These are the minimum permissions that a user / group needs in order to
1. First create a user or group that requires these permissions in windows (vCenter uses the local windows or AD users).
2. Then login to vCenter as an administrator.
3. From the top navigation bar, go to Home -> Roles.
4. Right click on the Roles column and click on Add..
5. Create another role called Browse Datastore and set the following Privileges
7. Give the role a name, in this case we'll call it VMUser and set the following Privileges
8. To allow the user / group to connect to vSphere and see the VMs, go to Home > Inventory > Datastores ... and select the datastore where the VMs will be stored.
9. On the Permissions tab, right click and select Add Permission .... Add the user / group and select the role Browse Datastore from the dropdown. Then, click ok.
10. To allow the users deploy VMs, go to Home > Inventory > Hosts and Clusters and select the host or cluster where the user will be allowed to deploy vms.
11. On the Permissions tab, right click and select Add Permission .... Add the user / group and select the role Deploy from the dropdown. Then, click ok.
12. To allow users interact with the VMs, go to Home > Inventory > VMs and Templates and select a folder that contains the templates the user / group wants to deploy.
13. On the Permissions tab, right click and select Add Permission .... Add the user / group and select the role VMUser from the dropdown. Then, click ok.
Try this configuration by opening a new vSphere Vlient and login in as the new user. vSphere client should only show the VMs and templates in the folder that was selected on step 12 and allow a minimal number of operations on both VMs and templates.
To further secure this, it is good to allow the users to deploy VMs only to a resource pool that is memory and CPU constrained.
- Deploy a VM from a template using VMWare vCenter 5.
- Interact with the VM, without being able to change its configuration.
- Delete those VMs.
1. First create a user or group that requires these permissions in windows (vCenter uses the local windows or AD users).
2. Then login to vCenter as an administrator.
3. From the top navigation bar, go to Home -> Roles.
4. Right click on the Roles column and click on Add..
5. Create another role called Browse Datastore and set the following Privileges
- Datastore
- Allocate Space
- Browse Datastore
- Remove File
- Host
- Local operations
- Create virtual machine
- Delete virtual machine
- Resource
- Assign virtual machine to resource pool
- modify resource pool
7. Give the role a name, in this case we'll call it VMUser and set the following Privileges
- Global
- Cancel Task
- Host
- Local operation
- Create virtual machine
- Delete virtual machine
- Scheduled Task (check all)
- Virtual Machine
- Iteraction
- Answer question
- Configure CD media
- Configure floppy media
- Console interaction
- Device connection
- Power off
- Power on
- Reset
- Suspend
- VMWare tools install
- Inventory
- Create from existing
- Remove
- Provisioning
- Deploy template
- State (check all)
8. To allow the user / group to connect to vSphere and see the VMs, go to Home > Inventory > Datastores ... and select the datastore where the VMs will be stored.
9. On the Permissions tab, right click and select Add Permission .... Add the user / group and select the role Browse Datastore from the dropdown. Then, click ok.
10. To allow the users deploy VMs, go to Home > Inventory > Hosts and Clusters and select the host or cluster where the user will be allowed to deploy vms.
11. On the Permissions tab, right click and select Add Permission .... Add the user / group and select the role Deploy from the dropdown. Then, click ok.
12. To allow users interact with the VMs, go to Home > Inventory > VMs and Templates and select a folder that contains the templates the user / group wants to deploy.
13. On the Permissions tab, right click and select Add Permission .... Add the user / group and select the role VMUser from the dropdown. Then, click ok.
Try this configuration by opening a new vSphere Vlient and login in as the new user. vSphere client should only show the VMs and templates in the folder that was selected on step 12 and allow a minimal number of operations on both VMs and templates.
To further secure this, it is good to allow the users to deploy VMs only to a resource pool that is memory and CPU constrained.
Thanks for sharing. Perms configuration in vshepre is extremely cumbersome.
ReplyDeleteThe information given in this article is really informative and amazing.
ReplyDeletehow to assign a machine to a user in VMware
Thanks for sharing! Just one thing I changed for our deployment group was to disable inheritance/propagate = no. While i wanted our user to see the hosts, i did not desire for them to see all the VMs/Folders/ect.
ReplyDelete