenter Server security administration. RBAC simplifies security operations by using roles, hierarchies, and constraints to organize privileges. vCenter Server offers flexible role-based access control to define the roles and privileges for different tenant administrators within the vCenter Server environment.
Roles and privileges in the vCenter Server system can easily be modified and new roles quickly created. Service provider administrators can focus on defining policies needed by their tenants to provision compute infrastructure and network connectivity while provider and tenant collaborate on strategic architectural and security issues. Meanwhile, the implementation of basic server configuration can be automated.
Figure 16. Role-Based Access Control Architecture
 
vCenter Server provides centralized authentication and authorization services at many different levels within its inventory, using user and group rights with roles and privileges. vCenter Server features five main components for managing RBAC. Key concepts in this system are described in the following figure.
Figure 17. Key Role-Based Access Control Concepts
 
If proper role-based access controls are not in place within a shared vCenter Server environment, virtual machines will be vulnerable, because any user with access to the vSphere client can delete or modify the guest operating systems or make changes to other inventory objects, like folders, resource pools, and datastores.
vCenter Server ships with predefined roles, and you can also create custom roles that include or exclude any vCenter Server privilege to meet your specific service design and operational needs. The predefined roles determine what actions a user or group is allowed to take across the vCenter Server nodes in the infrastructure (where a single SSO authentication domain exists) or, potentially, directly on VMware ESXi™ hosts, depending on whether the hypervisors are domain joined. Some roles carry one or more privileges, while others carry none at all.
Three of the predefined roles are permanent, meaning that you cannot change the privileges associated with them. These permanent roles are available both on a standalone ESXi host and in a vCenter Server system. The remaining predefined roles are sample roles that can be modified as needed. Note that since the release of ESXi 5.1, creating custom local groups directly on the host is not supported.
 
The following table describes the predefined roles.
Table 1. Predefined Roles
Role | Role Type | Description
No Access | Permanent | The role assigned to new users and groups. Prevents a user or group from viewing or making changes to an object.
Read-Only | Permanent | Allows users to check the state of an object or view its details, but not make changes to it.
Administrator | Permanent | Gives a user complete access to all of the objects on the server. At least one user must hold administrative permissions.
Virtual Machine Power User | Sample Role | Grants a user access rights to virtual machines only. The user can alter the virtual hardware or create snapshots of the VM.
Virtual Machine User | Sample Role | Grants a user access rights to VMs only. The user can power on, power off, and reset the virtual machine, as well as run media from the virtual discs.
Resource Pool Administrator | Sample Role | Allows the user to create resource pools (RAM and CPU reserved for use) and assign these pools to virtual machines.
VMware Consolidated Backup User | Sample Role | Required to allow VMware Consolidated Backup to run (legacy role).
Datastore Consumer | Sample Role | Allows the user to consume space on a datastore.
Network Consumer | Sample Role | Allows the user to assign a network to a virtual machine or a host.
 
Note: When you assign a user permission to manage only a specific VM, that user will see only the data center object and that VM when they log in to vCenter Server (unless permissions have been explicitly applied at a higher level). They will not see any other VMs, the ESXi host on which the VM runs, clusters, resource pools, and so on.
 
Figure 18. vCenter Server Default Roles
 
The privileges assigned to a predefined role are more comprehensive than described in the previous table, so if you want to know exactly what permissions a role provides to a user, you can view the selected privileges when assigning the role to a user or group.
vCenter Server propagates a permission to child objects by default. For example, if a user has been given read-only rights on a folder, that user also has read-only rights on all of its sub-folders. You can disable this behavior by selecting do not propagate when assigning roles.
You can change the privileges associated with the predefined sample roles. Before editing a role, however, VMware recommends that you clone it first so that the default sample roles remain available for future use. It is a simple task to clone or create a new set of customized roles that map specifically to the requirements of the service provider. For example, you can create a custom role that gives a particular user only the privileges needed to reboot virtual machines. Additional examples of custom roles are described in Section 6.2, Examples of Shared vCenter Server Service Roles.
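The propagation and custom-role behavior described above, as an added example that is not part of the original document and not vCenter Server's own code: a simplified offline model of the inventory tree in which the closest permission assignment wins and an ancestor's assignment applies only when it propagates. The privilege sets, the "Tenant VM Reboot" role, the TENANT\ops principal and the inventory objects are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
# Constructed, abbreviated privilege sets; real vCenter roles carry far more.
ROLES: Dict[str, Set[str]] = {
    "No Access": set(),
    "Read-Only": {"System.View", "System.Read"},
    "Virtual Machine Power User": {
        "System.View", "System.Read", "VirtualMachine.Interact.PowerOn",
        "VirtualMachine.Interact.PowerOff", "VirtualMachine.Interact.Reset",
        "VirtualMachine.State.CreateSnapshot", "VirtualMachine.Config.Memory",
    },
}

def clone_role(source: str, new_name: str, drop: Set[str] = frozenset()) -> str:
    """Clone a sample role, leaving the original intact, then trim it to least privilege."""
    ROLES[new_name] = set(ROLES[source]) - drop
    return new_name

@dataclass
class Obj:
    name: str
    parent: Optional["Obj"] = None
    perms: Dict[str, Tuple[str, bool]] = field(default_factory=dict)  # principal -> (role, propagate)

def effective_role(obj: Obj, principal: str) -> str:
    """Closest assignment wins; an ancestor's assignment applies only if it propagates."""
    node, depth = obj, 0
    while node is not None:
        if principal in node.perms:
            role, propagate = node.perms[principal]
            if depth == 0 or propagate:
                return role
        node, depth = node.parent, depth + 1
    return "No Access"  # nobody gets anything without an explicit assignment

def allowed(obj: Obj, principal: str, privilege: str) -> bool:
    return privilege in ROLES[effective_role(obj, principal)]

def build_demo() -> Dict[str, Obj]:
    """Constructed inventory: one datacenter, one tenant folder, two tenant VMs."""
    dc = Obj("Datacenter")
    folder = Obj("Tenant-A", dc)
    web = Obj("tenant-a-web01", folder)
    db = Obj("tenant-a-db01", folder)
    reboot = clone_role("Virtual Machine Power User", "Tenant VM Reboot",
                        drop={"VirtualMachine.State.CreateSnapshot", "VirtualMachine.Config.Memory"})
    folder.perms["TENANT\\ops"] = ("Read-Only", True)  # propagates to both VMs
    web.perms["TENANT\\ops"] = (reboot, False)        # overrides the folder grant on this VM only
    return {o.name: o for o in (dc, folder, web, db)}
```

Flipping the folder assignment to non-propagating leaves tenant-a-db01 with No Access, which is the effect of choosing do not propagate on a folder that was carrying the tenant's read rights.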