
Access and Authentication Control

Module 9

© 2011 VMware Inc. All rights reserved


You Are Here

Course Introduction
Introduction to Virtualization
Virtual Machines
VMware vCenter Server
Configure and Manage Virtual Networks
Configure and Manage Virtual Storage
Managing Virtual Machines
Data Protection
Access & Authentication Control (this module)
Resource Management and Monitoring
High Availability
Scalability
Patch Management
Installing vSphere Components

VMware vSphere: Install, Configure, Manage – Revision A 9-2



Importance

When multiple users are accessing the VMware vSphere® environment, a best practice is to give each user only the necessary permissions and nothing more. VMware vCenter Server™ allows flexible assignment of permissions.



Module Lessons

Lesson 1: Configure ESXi Host Access and Authentication


Lesson 2: Configuring Roles and Permissions



Lesson 1:
Configure ESXi Host Access and
Authentication



Learner Objectives

After this lesson, you should be able to do the following:


• Configure the VMware® ESXi™ firewall by enabling and disabling services
• Enable and disable lockdown mode on an ESXi host
• Configure user logins to authenticate with directory services



Configuring the ESXi Firewall



Configuring Security Profile Services



Enabling and Disabling Lockdown Mode



Integrating ESXi with Active Directory (AD)



Using vShield to Secure the Virtual Datacenter

Securing from end to end, from the edge to the endpoint:
• VMware vShield Edge™ secures the edge of the virtual datacenter.
• vShield App and vShield Zones create segmentation between enclaves (silos) of workloads, for example DMZ, PCI, and HIPAA.
• vShield Endpoint offloads antivirus processing.
• VMware vShield Manager™ provides centralized management.



Review of Learner Objectives

You should be able to do the following:


• Configure the ESXi firewall by enabling and disabling services
• Enable and disable lockdown mode on an ESXi host
• Configure user logins to authenticate with directory services



Lesson 2:
Configuring Roles and Permissions



Learner Objectives

After this lesson, you should be able to do the following:


• Define a permission.
• Describe the rules for applying permissions.
• Create a custom role.
• Create a permission.



Access Control Overview

The access control system allows the vCenter Server administrator to define a user’s privileges to access objects in the inventory.
Key concepts:
• Privilege – Defines an action that can be performed
• Role – A set of privileges
• Object – The target of the action
• User/group – Indicates who can perform the action
Together, a role, a user or group, and an object define a permission.



Users and Groups

vCenter Server or VMware ESX®/ESXi users and groups can be local users or Active Directory domain users.
Active Directory provides authentication for all local services:
• VMware vSphere Client™
• Direct console user interface
• Technical support mode (local and remote)
• Access through the VMware vSphere API
Users who are in the Active Directory group “ESX Admins” are automatically assigned the Administrator role on the host. Membership of that domain group therefore equals full administrative access to every ESXi host joined to the domain, so control over who can modify it matters as much as the host permissions themselves.



Roles

Roles are collections of privileges:
• They allow users to perform tasks.
• The privileges are grouped in categories (Datastore, Network, Resource, Virtual machine, and so on).
Roles include system roles, sample roles, and custom-built roles.



Objects

Objects are entities on which actions are performed.


• Objects include datacenters, folders, resource pools, clusters, hosts, datastores, networks, and virtual machines.
All objects have a Permissions tab.
• This tab shows which user or group and role are associated with the selected object.



Assigning Permissions

To assign a permission:
1. Select a user or group.
2. Select a role.
3. (Optional) Propagate the permission to child objects.



Viewing Roles and Assignments

The Roles pane shows which users are assigned the selected role
on a particular object.



Applying Permissions: Scenario 1

A permission can propagate down the object hierarchy to all subobjects or it can apply only to an immediate object.

Diagram: Greg – Administrator on a parent object; Greg – No Access on one of its child objects. A permission set directly on the child overrides the one propagated from the parent, so Greg has no access to that child.



Applying Permissions: Scenario 2

When a user is a member of multiple groups with permissions on the same object:
• The user is assigned the union of privileges assigned to the groups for that object.

Diagram: two group permissions on the same object
  Group1 – VM_Power_On (custom role)      Members of Group1: Greg, Susan
  Group2 – Take_Snapshots (custom role)   Members of Group2: Greg, Carla
Greg, who is in both groups, can both power on and take snapshots; Susan can only power on and Carla can only take snapshots.



Applying Permissions: Scenario 3

When a user is a member of multiple groups with permissions on different objects:
• For each object on which the group has permissions, the same permissions apply as if they were granted directly to the user.

Diagram: two group permissions on different objects
  Group1 – Administrator   Members of Group1: Greg, Susan
  Group2 – Read-only       Members of Group2: Greg, Carla
Greg is Administrator on the object where Group1 has its permission and Read-only on the object where Group2 has its permission; each object is resolved on its own.



Applying Permissions: Scenario 4

Permissions defined explicitly for the user on an object take precedence over all group permissions on that same object.

Diagram: two group permissions and one user permission on the same object
  Group1 – VM_Power_On (custom role)      Members of Group1: Greg, Susan
  Group2 – Take_Snapshots (custom role)   Members of Group2: Greg, Carla
  Greg – Read-only
Greg gets only the Read-only role on that object; Susan and Carla keep the roles of their groups.



Creating a Role

Create roles that enable only the necessary tasks:
• Example: Virtual Machine Creator
Use folders to contain the scope of permissions:
• For example, assign the Virtual Machine Creator role to user Nancy and apply it to the Finance folder.

Virtual Machine Creator role privileges:
  Datastore > Allocate space
  Network > Assign network
  Resource > Assign virtual machine to resource pool
  Virtual machine > Inventory > Create new
  Virtual machine > Configuration > Add new disk
  Virtual machine > Configuration > Add or remove device
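The permission rules of Scenarios 1 to 4 and the folder-scoped Virtual Machine Creator permission above, modelled as an added Python example. This is not VMware code and not how vCenter Server is implemented internally; the inventory tree, the group memberships and the privilege ID strings inside the custom roles are constructed for the example. The rule it encodes is the one the slides state: the nearest object that carries a permission for the user or one of the user’s groups decides, an explicit user permission on that object beats the group permissions, otherwise the groups’ privileges are unioned, and a permission on an ancestor only counts if it was set to propagate.

```python
"""Model of vCenter Server permission resolution (added example, not VMware code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Roles as sets of privilege IDs in the vSphere "Category.Action" style.
# Administrator is modelled as a wildcard. The privilege lists of the custom
# roles are assumptions chosen to match what the slides say each role can do.
ROLES: Dict[str, FrozenSet[str]] = {
    "Administrator": frozenset({"*"}),
    "Read-only": frozenset({"System.View", "System.Read"}),
    "No Access": frozenset(),
    "VM_Power_On": frozenset({"System.View", "VirtualMachine.Interact.PowerOn"}),
    "Take_Snapshots": frozenset({"System.View", "VirtualMachine.State.CreateSnapshot"}),
    "Virtual Machine Creator": frozenset({
        "System.View", "Datastore.AllocateSpace", "Network.Assign",
        "Resource.AssignVMToPool", "VirtualMachine.Inventory.Create",
        "VirtualMachine.Config.AddNewDisk", "VirtualMachine.Config.AddRemoveDevice",
    }),
}


@dataclass
class InvObject:
    """An inventory object; permissions maps a principal to (role, propagate)."""
    name: str
    parent: Optional["InvObject"] = None
    permissions: Dict[str, Tuple[str, bool]] = field(default_factory=dict)


class Inventory:
    def __init__(self) -> None:
        self.objects: Dict[str, InvObject] = {}
        self.groups: Dict[str, Set[str]] = {}

    def add_object(self, name: str, parent: Optional[str] = None) -> None:
        self.objects[name] = InvObject(name, self.objects[parent] if parent else None)

    def add_group(self, group: str, *members: str) -> None:
        self.groups[group] = set(members)

    def assign(self, obj: str, principal: str, role: str, propagate: bool = True) -> None:
        """Create a permission: a user or group plus a role on one object."""
        if role not in ROLES:
            raise KeyError(f"unknown role {role!r}")
        self.objects[obj].permissions[principal] = (role, propagate)

    @staticmethod
    def _role_at(node: InvObject, principal: str, inherited: bool) -> Optional[str]:
        """Role held at node; a non-propagating permission is ignored on ancestors."""
        entry = node.permissions.get(principal)
        if entry is None or (inherited and not entry[1]):
            return None
        return entry[0]

    def effective_privileges(self, user: str, obj: str) -> FrozenSet[str]:
        """Walk from obj towards the root. The nearest object with a permission for
        the user or one of the user's groups decides (a child permission overrides a
        propagated parent one, Scenario 1). There, an explicit user permission beats
        every group permission (Scenario 4); otherwise the group roles are unioned
        (Scenario 2). Every object is resolved independently (Scenario 3)."""
        groups = {g for g, members in self.groups.items() if user in members}
        node, inherited = self.objects[obj], False
        while node is not None:
            user_role = self._role_at(node, user, inherited)
            if user_role is not None:
                return ROLES[user_role]
            group_roles = [r for r in (self._role_at(node, g, inherited) for g in groups) if r]
            if group_roles:
                return frozenset().union(*(ROLES[r] for r in group_roles))
            node, inherited = node.parent, True
        return frozenset()  # no permission anywhere up the tree: no access

    def can(self, user: str, obj: str, privilege: str) -> bool:
        privs = self.effective_privileges(user, obj)
        return "*" in privs or privilege in privs


def build_demo() -> Inventory:
    """Constructed sample inventory reproducing the scenarios on the slides."""
    inv = Inventory()
    for name, parent in [("Datacenter", None), ("Finance", "Datacenter"), ("fin-vm01", "Finance"),
                         ("Lab", "Datacenter"), ("lab-vm01", "Lab"), ("lab-vm02", "Lab"),
                         ("lab-vm03", "Lab")]:
        inv.add_object(name, parent)
    inv.add_group("Group1", "Greg", "Susan")
    inv.add_group("Group2", "Greg", "Carla")
    # Scenario 1: Administrator at the top, propagated; No Access on the Lab folder only
    inv.assign("Datacenter", "Greg", "Administrator")
    inv.assign("Lab", "Greg", "No Access", propagate=False)
    # Scenario 2: two groups with custom roles on the same VM, so Greg gets the union
    inv.assign("lab-vm01", "Group1", "VM_Power_On")
    inv.assign("lab-vm01", "Group2", "Take_Snapshots")
    # Scenario 4: an explicit user permission on the same object beats both groups
    inv.assign("lab-vm02", "Group1", "VM_Power_On")
    inv.assign("lab-vm02", "Group2", "Take_Snapshots")
    inv.assign("lab-vm02", "Greg", "Read-only")
    # Creating a Role: Nancy is Virtual Machine Creator, scoped to the Finance folder
    inv.assign("Finance", "Nancy", "Virtual Machine Creator")
    return inv


if __name__ == "__main__":
    demo = build_demo()
    for user, obj in [("Greg", "fin-vm01"), ("Greg", "Lab"), ("Greg", "lab-vm03"),
                      ("Greg", "lab-vm01"), ("Susan", "lab-vm01"), ("Greg", "lab-vm02"),
                      ("Nancy", "fin-vm01"), ("Nancy", "lab-vm01")]:
        print(f"{user:6} on {obj:9}: {sorted(demo.effective_privileges(user, obj))}")
```

Running the file prints the effective privilege set for each user and object pair. Two cases are worth a second look: lab-vm03 has no permission of its own, and because Greg’s No Access on the Lab folder was not propagated, the Administrator permission from the datacenter still reaches it; lab-vm01 and lab-vm02 do carry their own permissions, so the folder-level No Access never applies there either. Both are exactly the behaviour the scenarios describe, and both are easy to get wrong when a restriction is meant to cover everything below a folder.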



Lab 14

In this lab, you will manage user access permissions.


1. Configure an ESXi host to use directory services.
2. Use Active Directory accounts to verify proper access to your ESXi
host.
3. Create a custom role in the vCenter Server Appliance.
4. Assign permissions on vCenter Server inventory objects.
5. Verify permission usability.



Review of Learner Objectives

You should be able to do the following:


• Define a permission.
• Describe the rules for applying permissions.
• Create a custom role.
• Create a permission.



Key Points

• A permission is a combination of a user or group and a role that is applied to an object in the inventory.
• A permission can propagate down the object hierarchy to all subobjects or it can apply only to an immediate object.
• As a best practice, define a role using the smallest number of privileges possible for better security and added control.

