Managing VMware VirtualCenter

Roles and Permissions
Table of Contents
Introduction
VirtualCenter Objects and Permissions
Built-in and Custom Roles
Task-Based Privilege Assignment
Creating a Virtual Machine
Inventory Manipulation
Networking, Storage, and Host Maintenance
Creating Custom Roles
Example: Allowing Template Deployment to a Resource Pool
Example: Network Administrator
Example: VMware Consolidated Backup User
Recommendations for VirtualCenter Roles
Appendix: Perl Script for Listing All Role Assignments
About the Author
Introduction
One key management task in a VMware Infrastructure environment is determining who can use VMware VirtualCenter and what tasks those users are authorized to perform. The person who has the role of Administrator for the system is authorized to assign the rights needed by other users. Generally, only a limited set of people should be given the Administrator role. If you are the Administrator, you should then use VirtualCenter roles, described in the sections that follow, to delegate management of ESX Server hosts and virtual machines to others.

This paper introduces you to the way Virtual Infrastructure 3 controls access to resources and describes techniques you can use to assign appropriate access rights efficiently. It explains the concept of roles, provides information to help in the design of custom roles, and gives recommendations for how to work with roles and privileges in VirtualCenter.
VirtualCenter Objects and Permissions
The authorization to perform tasks in VMware Infrastructure is governed by an access control system. This system allows the VirtualCenter Administrator — using the Virtual Infrastructure Client — to specify in great detail which users or groups can perform which tasks on which objects. It is defined using three key concepts:
• Privilege — The ability to perform a specific action or read a specific property. Examples include powering on a virtual machine and creating an alarm.
• Role — A collection of privileges. Roles provide a way to gather all the individual privileges that are required to perform a higher-level task, such as administer a virtual machine.
• Object — An entity upon which actions are performed. VirtualCenter objects are datacenters, folders, resource pools, clusters, hosts, and virtual machines.
Figure 1 shows the hierarchy of objects you can manage in the Virtual Infrastructure Client.
In addition, VirtualCenter depends upon the users and groups defined in your Active Directory environment or on the local Windows server on which VirtualCenter runs. One key point to note is that an ESX Server host can have its own set of users and groups that is independent of the Active Directory users and groups. If you are using VirtualCenter, you should avoid defining any users on the ESX Server host beyond those that are created by default. This approach provides better manageability, because there is no need to synchronize the two lists if a user or group is added or updated on one of the systems. It also improves security, because it makes it possible for all permissions to be managed in one place. For a full description of the way ESX Server and Virtual Infrastructure Client recognize and manage users and groups, see the sections “Users” and “Groups” in Chapter 15 of the manual Basic System Administration in your VMware Infrastructure documentation.
Figure 2 shows the relationship between roles, objects, and users. Together they define a permission. The role defines the actions that can be performed. Users and groups indicate who can perform the action, and the object is the target of the action. Each combination of user or group, role, and object must be specified. In other words, the Administrator first selects an object from the overall VirtualCenter inventory, then selects a role to be assigned to that object, then selects the user or group to which this permission pertains. For detailed instructions, see the section “Assigning Access Permissions” in Chapter 15 of the Basic System Administration guide.

Figure 1 — The Virtual Infrastructure Client object hierarchy (labels in the figure: root folder, folder, resource pool, Hosts and Clusters, Virtual Machines and Templates)
There are more than 100 privileges, which roughly correspond to individual actions a VirtualCenter user can take. They are grouped hierarchically in the Virtual Infrastructure Client for convenience. Appendix A of the manual Basic System Administration in your VMware Infrastructure documentation describes all of the privileges.
For each permission, you can decide whether the permission propagates down the object hierarchy to all subobjects, or if it applies only to that immediate object. For example, you can have a role called Datacenter Administrator, which gives a user privileges to manage hosts, network, and datastores, but then choose for that role not to grant that user administrative privileges for virtual machines on those hosts. Conversely, you can grant a user very limited permissions (for example, read-only) from the datacenter level on downward, then grant more permissive roles on certain subobjects, for example, a folder of virtual machines.

In addition to specifying whether permissions generally propagate downward, you can override permissions set at a higher level by explicitly setting different permissions for a lower-level object. For example, you might give a user read-only permission at the datacenter level and administrator permission for a particular folder. If you set the administrator permission to propagate, that permission also applies to all branches below that particular folder. If you set the administrator permission but do not set it to propagate, the user has no rights at all on branches below that particular folder — not even read-only.

Note: There is a known issue in VirtualCenter 2.0.1 and lower that causes a misleading display indicating read-only permission at lower levels even when propagation is not set. This issue affects only the display in the user interface. The actual permissions are set as described in this paper.
The normal process of setting up users, groups, and permissions can grant a user differing permissions on the same object. This can happen easily if, for example, the user belongs to two different groups and the two groups have different permissions on the object. In this case, the user is granted permissions that are a union of the groups’ permissions. For example, if one group is allowed to power on virtual machines and the other is allowed to take snapshots, then a user who is a member of both groups can do both. If an individual user has an explicit permission set on the object, however, this individual permission overrides all implied group permissions. For example, if a role that does not permit powering on virtual machines or taking snapshots is granted to a user explicitly on that object, the user cannot perform either action.
Built-in and Custom Roles
VirtualCenter and ESX Server hosts provide default roles:
• System roles – System roles are permanent and the privileges associated with these roles cannot be changed. The three system roles are No Access, Read-Only, and Administrator. The latter two also exist in VirtualCenter 1.x.
• Sample roles – Sample roles are provided for convenience as guidelines and suggestions. Table 1 lists the sample roles in VirtualCenter 2.x. Note that two of these roles are meant to emulate the roles with the same names in VirtualCenter 1.x.

The Administrator role is the most powerful one in VirtualCenter. It essentially allows the user to perform every available action in VirtualCenter. You should grant this role to as few users as possible. The Read-Only role allows the user to view the state and configuration of objects without modifying them. The No Access role prevents a user from seeing any objects. It is equivalent to assigning no role to a user for a particular object. The No Access role is useful in conjunction with other roles to limit their scope, as shown in an example later in this paper.

The built-in roles provide a way to get started with VirtualCenter permissions management. By studying Table 1, then examining the privileges of each role in the VI Client, you can determine which roles are appropriate for the personnel in your environment. Bear in mind that a role must be applied to an object for a specified user or group in order to create a permission. You should decide which object in the inventory hierarchy is the appropriate one to which to apply the role. For example, instead of granting the Virtual Machine Administrator role to someone on individual virtual machines, you can group selected virtual machines in a folder, then apply this role to the folder, with propagation enabled.
Figure 2 — The conceptual structure of a permission (labels in the figure: User/Group, Object)
In most cases, you should enable propagation when assigning a role. This prevents confusion when a new object is inserted into the inventory hierarchy; if propagation is not set, it might not be clear why a user has no permissions on the new object. Instead of disabling propagation, you can explicitly limit the extent of a role by using the No Access role. For example, you can grant the VirtualCenter Power User role on a folder of virtual machines to a group. With propagation enabled, the role is granted on all virtual machines in that folder at any given time, and you do not need to add and remove these privileges on virtual machines as they come and go from the folder. However, if you want to have a subfolder of virtual machines that should not be usable by this group, you can assign the No Access role on that specific subfolder. The virtual machines in the specified subfolder are now effectively invisible to users in this group; the setting effectively masks this folder for the group.

The role-editing facilities in the Virtual Infrastructure Client allow you to create privilege sets that fit your user needs. You can create custom roles either in VirtualCenter or directly on an ESX Server host. However, the roles you create directly on an ESX Server host are not accessible within VirtualCenter. You can work with these roles only if you log in to the host directly from the Virtual Infrastructure Client.

One convenient way to create a custom role is to start with an existing role, then make modifications to it. In the Virtual Infrastructure Client, right-clicking on a role and selecting Clone produces a copy of the role. You can then rename the role and modify the privileges appropriately.

Note: If any role is granted on an object for a user, that user is able to view all the information for that object. In other words, the user might have privileges to perform only certain tasks but also has the equivalent of read-only privileges for everything else that pertains to that object. Therefore, you must be careful about granting visibility to users on certain parts of the infrastructure that might not be intended.
Role: Virtual Machine User (equivalent to the role with the same name in VirtualCenter 1.x)
User: Perform actions on virtual machines only
Capabilities: Interact with virtual machines, but not change the virtual machine configuration. This includes:
• All privileges for the scheduled tasks privileges group
• Selected privileges for the global items and virtual machine privileges groups
• No privileges for the folder, datacenter, datastore, network, host, resource, alarms, sessions, performance, and permissions privileges groups

Role: Virtual Machine Power User
User: Perform actions on the virtual machine and datastore objects
Capabilities: Interact and change most virtual machine configuration settings, take snapshots, and schedule tasks. This includes:
• All privileges for the scheduled tasks privileges group
• Selected privileges for the global items, datastore, and virtual machine privileges groups
• No privileges for the folder, datacenter, network, host, resource, alarms, sessions, performance, and permissions privileges groups

Role: Resource Pool Administrator
User: Perform actions on datastores, hosts, virtual machines, resources, and alarms
Capabilities: Provides delegation and is assigned to resource pool inventory objects. This includes:
• All privileges for the folder, virtual machine, alarms, and scheduled tasks privileges groups
• Selected privileges for the global items, datastore, resource, and permissions privileges groups
• No privileges for the datacenter, network, host, sessions, or performance privileges groups

Role: Datacenter Administrator
User: Perform actions on global items, folders, datacenters, datastores, hosts, virtual machines, resources, and alarms
Capabilities: Set up datacenters, but with limited ability to interact with virtual machines. This includes:
• All privileges for the folder, datacenter, datastore, network, resource, alarms, and scheduled tasks privileges groups
• Selected privileges for the global items, host, and virtual machine privileges groups
• No privileges for the sessions, performance, and permissions privileges groups

Role: Virtual Machine Administrator (equivalent to the role with the same name in VirtualCenter 1.x)
User: Perform actions on global items, folders, datacenters, datastores, hosts, virtual machines, resources, alarms, and sessions
Capabilities: This includes:
• All privileges for all privilege groups, except permissions

Table 1 — Sample roles included in VirtualCenter 2.x
Task-Based Privilege Assignment
Roles gather together certain privileges, making it simpler to assign those privileges to users or groups. In most cases, the name of the privilege indicates the task that it allows a user to perform. However, there are some tasks that require a coordinated set of privileges to be enabled. This section presents some examples of such tasks, and what privileges are required to enable them to be performed in their entirety.
Creating a Virtual Machine
Table 2 presents all the privileges related to creating a new virtual machine and the objects to which they should be applied. Several points deserve special attention:
• Read-Only role — As shown in Table 2, for the user in this example, you must apply the Read-Only role for the datacenter that contains the datastore on which the virtual machine will reside or on a folder containing the datacenter. This setting allows the provisioning operation to determine where the virtual machine should be placed. Because datastores themselves cannot be assigned roles, you manage privileges for datastores indirectly through the parent datacenter. You do not need to assign the Read-Only role if you have assigned any of the other privileges at the datacenter level. Whenever any role other than No Access is assigned for the datacenter, the user automatically gets read-only permissions on the datacenter object. So, for example, if you assign Virtual Machine > Inventory > Create at the datacenter level, the additional Read-Only role assignment would be redundant.
• Propagation — If you explicitly assigned the Read-Only role to a datacenter, that does not need to propagate beyond the datacenter (down to folders, hosts, clusters, resource pools, or virtual machines). However, if you apply the Read-Only role to a folder containing the datacenter, you must enable propagation for that role to reach the datacenter object. Because the depth of propagation cannot be specified, this setting gives the user read-only privileges on every object in the datacenter. In this case, you can use the No Access role to hide objects that should not be visible to the user.
• Disk management — The privilege Virtual Machine > Configuration > Add New Disk allows the user to create a new virtual disk file on a datastore contained in the specified datacenter or in the datacenter in which the specified virtual machine folder is located. The privilege Virtual Machine > Configuration > Raw Device is necessary only if an RDM volume will be used to store the internal disk for the virtual machine. Similarly, the privilege Virtual Machine > Configuration > Add Existing Disk is normally not necessary, because in most cases a new virtual disk is created when someone creates a virtual machine. However, this privilege is needed in the following situations:
  • Using a virtual disk from another VMware product (such as VMware Workstation)
  • Using a virtual disk created by a third-party product that imports a physical machine configuration into a virtual machine
  • Using a virtual disk that was manually copied from another datacenter or datastore
  In all these cases, the existing disk file should be on a datastore contained in the datacenter where the virtual machine will be created.
• Resource pools — When you apply the privilege Resource > Assign VM to Resource Pool, be aware that the object model of VMware Infrastructure 3 uses resource pools as objects that partition compute resources, such as memory and CPU. Normally, a resource pool is defined explicitly as some portion of the resources available on one host or a cluster of hosts. However, if no explicit resource pools are defined, each host or cluster is considered to have its own implicit resource pool that groups the resources of that host or cluster. The root resource pool is not displayed because the resources of the host (or cluster) and the root resource pool are always the same. Therefore, if there is no named resource pool into which the virtual machine is to be deployed, you must assign this privilege for the destination host or cluster. If a user does not hold this privilege (by virtue of this or some other role) on any named resource pool, host, or cluster, that user cannot create a virtual machine.
• Operating system deployment — The example presented here lists the minimum privileges needed to create a new virtual machine. The next task a user is likely to perform is to deploy an operating system onto the new, blank virtual machine. You need to grant appropriate privileges for this. The specific privileges depend on how your users deploy operating systems. For example, if they deploy the operating system from an ISO image on shared storage, assign Datastore > Browse Datastore for the datacenter. If they deploy the operating system from an ISO image on a local disk on the host, assign Datastore > Browse Datastore for both the datacenter and the host. If they deploy the operating system from a physical CD, datastore privileges are not needed. In all of these cases, most of the privileges in Virtual Machine > Configuration and Virtual Machine > Interaction are needed to deploy and configure the operating system on the virtual machine.

Privilege: Virtual Machine > Inventory > Create
Object: A destination folder of virtual machines in the datacenter, a folder containing a datacenter, or the datacenter itself if you do not use folder-based organization
Notes: Required for any virtual machine creation

Privilege: Virtual Machine > Configuration > Add New Disk
Object: A destination folder of virtual machines in the datacenter, a folder containing a datacenter, or the datacenter itself if you do not use folder-based organization
Notes: Only if including a virtual disk device that creates a new virtual disk file (not RDM). Note: This privilege or Add Existing Disk is required for any virtual machine creation

Privilege: Virtual Machine > Configuration > Add Existing Disk
Object: A destination folder of virtual machines in the datacenter, a folder containing a datacenter, or the datacenter itself if you do not use folder-based organization
Notes: Only if including a virtual disk device that refers to an existing virtual disk file (not RDM). Note: This privilege or Add New Disk is required for any virtual machine creation

Privilege: Virtual Machine > Configuration > Raw Device
Object: A destination folder of virtual machines in the datacenter, a folder containing a datacenter, or the datacenter itself if you do not use folder-based organization
Notes: Only if including a raw device mapping (RDM) or SCSI passthrough device for use by the virtual machine

Privilege: Resource > Assign VM to Resource Pool
Object: A destination resource pool, host, or cluster

Privilege: Read-Only role
Object: The datacenter that contains the datastore on which the virtual machine will reside, or a folder containing the datacenter. Propagation does not have to be enabled for the datacenter, but it must be enabled for a folder

Table 2 — Privileges needed for creating a virtual machine
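The permission rules of the preceding sections (an explicit user entry overriding group entries, union of group roles, propagation, No Access masking, and read-only visibility implied by any other role) together with the Table 2 requirements for creating a virtual machine, as an added Python model that is not VMware's code: the inventory, the principal names and the custom roles "VM Creator", "Disk Importer" and "Pool User" are constructed assumptions, while the privilege strings are the ones the paper's tables use.

```python
# Constructed model of the permission rules this paper describes. Added example,
# not VMware's code: inventory, principals and custom roles are made up; the
# privilege strings are the ones used in the paper's tables.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

NO_ACCESS, READ_ONLY = "No Access", "Read-Only"      # two of the system roles

CREATE = "Virtual Machine > Inventory > Create"
ADD_NEW_DISK = "Virtual Machine > Configuration > Add New Disk"
ADD_EXISTING_DISK = "Virtual Machine > Configuration > Add Existing Disk"
ASSIGN_POOL = "Resource > Assign VM to Resource Pool"

# Constructed custom roles: role name -> privileges the role contains.
ROLES: Dict[str, FrozenSet[str]] = {
    NO_ACCESS: frozenset(),
    READ_ONLY: frozenset(),
    "VM Creator": frozenset({CREATE, ADD_NEW_DISK}),
    "Disk Importer": frozenset({ADD_EXISTING_DISK}),
    "Pool User": frozenset({ASSIGN_POOL}),
}


@dataclass
class Obj:
    """Inventory object; perms maps a user or group name to (role, propagate)."""
    name: str
    parent: Optional["Obj"] = None
    perms: Dict[str, Tuple[str, bool]] = field(default_factory=dict)

    def grant(self, principal: str, role: str, propagate: bool = True) -> "Obj":
        self.perms[principal] = (role, propagate)
        return self


def effective_roles(obj: Obj, user: str, groups: Set[str]) -> Set[str]:
    """Roles that apply to user on obj; empty set means no permission applies.

    Walk from obj toward the root. The nearest object carrying a permission for
    the user decides: an explicit user entry overrides group entries, several
    group entries are unioned. An entry on an ancestor counts only if it
    propagates; per the paper, a non-propagating permission above the object
    leaves the user no rights at all below it.
    """
    node, on_object = obj, True
    while node is not None:
        if user in node.perms:
            hits = [node.perms[user]]
        else:
            hits = [node.perms[g] for g in sorted(groups) if g in node.perms]
        if hits:
            return {role for role, propagates in hits if propagates or on_object}
        node, on_object = node.parent, False
    return set()


def privileges(obj: Obj, user: str, groups: Set[str]) -> Set[str]:
    """Union of the privileges of all effective roles (No Access adds none)."""
    return set().union(*(ROLES[r] for r in effective_roles(obj, user, groups)))


def visible(obj: Obj, user: str, groups: Set[str]) -> bool:
    """Any role other than No Access implies at least read-only visibility."""
    return any(r != NO_ACCESS for r in effective_roles(obj, user, groups))


def can_create_vm(user: str, groups: Set[str], vm_folder: Obj,
                  datacenter: Obj, destination: Obj) -> List[str]:
    """Check the Table 2 requirements; returns what is missing (empty = allowed).

    destination is the resource pool, host or cluster the VM is assigned to;
    datacenter is the one containing the datastore, which must be visible.
    """
    missing: List[str] = []
    have = privileges(vm_folder, user, groups)
    if CREATE not in have:
        missing.append(f"{CREATE} on {vm_folder.name}")
    if not have & {ADD_NEW_DISK, ADD_EXISTING_DISK}:
        missing.append(f"Add New Disk or Add Existing Disk on {vm_folder.name}")
    if ASSIGN_POOL not in privileges(destination, user, groups):
        missing.append(f"{ASSIGN_POOL} on {destination.name}")
    if not visible(datacenter, user, groups):
        missing.append(f"Read-Only (visibility) on {datacenter.name}")
    return missing


def build_inventory() -> Dict[str, Obj]:
    """Constructed inventory: datacenter, VM folders, cluster and resource pool."""
    root = Obj("Hosts and Clusters")
    dc = Obj("Datacenter A", root).grant("developers", READ_ONLY)
    dev_vms = Obj("Dev VMs", dc).grant("developers", "VM Creator")
    dev_vms.grant("disk-importers", "Disk Importer")
    dev_vms.grant("alice", READ_ONLY, propagate=False)  # explicit user override
    restricted = Obj("Restricted", dev_vms).grant("developers", NO_ACCESS)
    cluster = Obj("Cluster 1", dc)
    pool = Obj("Dev Pool", cluster).grant("developers", "Pool User")
    return {"dc": dc, "dev_vms": dev_vms, "restricted": restricted, "pool": pool,
            "vm1": Obj("dev-vm-01", dev_vms), "vm2": Obj("dev-vm-02", restricted)}
```

With the constructed inventory, can_create_vm("bob", {"developers"}, ...) returns an empty list, while "alice" fails on the Dev VMs folder because her explicit, non-propagating Read-Only entry overrides the group's VM Creator role there and leaves her no rights on the virtual machines below it.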
Inventory Manipulation
Table 3 shows examples of tasks that affect the organization of compute resources in the overall VMware Infrastructure 3 inventory and the privileges required for each one.

Task: Migrate a virtual machine
Required privileges: Resource > Migrate if the virtual machine is powered on, or Resource > Relocate if the virtual machine is powered off. Also requires Resource > Assign Virtual Machine to Resource Pool if the destination is a different resource pool from the source.

Task: Move a host into a folder
Required privileges: Host > Inventory > Modify Cluster on the cluster, Host > Inventory > Move Host on the host, and Host > Inventory > Add Standalone Host on the folder.

Task: Move a virtual machine, standalone host, folder, cluster, or datacenter into a folder
Required privileges: Folder > Move if the object is a folder, Datacenter > Move if the object is a datacenter, Host > Inventory > Move Cluster/Standalone Host if the object is a cluster or standalone host, Virtual Machine > Inventory > Move if the object is a virtual machine or virtual machine template. These privileges are checked against the source, destination, and object being moved.

Task: Move a set of resource pools or virtual machines into a resource pool
Required privileges: If the object being moved is a resource pool, Resource > Move Pool must be held on the resource pool being moved, its parent pool, and the destination pool. If the object is a virtual machine, Resource > Assign Virtual Machine to Resource Pool must be held on the destination pool and the virtual machine.

Task: Remove all child resource pools
Required privileges: The Resource > Remove Pool privilege must be held on the parent and each of its immediate children to be removed. The Resource > Assign Virtual Machine to Resource Pool privilege must be held on the parent pool as well as on the virtual machine.

Table 3 — Tasks that require coordinated privileges on multiple objects

Networking, Storage, and Host Maintenance
There are certain privileges that pertain specifically to the configuration of networking and storage virtualization. In both cases, VMware Infrastructure 3 maintains a host-centric view of the resources, and the privileges are defined on a per-host basis. If you take advantage of privilege propagation, these privileges can be assigned at a higher level, such as cluster or folder, and they then apply to all contained hosts.

Because some of these privileges actually enable a large number of tasks, it is important to understand exactly what actions are permitted for a user holding a role that contains these privileges. Table 4 provides a list of networking and storage-related privileges and the specific capabilities that they allow. Within an individual privilege, it is not possible to disallow some of these tasks while allowing others; the level of granularity in VMware Infrastructure 3 allows you to associate either all or none of them with a role. Therefore, you must be comfortable with granting every one of those abilities to any potential holder of a role that contains the privilege.

Table 4 also includes some privileges related to the configuration and maintenance of the ESX Server host. As with the networking and storage privileges, make sure that users or groups assigned to a role containing one of these privileges are authorized to perform all the actions the privilege enables them to perform.

Privilege: Host > Configuration > Network
Allowed actions:
• Add, remove, or edit the following: port groups, virtual Ethernet adapters, virtual switches, and service console virtual Ethernet adapters
• Edit the following: IP routing for the host, IP routing for the service console, DNS configuration for the host, link speed and duplex settings for the physical Ethernet adapters
• Restart the service console virtual network adapter interface

Privilege: Host > Configuration > Storage Partition Configuration
Allowed actions:
• Enable, disable, or configure policies for multipathing on a LUN
• Rescan some or all HBAs on virtual machines for new or removed storage devices
• Rescan for new or removed VMFS volumes
• Extend a VMFS volume by attaching a disk partition as an extent
• Format a new VMFS volume on a LUN or disk partition
• Change the partitions on the disk
• Add and remove send entries and static entries to the host bus adapter discovery list
• Enable or disable the iSCSI software initiator
• Edit the following on an iSCSI host bus adapter: alias, authentication properties, IP properties, discovery properties

Privilege: Datastore > Browse Datastore
Allowed actions:
• Browse the files on a datastore, for example, to search for a virtual machine (.vmx) file or ISO image file. Must be granted at the datacenter level for a shared datastore, and at both the datacenter and host level for a local disk

Privilege: Datastore > Rename File
Allowed actions:
• Rename a datastore (note inconsistency of naming)

Privilege: Datastore > Remove File
Allowed actions:
• Delete a file from a datastore. If a valid virtual disk file is specified, all the components of the virtual disk are deleted

Privilege: Host > Configuration > Maintenance
Allowed actions:
• Put a host into or out of maintenance mode
• Reboot a host
• Shut down a host

Privilege: Host > Configuration > Security Profile and Firewall
Allowed actions:
• Enable and disable network services on a host (by opening or closing the corresponding port in the firewall)
• Configure the startup policy for the services
• Manually start or stop the services

Table 4 — Actions enabled by networking, storage, and host maintenance privileges

Creating Custom Roles
The use cases described in this section illustrate the process of selecting and defining the privileges required to complete a task from start to finish.

Example: Allowing Template Deployment to a Resource Pool
Suppose that you want to enable some users to create new virtual machines from existing templates and deploy those virtual machines into a specific resource pool. You might want to do this, for example, in a development environment where you want developers to be able to work with virtual machines of a fixed type and want to enable them to create as many as needed for their development work. If you allow these virtual machines to run only in a specified resource pool, you can exercise fine-grained control over the server resources used by the developers. For example, you can use limits to cap the amount of CPU or memory used by all the developer virtual machines, or you can use shares to ensure that resources used by these virtual machines are returned to other, more mission-critical resource pools when needed.

One way to approach this is to create a new user-defined role called Developer and set the minimum privileges necessary for a user with that role to accomplish these tasks. Table 5 shows which privileges you must enable for this user.

Privilege: Virtual Machine > Inventory > Create
Object: A destination folder in the datacenter, or the datacenter itself if you do not use folder-based organization
Notes: If not applied on the datacenter, you must also grant the user Read-Only on the datacenter directly

Privilege: Virtual Machine > Configuration > Add New Disk
Object: A destination folder in the datacenter, or the datacenter itself if you do not use folder-based organization
Notes: Although this privilege is required if using the Virtual Infrastructure Client, it is not necessary if the custom role is being used by an SDK client

Privilege: Virtual Machine > Provisioning > Deploy Template
Object: A template or folder of templates in the datacenter

Privilege: Resource > Assign VM to Resource Pool
Object: A destination resource pool, host, or cluster

Privilege: Virtual Machine > Interaction
Object: A destination resource pool, host, or cluster

Table 5 — Privileges used in creating a Developer role

Although the privilege Virtual Machine > Configuration > Add New Disk is always required when creating a new virtual machine, the VI Client also requires this privilege for deploying a virtual machine from a template and for cloning a virtual machine. This requirement is unique to the VI Client; the privilege is not required for an SDK client that tries to deploy a template or clone a virtual machine.
Example: Network Administrator
A custom role would also be useful for an organization in which separate groups are responsible for managing servers and networks. The networking team has traditionally managed a discrete set of physical networking equipment. In a VMware Infrastructure environment, however, they may need to take responsibility for the virtual networking that runs in software on the ESX Server hosts.

A role for network administrators might give them the privilege needed to add, remove, and configure virtual switches on an ESX Server host — or a group of hosts, either in a folder or in a datacenter. Table 6 shows the privilege needed for this role. If you apply this privilege at the cluster, folder, or datacenter level, make sure that propagation is enabled.

Privilege: Host > Configuration > Network
Object: All hosts whose networks are to be managed by the network administrator, or the folder or datacenter containing those hosts, with propagation enabled

Table 6 — Privilege required for Network Administrator role

Although users assigned this role are able to view configurations for resources other than network switches, they do not have permissions to change anything except network settings. This role thus corresponds roughly to the activities that are normally handled by a network administrator.

Example: VMware Consolidated Backup User
VMware Consolidated Backup is a product that helps to perform backups of virtual machines in a Virtual Infrastructure 3 environment from a dedicated proxy host using the VMware snapshot technique and industry-standard backup software. The proxy host connects to VirtualCenter using a special user account in order to perform the snapshots and other related tasks. You can create a role that contains only the privileges necessary for this purpose and assign it to the special user account. Table 7 contains the list of privileges and the objects to which they should be applied.

Privilege: Virtual Machine > Configuration > Disk Lease
Object: The virtual machines to be backed up, a folder of virtual machines, or the datacenter containing the virtual machines

Privilege: Virtual Machine > State > Create Snapshot
Object: The virtual machines to be backed up, a folder of virtual machines, or the datacenter containing the virtual machines

Privilege: Virtual Machine > State > Remove Snapshot
Object: The virtual machines to be backed up, a folder of virtual machines, or the datacenter containing the virtual machines

Privilege: Virtual Machine > Provisioning > Allow Virtual Machine Download
Object: The virtual machines to be backed up, a folder of virtual machines, or the datacenter containing the virtual machines

Table 7 — Privileges required for VMware Consolidated Backup user
Recommendations for VirtualCenter Roles
¯c n.ko ncst o||oct|vo Jso c| .c|os |r \|.tJ.|´orto., |c||c.
t|oso gJ|Jo||ros
• |os|gr t|o .c|os .|t| t|o rct|cr t|.t \|.tJ.|´orto. s|cJ|J
bo t.o.toJ .s .r .Jn|r|st..t|cr tcc|, rct . goro..|pJ.pcso c| g.|r|rg .ccoss tc v|.tJ.| n.c||ros |r p..t|cJ|..
• by Jo|.J|t, .|| Jso.s .|c ..o rct .ss|groJ tc . .c|o .rJ
Jc rct bo|crg tc g.cJp .ss|groJ tc . .c|o |.vo t|o
o,J|v.|ort c| No Access .t t|o tcp|ovo| |csts .rJ
´|Jsto.s |c|Jo. ¯||s p.ovorts Jr.Jt|c.|.oJ Jso.s |.cn
|cgg|rg |r tc \|.tJ.|´orto., or|.rc|rg socJ.|ty .rJ
.vc|J|rg |rc.o.soJ |c.J cr \|.tJ.|´orto. c.JsoJ by .r
oxcoss|vo rJnbo. c| \| ´||ort soss|crs +cJ s|cJ|J .ss|gr
tc .c|os cr|y t|cso spoc|||c Jso.s .rJ g.cJps t|.t nJst
po.|c.n .Jn|r|st..t|vo t.sks |c. \V...o |r|,
.rJ ycJ s|cJ|J .ss|gr t|cso .c|os cr|y |c. .o|ov.rt
cb¦octs |r t|o |rvortc.y
• O.J|r..y Jso.s s|cJ|J rct Jso t|o \V...o v|.tJ.|
n.c||ro ccrsc|o tc .ccoss v|.tJ.| n.c||ros |rsto.J,
t|oy s|cJ|J Jso . st.rJ..J .oncto .ccoss tcc|, sJc| .s
|oncto |osktcp, |AJn|r, c. SS| |vor |c. Jso.s .|c
n|g|t ..rt tc n.r.go p..ts c| t|o v|.tJ.| |r|,
.oncto ccrsc|o .ccoss s|cJ|J bo st.|ct|y ccrt.c||oJ, |c.
bct| socJ.|ty .rJ .JJ|t|rg pJ.pcsos ¯||s |s .r.|cgcJs
tc ccrt.c|||rg .ccoss tc t|o |rtog..toJ ||g|tscJt ccrsc|o
cr . p|ys|c.| so.vo. +cJ c.r J|s.b|o v|.tJ.| n.c||ro
ccrsc|o .ccoss by .oncv|rg t|o p.|v||ogo Virtual
Machine > Interaction > Console Interaction |c. .
• VirtualCenter runs as a user that requires local administrator privilege and must be installed by a local administrative user. However, to limit the scope of administrative access, avoid using the Windows Administrator user to manage VirtualCenter after you install it. Instead, use a dedicated VirtualCenter administrator account. To do so, take the following steps:
1. Create an ordinary user account that will be used to manage VirtualCenter, for example, the VI Admin user. Make sure that this user does not belong to any local groups, such as Users or Administrators. This precaution ensures that any future role assignments involving a local group do not inadvertently affect this account.
2. In VirtualCenter, log on as the Windows Administrator, then grant the role of Administrator (that is, the global VirtualCenter administrator) to the newly created account on the top-level Hosts and Clusters folder.
3. Log out of VirtualCenter, then make sure you can log in to VirtualCenter as the new user and that this user is able to perform all tasks available to a VirtualCenter administrator.
4. Remove the permissions in VirtualCenter for the local Administrators group.
By configuring accounts in this way, you avoid automatically giving administrative access to domain administrators, who typically belong to the local Administrators group. You also have a way of getting into VirtualCenter when the domain controller is down, because the local VirtualCenter administrator account does not require remote authentication.
• Although it is possible to edit the built-in sample roles (not the system roles), do not modify them. Instead, clone new roles from them, then modify the cloned roles. This approach allows you to refer to the original sample roles if you want to roll back changes you have made to them.
• Try to define a role using the smallest number of privileges possible, so that security and control over your environment can be maximized. In the virtual machine creation example, the minimum number of privileges required to enable virtual machine creation is three:
• Virtual Machine > Inventory > Create
• Virtual Machine > Configuration > Add New Disk
• Resource > Assign VM to Resource Pool
• Because the role can be applied to any VMware Infrastructure 3 object, one way to ensure that the fewest privileges are granted is to create multiple roles, each of which is targeted at a specific set of tasks, then grant each user or group the appropriate role on the appropriate object. For example, in the case of the custom Developer role, you can choose to split this across three roles:
• Deploy Template — One role allows only deployment from a template.
• Create Virtual Machine — Another role allows creation of a virtual machine and virtual disk in a datacenter or folder.
• Interact with Virtual Machine — The third role allows assigning a virtual machine to a pool and interaction with a virtual machine.
Then you can grant a user the Deploy Template role on template folder buildA, the Create Virtual Machine role on datacenter East, and the Interact with Virtual Machine role on pool Dev.
• As a corollary to the previous guideline, note that you can grant only one explicit role to a user on a virtual machine, but two different roles might apply implicitly through propagation. In the example given above, you can apply the Create Virtual Machine role to a folder and also apply the Interact with Virtual Machine role to a pool. The user then has a union of those privileges on any virtual machine that is in the folder as well as in the pool. This means, for example, that if you want to allow a user to both create a virtual machine and interact with it, without depending on indirect privileges through propagation, you must use a role that combines the two sets of privileges.
• Try to give the roles names that explicitly indicate what each role allows, to make their purposes clear. The examples above illustrate this point.
• Use folders to contain the scope of permissions. For example, if you want to limit the templates from which users can deploy new virtual machines, you can put the allowed templates into a folder, then apply the Deploy Template role on this folder for the users.
• Because of membership in different groups, and the union of privileges inherited from them, it might not always be obvious what privileges are granted to a user on an object. However, Active Directory does not allow the inspection of a user's group memberships unless the user is logged in. One way around this restriction is to inspect all the role assignments on all objects, then cross-reference them with a known list of group memberships of users. The VI Client allows you to see the roles assigned for objects individually, but by using the VMware Infrastructure SDK, you can obtain this information for all objects at once in a more straightforward manner. Appendix A shows an example of a Perl script that uses the VI Perl Toolkit and generates a list of objects with the role assignments associated with each one. You can use this script as a starting point and modify it to suit your needs.
• Any user who has the ability to create a virtual machine or template can potentially initiate a denial of service by completely filling up a datastore with virtual disk files, whether purposefully or inadvertently. The specific privileges that allow this are:
• Virtual Machine > Configuration > Add New Disk
• Virtual Machine > Provisioning > Deploy Template
• Virtual Machine > Provisioning > Create Template from Virtual Machine
• Virtual Machine > Provisioning > Clone Template
If you are uncomfortable granting a user this ability to fill a datastore, you must enable a more trusted individual to create virtual machines or templates on behalf of this user.
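Added example (Python; not code from the original document or from VMware): the cross-reference the guideline on group memberships describes, run over a constructed export in the CSV shape of Listing 1, expanded with an assumed Active Directory group list, and then screened for the four storage-filling privileges listed above. The sample rows, the group memberships and the privilege contents assigned to the custom roles are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict
# Constructed sample in the CSV shape printed by Listing 1 (not real VirtualCenter output).
ROLE_EXPORT = """Object Type,Object Name,User/Group,Role
VirtualMachine,CRM Server,Administrators,Admin
VirtualMachine,CRM Server,VCUser,VirtualMachinePowerUser
Folder,buildA,Developers,Deploy Template
Datacenter,East,Developers,Create Virtual Machine
ResourcePool,Dev,alice,Interact with Virtual Machine
"""
# Constructed group memberships, the "known list" the text says must come from Active Directory.
GROUP_MEMBERS = {"Administrators": {"vcadmin", "bob"}, "Developers": {"alice", "carol"}}
# Privileges the text identifies as letting a user fill a datastore with virtual disk files.
DISK_FILLING = {
    "Virtual Machine > Configuration > Add New Disk",
    "Virtual Machine > Provisioning > Deploy Template",
    "Virtual Machine > Provisioning > Create Template from Virtual Machine",
    "Virtual Machine > Provisioning > Clone Template",
}
CONSOLE = "Virtual Machine > Interaction > Console Interaction"
# Assumed privilege contents of the roles in the export, following the three-way split
# described in the text; the built-in Admin role holds every privilege.
ROLE_PRIVILEGES = {
    "Admin": DISK_FILLING | {CONSOLE},
    "VirtualMachinePowerUser": {CONSOLE},
    "Deploy Template": {"Virtual Machine > Provisioning > Deploy Template"},
    "Create Virtual Machine": {"Virtual Machine > Inventory > Create",
                               "Virtual Machine > Configuration > Add New Disk"},
    "Interact with Virtual Machine": {"Resource > Assign VM to Resource Pool", CONSOLE},
}

def assignments_per_user(export_csv, group_members):
    """Expand each User/Group row to the users it reaches: {user: [(type, name, role, via)]}."""
    per_user = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        principal = row["User/Group"]
        for user in group_members.get(principal, {principal}):  # a user principal maps to itself
            per_user[user].append((row["Object Type"], row["Object Name"], row["Role"], principal))
    return dict(per_user)

def disk_filling_grants(per_user, role_privileges):
    """Objects on which each user's role carries a DISK_FILLING privilege: {user: {(type, name)}}."""
    flagged = defaultdict(set)
    for user, grants in per_user.items():
        for obj_type, obj_name, role, _via in grants:
            if role_privileges.get(role, set()) & DISK_FILLING:
                flagged[user].add((obj_type, obj_name))
    return dict(flagged)
```

The second function is the review step the text motivates: every user it lists can consume storage on the named object, directly or through a group, and can be checked against who is actually trusted to do so.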
appendix: Perl Script for Listing all role assignments
The Perl script shown in Listing 1 makes use of the VMware Infrastructure Perl Toolkit to query VirtualCenter for a list of all the roles assigned to every object in the inventory. The resulting list should be cross-referenced with the known set of group memberships in your Active Directory environment. An example of the output is shown in Listing 2.
You can save the output as a CSV file, then open it in a spreadsheet or other tool for additional processing or analysis. In order to run this script, you must have the VMware Infrastructure Perl Toolkit installed on a system that also has Perl installed. You can find the toolkit at
Listing 1: Script to Query VirtualCenter for Roles
#!/usr/bin/perl -w
# Permission Export Utility v1.0
# Contribution by: Karl Rumelhart
# For each type of managed entity, HostSystem, VirtualMachine, Datacenter,
# Folder, ComputeResource (i.e. host or cluster), and ResourcePool, this script
# retrieves all objects of that type and then all permissions that are set on the
# objects. It prints out the Object Type, Object Name, User/Group, and Role in comma
# separated value format. This can be piped to a file ("> foo.csv" in Windows) and
# opened with Excel.
# Version History:
# V1.00 - (22 Dec 2006)
use strict;
use Getopt::Long;
use VMware::VIRuntime;

my %opts = (service_url => undef,
            userid      => undef,
            password    => undef);
GetOptions(\%opts, 'service_url=s', 'userid=s', 'password=s');
# all three options are required; print usage and stop if any is missing
if ( !(defined $opts{service_url} && defined $opts{userid} && defined $opts{password}) ) {
    help();
    exit(1);
}

# login
Vim::login(service_url => $opts{service_url},
           user_name   => $opts{userid}, password => $opts{password});

# the authorization manager is the key to getting permission info
my $auth_mgr = Vim::get_view(mo_ref => Vim::get_service_content()->authorizationManager);

# Get all roles and put them in a hash so we can easily get the name corresponding to
# a roleId
my %role_hash;
my $role_list = $auth_mgr->roleList;
foreach (@$role_list) {
    $role_hash{$_->roleId} = $_->name;
}

# Heading for csv columns
print "Object Type, Object Name, User/Group, Role" . "\n";

# for each type of managed entity run through all objects of that type and all
# permissions defined on that object and print out the corresponding Object Type,
# Object Name, User/Group, Role
my @obj_types = ('HostSystem', 'VirtualMachine', 'Datacenter', 'Folder',
                 'ComputeResource', 'ResourcePool');
foreach my $this_type (@obj_types) {
    my $obj_views = Vim::find_entity_views(view_type => $this_type);
    foreach (@$obj_views) {
        my $obj_name = $_->name;
        # inherited => 1 includes permissions propagated from parent objects
        my $perm_array = $auth_mgr->RetrieveEntityPermissions(entity => $_, inherited => 1);
        foreach (@$perm_array) {
            # print object type and name
            print $this_type . ", " . $obj_name . ", ";
            # print user/group and role
            print $_->principal . ", " . $role_hash{$_->roleId} . "\n";
        }
    }
}

# logout
Vim::logout();

sub help {
    my $help_text = <<'END';
USAGE: --service_url <SDK service URL> --userid <VC user login> --password <VC password>

perl --service_url https://localhost/sdk/vimService --userid administrator --password mypassword

The output will be in csv format. Pipe to a file to open with Excel.
END
    print $help_text;
}
Listing 2: Sample Output Listing Roles
'Object Type','Object Name','User/Group','Role'
VirtualMachine,CRM Server,Administrators,Admin
VirtualMachine,CRM Server,VCUser,VirtualMachinePowerUser
about the author
Charu Chaubal is technical marketing manager at VMware, where he specializes in enterprise datacenter management. Previously, he worked at Sun Microsystems, where he had more than seven years' experience designing and developing distributed management and grid infrastructure software solutions. He has also developed and delivered training courses on grid computing to a variety of customers and partners in the United States and abroad. Chaubal received a Bachelor of Science in Engineering from the University of Pennsylvania and a PhD from the University of California at Santa Barbara, where he studied the numerical modeling of complex fluids. He is the author of numerous publications and several patents in the fields of datacenter automation and numerical price optimization.
The author would like to thank the following for their valuable input: Doug Clark, Karl Rumelhart
VMware, Inc. 3145 Porter Drive Palo Alto CA 94304 USA Tel 650-475-5000 Fax 650-475-5001
© 2007 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242, 6,496,847, 6,704,925,
6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022, 6,961,941, 6,961,806, 6,944,699, 7,069,413;
7,082,598 and 7,089,377; patents pending.
VMware, the VMware “boxes” logo and design, Virtual SMP and VMotion are registered trademarks or trademarks of
VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be
trademarks of their respective companies.
Revision: 20070404 Item: BP-017-PRD-01-01
