Objective 1.1 – Configure and Administer Role-based Access Control
So, as promised, starting with Section 1, here are resource links and guides working through the vSphere VCP6.5-DCV Certification Blueprint.
Happy revision!
VCP6.5 Certification Blueprint
Objective 1.1 – Configure and Administer Role-based Access Control
Compare and contrast propagated and explicit permission assignments
The permission model for vCenter Server systems relies on assigning permissions to objects in the vSphere object hierarchy. Each permission gives one user or group a set of privileges, that is, a role for the selected object.
Permissions
Each object in the vCenter Server object hierarchy has associated permissions. Each permission specifies for one group or user which privileges that group or user has on the object.
Users and Groups
On vCenter Server systems, you can assign privileges only to authenticated users or groups of authenticated users. Users are authenticated through vCenter Single Sign-On. The users and groups must be defined in the identity source that vCenter Single Sign-On is using to authenticate. Define users and groups using the tools in your identity source, for example, Active Directory.
Privileges
Privileges are fine-grained access controls. You can group privileges into roles, which you can then map to users or groups.
Roles
Roles are sets of privileges. Roles allow you to assign permissions on an object based on a typical set of tasks that users perform. Default roles, such as Administrator, are predefined on vCenter Server and cannot be changed. Other roles, such as Resource Pool Administrator, are predefined sample roles. You can create custom roles either from scratch or by cloning and modifying sample roles.
View/Sort/Export user and group lists
User lists can be exported via the export button in the bottom right of the Users and Groups page, located under Administration > SSO.
Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
To add, modify, or remove a permission for a user or group on a vCenter inventory object, select the object in the inventory, click Manage, and then click Permissions; from there you can add, edit, and remove permissions.
Determine how permissions are applied and inherited in vCenter Server
Hierarchical Inheritance of Permissions
When you assign a permission to an object, you can choose whether the permission propagates down the object hierarchy. You set propagation for each permission. Propagation is not universally applied. Permissions defined for a child object always override the permissions that are propagated from parent objects.
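As an added illustration of the propagation rules above (example code written for this post, not VMware's or the original author's): a small Python model of how vCenter resolves a principal's effective role on an object, using a constructed inventory and hypothetical user and object names. It models only the rules stated here (an explicit permission on the object wins, otherwise the nearest propagating ancestor permission applies, otherwise No Access) and deliberately leaves out group membership and user-versus-group precedence.

```python
from dataclasses import dataclass, field

NO_ACCESS = "No Access"  # vCenter's default role when no permission matches

@dataclass(frozen=True)
class Permission:
    principal: str   # user or group name
    role: str        # role name, e.g. "Administrator" or "Read Only"
    propagate: bool  # whether the permission flows down to child objects

@dataclass
class InventoryObject:
    name: str
    parent: "InventoryObject | None" = None
    permissions: list = field(default_factory=list)

def effective_role(obj: InventoryObject, principal: str) -> str:
    """Resolve the role `principal` holds on `obj` using the page's rules:
    a permission set directly on the object wins (propagating or not);
    otherwise the nearest ancestor permission with propagate=True applies;
    with no match at all the default No Access applies.
    Group membership and user-vs-group precedence are not modelled."""
    node, depth = obj, 0
    while node is not None:
        for perm in node.permissions:
            if perm.principal == principal and (depth == 0 or perm.propagate):
                return perm.role
        node, depth = node.parent, depth + 1
    return NO_ACCESS

def build_sample_inventory() -> dict:
    """Constructed hierarchy and permissions (hypothetical names, not a real vCenter)."""
    root = InventoryObject("vCenter")
    dc1 = InventoryObject("DC1", root)
    prod = InventoryObject("Prod", dc1)
    web01 = InventoryObject("web01", prod)
    dev01 = InventoryObject("dev01", dc1)
    root.permissions.append(Permission("alice", "Administrator", True))  # propagates to all
    dc1.permissions.append(Permission("bob", "Read Only", True))         # propagates below DC1
    dc1.permissions.append(Permission("carol", "Administrator", False))  # explicit, DC1 only
    prod.permissions.append(Permission("bob", "Virtual Machine Administrator", True))
    web01.permissions.append(Permission("bob", NO_ACCESS, False))        # child override
    return {o.name: o for o in (root, dc1, prod, web01, dev01)}

if __name__ == "__main__":
    inv = build_sample_inventory()
    for who in ("alice", "bob", "carol", "dave"):
        print(who, {name: effective_role(o, who) for name, o in inv.items()})
```

Note how bob's explicit No Access on web01 beats the Virtual Machine Administrator role propagated from the Prod folder, and carol's non-propagating Administrator on DC1 gives her nothing on the VMs beneath it.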
Create/Clone/Edit vCenter Server Roles
Create a Custom Role
You can create vCenter Server custom roles to suit the access control needs of your environment.
If you create or edit a role on a vCenter Server system that is part of the same vCenter Single Sign-On domain as other vCenter Server systems, the VMware Directory Service (vmdir) propagates the changes that you make to all other vCenter Server systems in the group. Assignments of roles to specific users and objects are not shared across vCenter Server systems.
- Log in to vCenter Server with the vSphere Web Client.
- Select Home, click Administration, and click Roles.
- Click the Create role action.
- Type a name for the new role.
- Select privileges for the role and click OK.
Clone a Role
You can make a copy of an existing role, rename it, and edit it. When you make a copy, the new role is not applied to any users or groups and objects. You must assign the role to users or groups and objects.
If you create or edit a role on a vCenter Server system that is part of the same vCenter Single Sign-On domain as other vCenter Server systems, the VMware Directory Service (vmdir) propagates the changes that you make to all other vCenter Server systems in the group. Assignments of roles to specific users and objects are not shared across vCenter Server systems.
- Log in to vCenter Server with the vSphere Web Client.
- Select Home, click Administration, and click Roles.
- Select a role, and click the Clone role action icon.
- Type a name for the cloned role.
- Select or deselect privileges for the role and click OK.
Edit a Role
When you edit a role, you can change the privileges selected for that role. When completed, these privileges are applied to any user or group that is assigned the edited role.
If you create or edit a role on a vCenter Server system that is part of the same vCenter Single Sign-On domain as other vCenter Server systems, the VMware Directory Service (vmdir) propagates the changes that you make to all other vCenter Server systems in the group. Assignments of roles to specific users and objects are not shared across vCenter Server systems.
- Log in to vCenter Server with the vSphere Web Client.
- Select Home, click Administration, and click Roles.
- Select a role and click the Edit role action.
- Select or deselect privileges for the role and click OK.
Configure VMware Identity Sources
When a user logs in with just a user name, vCenter Single Sign-On checks in the default identity source whether that user can authenticate. When a user logs in and includes the domain name in the login screen, vCenter Single Sign-On checks the specified domain if that domain has been added as an identity source. You can add identity sources, remove identity sources, and change the default.
You configure vCenter Single Sign-On from the vSphere Web Client or the Platform Services Controller Web interface. To configure vCenter Single Sign-On, you must have vCenter Single Sign-On administrator privileges. Having vCenter Single Sign-On administrator privileges is different from having the Administrator role on vCenter Server or ESXi. In a new installation, only the vCenter Single Sign-On administrator (administrator@vsphere.local by default) can authenticate to vCenter Single Sign-On.
Users can log in to vCenter Server only if they are in a domain that has been added as a vCenter Single Sign-On identity source. vCenter Single Sign-On administrator users can add identity sources from the vSphere Web Client or the Platform Services Controller interface.
An identity source can be a native Active Directory (Integrated Windows Authentication) domain or an OpenLDAP directory service. For backward compatibility, Active Directory as an LDAP Server is also available.
Immediately after installation, the following default identity sources and users are available:
Local OS
All local operating system users. If you are upgrading, those local OS users who can already authenticate can continue to authenticate. Using the local OS identity source does not make sense in environments that use an embedded Platform Services Controller.
vsphere.local
Contains the vCenter Single Sign-On internal users.
To configure a new identity source:
- From a Web browser, connect to the vSphere Web Client or the Platform Services Controller.
- Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
- If you specified a different domain during installation, log in as administrator@mydomain.
- Navigate to the vCenter Single Sign-On configuration UI.
- On the Identity Sources tab, click the Add Identity Source icon.
- Select the identity source type and enter the identity source settings.
- Click OK.
Note: If the user account is locked or disabled, authentications and group and user searches in the Active Directory domain fail. The user account must have read-only access over the User and Group OU, and must be able to read user and group attributes. Active Directory provides this access by default. Use a special service user for improved security.
If you configured an Active Directory as an LDAP Server or an OpenLDAP identity source, click Test Connection to ensure that you can connect to the identity source.
When an identity source is added, all users can be authenticated but have the No Access role. A user with the vCenter Server Modify permissions privilege can give users or groups of users privileges that enable them to log in to vCenter Server and view and manage objects.
Apply a role to a User/Group and to an object or group of objects
A role is a predefined set of privileges. Privileges define rights to perform actions and read properties. For example, the Virtual Machine Administrator role allows a user to read and change virtual machine attributes.
When you assign permissions, you pair a user or group with a role and associate that pairing with an inventory object. A single user or group can have different roles for different objects in the inventory.
vCenter Server provides system roles and sample roles by default.
System roles
System roles are permanent. You cannot edit the privileges associated with these roles.
Sample roles
VMware provides sample roles for certain frequently performed combinations of tasks. You can clone, modify, or remove these roles.
Change permission validation settings
vCenter Server systems that use a directory service regularly validate users and groups against the user directory domain. Validation occurs at regular intervals specified in the vCenter Server settings:
- Browse to the vCenter Server system in the vSphere Web Client object navigator.
- Select Configure and click General under Settings.
- Click Edit and select User directory.
- Change the values as needed.
Options are:
User directory timeout
Timeout interval, in seconds, for connecting to the Active Directory server. This value specifies the maximum amount of time vCenter Server allows a search to run on the selected domain. Searching large domains can take a long time.
Query limit
Select the check box to set a maximum number of users and groups that vCenter Server displays.
Query limit size
Maximum number of users and groups from the selected domain that vCenter Server displays in the Select Users or Groups dialog box. If you enter 0 (zero), all users and groups appear.
Validation
Deselect the check box to disable validation.
Validation Period
Specifies how often vCenter Server validates permissions, in minutes.
Determine the appropriate set of privileges for common tasks in vCenter Server
Chapter 11 of the Security guide contains in-depth information and sample permission configurations:
https://docs.vmware.com/en/VMware-vSphere/6.5/vsphere-esxi-vcenter-server-65-security-guide.pdf
Compare and contrast default system/sample roles
vCenter Server provides system roles and sample roles by default.
System roles
System roles are permanent. You cannot edit the privileges associated with these roles.
The default roles are organized as a hierarchy. Each role inherits the privileges of the previous role. For example, the Administrator role inherits the privileges of the Read Only role. Roles that you create do not inherit privileges from any of the system roles.
Administrator Role
Users with the Administrator role for an object are allowed to view and perform all actions on the object. This role also includes all privileges inherent in the Read Only role. If you are acting in the Administrator role on an object, you can assign privileges to individual users and groups. If you are acting in the Administrator role in vCenter Server, you can assign privileges to users and groups in the default vCenter Single Sign-On identity source. Supported identity services include Windows Active Directory and OpenLDAP 2.4.
By default, the administrator@vsphere.local user has the Administrator role on both vCenter Single Sign-On and vCenter Server after installation. That user can then associate other users with the Administrator role on vCenter Server.
No Cryptography Administrator Role
Users with the No cryptography administrator role for an object have the same privileges as users with the Administrator role, except for Cryptographic operations privileges. This role allows administrators to designate other administrators that cannot encrypt or decrypt virtual machines or access encrypted data, but that can perform all other administrative tasks.
No Access Role
Users with the No Access role for an object cannot view or change the object in any way. New users and groups are assigned this role by default. You can change the role on an object-by-object basis.
The administrator of the vCenter Single Sign-On domain, administrator@vsphere.local by default, the root user, and vpxuser are assigned the Administrator role by default. Other users are assigned the No Access role by default.
Read Only Role
Users with the Read Only role for an object are allowed to view the state of the object and details about the object. For example, users with this role can view virtual machine, host, and resource pool attributes but cannot view the remote console for a host. All actions through the menus and toolbars are disallowed.
Sample roles
VMware provides sample roles for certain frequently performed combinations of tasks. You can clone, modify, or remove these roles.
Determine the correct permissions needed to integrate vCenter Server with other VMware products
Chapter 11 of the Security guide contains in-depth information and sample permission configurations:
https://docs.vmware.com/en/VMware-vSphere/6.5/vsphere-esxi-vcenter-server-65-security-guide.pdf