6.2 Examples of Shared vCenter Server Service Roles
The following table includes some examples of service provider and tenant vCenter Server roles that can be adopted to enforce customized RBAC and delegation of duties within a shared vCenter Server service that requires a wide range of operational administrator duties for tenants.
Table 2. Examples of Shared vCenter Server Service Roles
| vCenter Server Role | Objects Applied to | Propagate | Role Type | Description |
|---|---|---|---|---|
| Tenant Administrator | Data center object or cluster | Yes | Custom Role | This is a custom role that grants the permissions required to manage the tenant's resources. It includes all permissions other than those that affect global roles, data center creation, and vCenter Server configuration. |
| Virtual Machine User | Data center object, folders, VMs | Yes | Sample Role | This is a built-in VMware role that grants the ability to access the console of the VM, attach a floppy/CD to the VM, and power on/off/reboot the VM. |
| Virtual Machine Administrator | Data center object, folders, VMs | Yes | Custom Role | This is a custom role that allows a user total control of a virtual machine or a host, up to and including removing that VM or host. |
| Console User | Folders, VMs | No | Custom Role | This is a custom role that grants users console-only access to a virtual machine. |
Note: It is often quicker to clone an existing role and modify the permissions as opposed to creating a new role and starting from scratch. However, both options exist and are equally valid when implementing a shared vCenter Server RBAC solution.
There are also a few other things to keep in mind when configuring access controls for tenants in vCenter Server. First, if a group is assigned a role, all the users in that group are given those same privileges unless the users already have roles of their own assigned. Second, if a user is directly assigned privileges, those privileges take precedence over the privileges of the group.
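The clone-then-restrict approach from the note above, the non-propagating Console User row of Table 2, and an audit of user-level versus group-level assignments, as an added PowerCLI example that is not part of the original document. It assumes an existing Connect-VIServer session and placeholder names for the tenant folder ("Tenant-A-VMs") and the identity-source group ("CORP\tenant-a-console").

```powershell
# Added example, not from the original document. Assumes an active PowerCLI
# session (Connect-VIServer) and the placeholder folder "Tenant-A-VMs" and
# group "CORP\tenant-a-console".

# 1. Clone the built-in sample role instead of starting from scratch, then
#    keep only the console-interaction privilege for the Console User role.
$sample = Get-VIRole -Name 'Virtual machine user (sample)'
$consolePrivs = Get-VIPrivilege -Role $sample |
    Where-Object { $_.Id -eq 'VirtualMachine.Interact.ConsoleInteract' }
$consoleRole = New-VIRole -Name 'Console User' -Privilege $consolePrivs

# 2. Assign the role on the tenant VM folder with Propagate = No, matching
#    the Console User row of Table 2, so child objects do not inherit it.
$folder = Get-Folder -Name 'Tenant-A-VMs' -Type VM
New-VIPermission -Entity $folder -Principal 'CORP\tenant-a-console' `
    -Role $consoleRole -Propagate:$false | Out-Null

# 3. Audit the folder. Entries with IsGroup = False are direct user
#    assignments, which take precedence over the user's group permissions,
#    so they are the first thing to review when checking delegation of duties.
Get-VIPermission -Entity $folder |
    Select-Object Principal, IsGroup, Role, Propagate |
    Sort-Object IsGroup, Principal |
    Format-Table -AutoSize
```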