Follow these steps to assign vSphere permissions and roles
Admins can use vSphere permissions to assign VM controls to different IT groups within their enterprise. Follow the networking example below to get started.
The role of permissions in vSphere management is to segregate VM control among different application support teams. A permission is a pairing of a user or group with a role, and it is applied to an object, such as a data store or VM.
To understand how to use vSphere permissions, it's helpful to follow an example. To give the networking team the ability to attach a VM to a port group, for instance, you'll need to create a role and then assign the networking team that role.
Step 1: Create the role
Open the vSphere Web Client and go to the homepage by clicking the house icon at the top, and then click Roles under Administration.
Image 1: The vSphere Web Client homepage.
To create a new role, click the green plus button. Give your role a name. In this example, the name is Connect_Network. Then, assign some privileges to the role. We will only add the Assign network privilege from the network group. Click OK to create your new role.
Image 2: Create a role in vSphere.
Step 2: Assign the role to a group
Switch to an inventory view. In this example, we will use the Networking view. To assign the Admin_Network group the ability to connect VMs to any port group in the Lab data center, right-click the data center and click Add Permission...
Image 3: Add Permissions.
In the Add Permission dialogue, click the Add button at the bottom. In the Select Users/Groups dialogue, find the user or group to which you want to assign the permission -- in this case, the Admin_Network group -- then click Add and OK.
Image 4: Choose a user or group.
Back on the Add Permission screen, select the role we created, Connect_Network, from the drop-down list in the Assigned Role box, and then click OK.
Image 5: Select a role.
Now all members of the Admin_Network group can connect VMs to any port group in the data center. Click the Manage tab and then the Permissions tab to see each user's vSphere permissions. You can see the most recently added permission at the top of this list, along with all of the other permissions.
Image 6: See each user's permissions in the Permissions tab.
vSphere permissions are a little complicated. To change a VM and connect it to a port group, the Admin_Network team must also have the Virtual Machine Settings privilege, so add that privilege to the Connect_Network role.
Image 7: Give the Admin_Network team the Virtual Machine Settings privilege.
You can use the same methods to control which users can put VM disks on data stores or create VMs on particular vSphere clusters. Create the roles you need and assign them to groups for different objects.
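The same two steps can be scripted with VMware PowerCLI, which also makes it easy to check that the role holds nothing beyond the intended privileges. This is an added example, not part of the original article; the vCenter address and the EXAMPLE domain prefix are placeholder assumptions, and it requires the VMware.VimAutomation.Core module.

```powershell
# Added example. Values marked "assumed" are placeholders, not from the article.
param(
    [string]$VCenter   = 'vcenter.example.com',    # assumed vCenter address
    [string]$Principal = 'EXAMPLE\Admin_Network',  # article's group; domain assumed
    [string]$RoleName  = 'Connect_Network',
    [string]$DcName    = 'Lab',
    [string[]]$Wanted  = @('Network.Assign')       # "Assign network" privilege ID
)
$ErrorActionPreference = 'Stop'
Connect-VIServer -Server $VCenter | Out-Null

# Step 1: create the role only if it does not exist, so re-runs are safe.
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege (Get-VIPrivilege -Id $Wanted)
}

# Least-privilege check: vCenter adds System.Anonymous, System.Read and
# System.View to every role; anything beyond those and $Wanted is drift.
$baseline = 'System.Anonymous', 'System.Read', 'System.View'
$extra    = $role.PrivilegeList | Where-Object { $_ -notin ($Wanted + $baseline) }
$missing  = $Wanted | Where-Object { $_ -notin $role.PrivilegeList }
if ($extra -or $missing) {
    throw "Role $RoleName drifted. Extra: $($extra -join ', '); missing: $($missing -join ', ')"
}

# Step 2: pair the group with the role on the data center object.
# Propagation lets the permission reach every port group below it.
$dc = Get-Datacenter -Name $DcName
$existing = Get-VIPermission -Entity $dc -Principal $Principal -ErrorAction SilentlyContinue |
    Where-Object { $_.Role -eq $RoleName -and $_.EntityId -eq $dc.Id }
if (-not $existing) {
    New-VIPermission -Entity $dc -Principal $Principal -Role $role -Propagate $true | Out-Null
}

# Equivalent of the Permissions tab: list what applies to the data center.
Get-VIPermission -Entity $dc |
    Sort-Object Principal |
    Format-Table Principal, Role, Propagate, IsGroup -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

To cover the additional VM settings privilege mentioned above, add its privilege ID to `$Wanted` before the role is created; the drift check then expects it as well.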