Allowing Specific User Accounts to Manage Specific Virtual Machines


Article ID: 422297


Updated On:

Products

VMware vCenter Server

Issue/Introduction

In vSphere Client, while operations for hosts and virtual machines are typically performed by administrators, certain requirements may necessitate granting minimal permissions to non-administrator accounts to allow them to manage specific virtual machines only.

This document provides a configuration example for the scenario described above.

Prerequisites:

    1. A non-administrator user account must be created to assign permissions for specific virtual machines.
    2. The user account will be restricted to only the following actions for the designated virtual machines:
         • Opening a Web Console connection
         • Power On
         • Power Off

Environment

VMware vCenter Server 8.0.x

VMware vCenter Server 7.0.x

VMware vSphere ESXi 8.0.x

VMware vSphere ESXi 7.0.x

Resolution

Steps to create a user account and a role that meet the prerequisites:

1. Create a user account:

    1. Log in to the vSphere Client with an administrator account.
    2. Choose [Administration] > [Single Sign-On] > [Users and Groups].
    3. In the [Users and Groups] menu, set "Domain" to vsphere.local.
    4. Click the [ADD] icon and create a user account (e.g. Username: testuser1).
    5. The created user account "testuser1" is listed in the [Users and Groups] menu.

2. Create a role:

    1. Log in to the vSphere Client with an administrator account.
    2. Choose [Administration] > [Access Control] > [Roles].
    3. Click [NEW] and create a role with the following privileges:
         - Role name: VMInteractionUserRole
         - Privileges: "Power on", "Power off", and "Console interaction" under [Virtual machine] > [Interaction]
       Note: "Role name" is a sample and can be replaced with any other unique name.
    4. After creating the new role, the assigned privileges can be confirmed by selecting it in the role list.

3. Assign the role to the user account:

    1. Right-click the target VM in the inventory and select [Add Permission].
    2. Select the user account and the role created in the steps above, then click [OK].
    3. Log in to the vSphere Client with the testuser1 account created in step 1.
    4. Confirm that only Power On, Power Off and Web Console connection are allowed on the target VM.
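
The role and per-VM permission from steps 2 and 3 can also be created and checked with PowerCLI. This is an added example, not part of the original article: the vCenter address and VM name are placeholders, and it assumes testuser1 already exists in vsphere.local.

```powershell
# Added example; not from the original article. Assumes VMware PowerCLI is installed
# and testuser1 was already created in vsphere.local (step 1 above).
$vCenter   = 'vcenter.example.com'      # placeholder
$vmName    = 'target-vm'                # placeholder
$roleName  = 'VMInteractionUserRole'
$principal = 'VSPHERE.LOCAL\testuser1'

# Privilege IDs behind "Power on", "Power off" and "Console interaction"
$wanted = @(
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.ConsoleInteract'
)

Connect-VIServer -Server $vCenter -Credential (Get-Credential) | Out-Null

# Step 2: create the role only if it does not exist yet
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id $wanted)
}

# Least-privilege check: apart from the System.* privileges that vCenter adds
# to every role, the role must hold exactly the three privileges above.
$actual  = @($role.PrivilegeList | Where-Object { $_ -notlike 'System.*' })
$extra   = @($actual | Where-Object { $_ -notin $wanted })
$missing = @($wanted | Where-Object { $_ -notin $actual })
if ($extra.Count -or $missing.Count) {
    throw "Role '$roleName' drifted. Extra: $($extra -join ', ') Missing: $($missing -join ', ')"
}

# Step 3: grant the role on the target VM object only, not on a folder or cluster
$vm = Get-VM -Name $vmName
$existing = Get-VIPermission -Entity $vm -Principal $principal | Where-Object { $_.EntityId -eq $vm.Id }
if (-not $existing) {
    New-VIPermission -Entity $vm -Principal $principal -Role $role -Propagate $false | Out-Null
}

# Review: every permission held directly by the account; expect a single row for the VM
Get-VIPermission -Principal $principal | Select-Object Entity, Role, Propagate
Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Any additional row in the final listing means the account holds permissions beyond the single VM and should be reviewed.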