vCenter 6.x permission settings and inheritance


Article ID: 322860


Products

VMware vCenter Server

Issue/Introduction

This article expands on the technical publications article "Hierarchical Inheritance of Permissions".

Symptoms:
This article explains how permission inheritance works on various objects and how it is propagated.

Environment

VMware vCenter Server 6.5.x
VMware vCenter Server 6.7.x
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server Appliance 6.7.x

Resolution

This article describes how permissions take effect when different roles are applied to different objects in the vCenter inventory.
To manage different objects with different sets of roles, the inventory hierarchy needs to be understood.

For example: 

If a user is assigned 2 roles, the administrative role on the vCenter object and limited access at the cluster level, the permissions on the child objects in the cluster will be a union of both roles assigned to the user.

The same user can be managed and given the appropriate permissions if the role is applied at the Datacenter level.

In this example, Datacenter is the parent and vCenter is the grandparent. 

Objects within a cluster, such as resource pools and virtual machines, also inherit permissions from alternate parents such as the host folder and the VM folder.

Note:
If a role is applied to a virtual machine, which is the ultimate object in the inventory, it will take effect regardless of other roles applied, but the role should be added to the vCenter permissions.
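
The example and the note above can be worked through with a small model of the inventory, added here as an illustration; it is not VMware code and does not call any vSphere API. The inventory, role names and privilege labels are constructed, and the model assumes that every assignment propagates and that the nearest assignment on a parent chain replaces anything defined higher on that chain.

```python
# Constructed inventory: each object maps to its parents. A VM has two parent
# chains (VM folder and resource pool), as the article describes.
PARENTS = {
    "vCenter": [],
    "Datacenter": ["vCenter"],
    "VM folder": ["Datacenter"],
    "Host folder": ["Datacenter"],
    "Cluster": ["Host folder"],
    "Resource pool": ["Cluster"],
    "VM": ["VM folder", "Resource pool"],
}

# Constructed roles; the privilege labels are illustrative, not vSphere privilege IDs.
ROLES = {
    "Administrator": {"view", "power", "reconfigure", "delete"},
    "Limited": {"view", "power"},
    "ReadOnly": {"view"},
}


def effective(obj, assignments):
    """Privileges one user holds on obj; assignments maps object -> role name.

    Assumptions: every assignment propagates to children, and the nearest
    assignment on a parent chain replaces anything defined higher on that chain.
    """
    if obj in assignments:  # a role set directly on the object takes effect
        return set(ROLES[assignments[obj]])
    privs = set()
    for parent in PARENTS[obj]:  # several parents: their results are unioned
        privs |= effective(parent, assignments)
    return privs


def broader_than(role, assignments):
    """Audit helper: objects where the user ends up with more than `role` allows."""
    return sorted(o for o in PARENTS if effective(o, assignments) - ROLES[role])


if __name__ == "__main__":
    cases = {
        "admin on vCenter, limited on Cluster": {"vCenter": "Administrator", "Cluster": "Limited"},
        "admin on vCenter, limited on Datacenter": {"vCenter": "Administrator", "Datacenter": "Limited"},
        "admin on vCenter, read-only on VM": {"vCenter": "Administrator", "VM": "ReadOnly"},
    }
    for label, assignments in cases.items():
        print(label, "-> VM:", sorted(effective("VM", assignments)),
              "| broader than Limited:", broader_than("Limited", assignments))
```

In this model the cluster-level restriction does not limit the VM, because the VM still inherits the administrative role through its VM folder chain, while an assignment at the Datacenter sits on both chains.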