VCP6.5-DCV Objective 1.1: Role-Based Access Control - Section 1: vSphere 6.x Security - CustomNet VMware Research

Eric

Blueprint for VCP6.5-DCV Objective 1.1 Configure and Administer Role-Based Access Control

Compare and contrast propagated and explicit permission assignments  |  View/Sort/Export user and group lists  |  Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects  |  Determine how permissions are applied and inherited in vCenter Server  |  Create/Clone/Edit vCenter Server Roles  |  Configure VMware Identity Sources  |  Apply a role to a User/Group and to an object or group of objects  |  Change permission validation settings  |  Determine the appropriate set of privileges for common tasks in vCenter Server  |  Compare and contrast default system/sample roles  |  Determine the correct permissions needed to integrate vCenter Server with other VMware products

This post is under construction. Last updated: November 25, 2017.

  • Compare and contrast propagated and explicit permission assignments
  • View/Sort/Export user and group lists
  • Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
  • Determine how permissions are applied and inherited in vCenter Server

Supporting Information on Permissions from the Official vSphere 6.5 Documentation

vSphere Permissions and User Management Tasks  |  Understanding Authorization in vSphere  |  Managing Permissions for vCenter Components  |  Global Permissions  |  Using Roles to Assign Privileges  |  Best Practices for Roles and Permissions  |  Required Privileges for Common Tasks

  • Create/Clone/Edit vCenter Server Roles
  • Configure VMware Identity Sources
  • Apply a role to a User/Group and to an object or group of objects
  • Change permission validation settings
  • Determine the appropriate set of privileges for common tasks in vCenter Server

A Brief Contextualization of the Importance of Role-Based Access Control (RBAC)

RBAC is what lets less experienced or less trusted users take part in the vSphere environment with limits on what they can see and do. Those limits can be lifted gradually, up to the full "King Kong" rights that the administrator@vsphere.local account holds by default (assuming the default vsphere.local SSO domain). Keith Barker's joke and explanation for this term in his CBT Nuggets series is "Where does King Kong sleep at night? -- Anywhere he wants. He's King Kong!"

One of the most important benefits of RBAC in a vSphere environment is that it reduces the number of personnel who need access to the administrator@vsphere.local account, which should be shared only with those for whom it is absolutely necessary. The password for this account should be complex and changed often. Even where a group of fully trusted administrators should have King Kong rights, it is best to deny them the shared administrator@vsphere.local login, because otherwise there is no accounting for the actions they take while logged on to it. Instead, assign the Administrator role to each person's own named account from a configured identity source. That way the audit logs show exactly which user did what.
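An added example, written for this study guide and not part of the original post or of VMware's code: a small Python model of how vCenter resolves a user's effective privileges on an inventory object from propagated and explicit permissions. The inventory, the role contents and the principal names (alice, bob, carol, the ops and backup groups) are constructed for the example; the three resolution rules it encodes are the ones described under "Understanding Authorization in vSphere" in the documentation linked above. The `role_holders` helper at the end is the kind of check that backs the audit point made in the previous paragraph: it lists every principal that carries the Administrator role and where.

```python
"""Model of how vCenter Server resolves a user's effective privileges.

Added example for this study guide, not VMware code. It encodes three rules
from the vSphere 6.5 authorization documentation:
  1. permissions from several groups on the same object are unioned;
  2. a permission set explicitly on a child overrides anything propagated
     from its parents;
  3. a permission assigned to the user directly overrides group permissions
     on the same object.
Inventory, role contents and principal names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Role -> privilege IDs. The IDs follow vSphere's naming, but the sets are
# illustrative, not the exact contents of the built-in or sample roles.
# "*" stands for every privilege (the Administrator role).
ROLES = {
    "Administrator": {"*"},
    "No Access": set(),  # a real permission that grants nothing
    "Read-only": {"System.Anonymous", "System.Read", "System.View"},
    "Power On": {"System.View", "VirtualMachine.Interact.PowerOn"},
    "Snapshot": {"System.View", "VirtualMachine.State.CreateSnapshot"},
}


@dataclass
class Permission:
    principal: str          # "user:<name>" or "group:<name>"
    role: str               # a key of ROLES
    propagate: bool = True  # the "Propagate to children" checkbox


@dataclass
class InvObject:
    """One vCenter inventory object (datacenter, folder, VM, ...)."""
    name: str
    parent: Optional["InvObject"] = None
    permissions: list = field(default_factory=list)

    def __post_init__(self):
        self.children = []
        if self.parent is not None:
            self.parent.children.append(self)

    def grant(self, principal: str, role: str, propagate: bool = True) -> None:
        """Add a permission; vCenter keeps one per principal per object."""
        self.permissions = [p for p in self.permissions if p.principal != principal]
        self.permissions.append(Permission(principal, role, propagate))


def effective_privileges(user: str, groups: list, obj: InvObject) -> frozenset:
    """Privileges `user` (a member of `groups`) holds on `obj`.

    Walk from obj toward the root. The nearest object carrying a permission
    that applies to the user decides the outcome (rule 2); on that object a
    direct user permission wins over group permissions (rule 3), otherwise
    all matching group permissions are unioned (rule 1). Permissions on
    ancestors only count if they were set to propagate.
    """
    principals = {f"user:{user}"} | {f"group:{g}" for g in groups}
    node, inherited = obj, False
    while node is not None:
        matching = [p for p in node.permissions
                    if p.principal in principals and (p.propagate or not inherited)]
        direct = [p for p in matching if p.principal.startswith("user:")]
        chosen = direct or matching
        if chosen:
            privs = set()
            for p in chosen:
                privs |= ROLES[p.role]
            return frozenset(privs)
        node, inherited = node.parent, True
    return frozenset()  # no permission anywhere on the path: no access


def can(user: str, groups: list, obj: InvObject, privilege: str) -> bool:
    privs = effective_privileges(user, groups, obj)
    return "*" in privs or privilege in privs


def role_holders(root: InvObject, role: str) -> list:
    """Audit helper: (object, principal) pairs that carry `role`, top-down."""
    found = [(root.name, p.principal) for p in root.permissions if p.role == role]
    for child in root.children:
        found.extend(role_holders(child, role))
    return found


# Constructed inventory, mirroring the examples in the VMware documentation.
ROOT = InvObject("vCenter")
FOLDER = InvObject("VM Folder", ROOT)
VM_A = InvObject("VM A", FOLDER)
VM_B = InvObject("VM B", FOLDER)

ROOT.grant("user:administrator@vsphere.local", "Administrator")
ROOT.grant("user:carol", "Administrator", propagate=False)  # root object only
FOLDER.grant("group:ops", "Power On")        # propagates to VM A and VM B
FOLDER.grant("group:backup", "Snapshot")     # propagates to VM A and VM B
VM_B.grant("group:backup", "Read-only")      # explicit on the child object
FOLDER.grant("user:bob", "No Access")        # bob is in ops, but user beats group

if __name__ == "__main__":
    for user, groups in (("alice", ["ops", "backup"]), ("bob", ["ops"]), ("carol", [])):
        for obj in (ROOT, FOLDER, VM_A, VM_B):
            print(f"{user:6} on {obj.name:10}: {sorted(effective_privileges(user, groups, obj))}")
    print("Administrator held by:", role_holders(ROOT, "Administrator"))
```

Running it shows the three rules side by side: alice gets the union of Power On and Snapshot on VM A, but only Read-only on VM B because the explicit child permission replaces everything propagated from the folder; bob gets nothing anywhere under the folder even though his ops group has Power On there, because his direct No Access permission wins; carol is an administrator on the vCenter root object only, since her permission does not propagate. Note that "No Access" and "no permission at all" both come back as an empty set, which is also how they behave in the client.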

  • Compare and contrast default system/sample roles
  • Determine the correct permissions needed to integrate vCenter Server with other VMware products

Supporting Information on Privileges from the Official vSphere 6.5 Documentation

Defined Privileges [Full List].  Examples:  Certificates Privileges  |  Datacenter Privileges  |  Datastore Privileges  |  Datastore Cluster Privileges  |  Distributed Switch Privileges  |  ESX Agent Manager Privileges  |  Folder Privileges  |  Global Privileges  |  Host Configuration Privileges  |  Host Inventory Privileges  |  Host Profile Privileges  |  Network Privileges  |  Performance Privileges  |  Permissions Privileges  |  Profile-driven Storage Privileges  |  Resource Privileges  |  Virtual Machine Configuration Privileges  |  Virtual Machine Guest Operations Privileges  |  Virtual Machine Inventory Privileges  |  Virtual Machine Provisioning Privileges  |  Virtual Machine Snapshot Management Privileges  |  dvPort Group Privileges

Resources

Official Resource Used for Exam Objective 1.1

VMware Technical Papers Specific to vSphere Security

General Links

Internal Links

VMware Tech Pubs. (September 30, 2013). "Roles, Privileges and Permissions in the vSphere Web Client" [4-minute video by Peter Shepherd]. Retrieved from https://www.youtube.com/watch?time_continue=1&v=hl-JUWij7XE
