
VM Access Control

Module 7

VMware Infrastructure 3: Install and Configure – Rev B


Copyright © 2006 VMware, Inc. All rights reserved. 7-1
You are here

[Figure: course roadmap with the columns Virtual Infrastructure, Virtual Machines and Operations; this module is VM Access Control.]

Importance and module objectives

• Importance
  • When there are multiple users accessing the virtual infrastructure, it is a good idea to give each user only the necessary permissions, nothing more. VirtualCenter permissions allow quite a bit of flexibility in these assignments.
• Objectives for the learner
  • Create VirtualCenter permissions
  • Create ESX Server permissions
  • Manage access to VMs using Web Access

Module lessons

• Lesson 1: VMware Infrastructure User Access
• Lesson 2: Accessing VMs using Web Access

Lesson 1: VMware Infrastructure User Access

Lesson topics

• Security model
• VirtualCenter permissions
• ESX Server permissions

Security model overview

[Diagram: User + Role (a set of Privileges) = Permission]

Types of users

VirtualCenter users and groups are those from the VC server’s domain

ESX Server users and groups are those defined in its service console

No attempt is made to reconcile these users and groups

Privileges

• A privilege allows a user to perform a pre-defined task.
• Privileges are grouped into categories and subcategories
• A collection of privileges is a role.
• A role can be propagated downwards, to its child objects

Roles

ESX Server and VirtualCenter come with their own set of default roles

• Default ESX Server user and group roles
  • No Access
  • Read-Only
  • Administrator
• Default VirtualCenter user and group roles
  • Virtual Machine Administrator
  • Datacenter Administrator
  • Virtual Machine Power User
  • Virtual Machine User
  • Resource Pool Administrator
• Create your own roles for either ESX Server or VirtualCenter users and groups
  • Night-shift Operator
  • Backup Administrator

Permission
• A user/role pairing assigned to a VMware Infrastructure
inventory object
• Can be optionally propagated downwards through the inventory

Greg – Datacenter Administrator

Susan – Resource Pool Administrator

Carla – Virtual Machine Power User
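
Added example (not from the VMware course material): a small Python model of how a permission, a user/role pairing on an inventory object, resolves with propagation on or off. The privilege names, the inventory objects and the rule that the nearest permission on the path to the root wins are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Roles are named sets of privileges. Privilege names are invented placeholders.
ROLES = {
    "Datacenter Administrator": {"vm.power", "vm.console", "pool.edit", "datacenter.edit"},
    "Resource Pool Administrator": {"vm.power", "vm.console", "pool.edit"},
    "Virtual Machine Power User": {"vm.power", "vm.console"},
    "No Access": set(),
}

@dataclass
class Node:
    """One inventory object (datacenter, resource pool, VM)."""
    name: str
    parent: "Node | None" = None
    # user -> (role, propagate), as assigned directly on this object
    permissions: dict = field(default_factory=dict)

    def grant(self, user, role, propagate=True):
        self.permissions[user] = (role, propagate)

def effective_role(node, user):
    """Walk from the object towards the root; the nearest applicable permission wins (assumed rule)."""
    current = node
    while current is not None:
        if user in current.permissions:
            role, propagate = current.permissions[user]
            # A permission covers its own object, and descendants only when propagated.
            if current is node or propagate:
                return role
        current = current.parent
    return "No Access"  # nothing on the path grants this user anything

def can(node, user, privilege):
    """True if the user's effective role on this object contains the privilege."""
    return privilege in ROLES[effective_role(node, user)]

# Constructed sample inventory, using the user names from the slide.
dc = Node("Datacenter")
pool = Node("Pool-A", parent=dc)
vm1 = Node("VM-1", parent=pool)
vm2 = Node("VM-2", parent=pool)
dc.grant("Greg", "Datacenter Administrator")                        # propagates to everything below
pool.grant("Susan", "Resource Pool Administrator", propagate=False)  # pool only
vm1.grant("Carla", "Virtual Machine Power User")                     # one VM only
```

Granting at the lowest object that works, as with Carla on VM-1, keeps a user's reach limited to what the permission was meant for; a propagated grant high in the inventory, as with Greg, reaches every child object.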

VirtualCenter security model

[Diagram: Active Directory (user) + VirtualCenter (role, privileges) = permission]

Default permissions for VirtualCenter
• Local Administrators group is assigned the Administrator
role at the topmost level in the inventory

ESX Server security model

[Diagram: Service console (user) + ESX Server (role, privileges) = permission]

Default permissions for ESX Server
• Service console users, vpxuser and root, are assigned the
Administrator role at the ESX Server level

Labs for lesson 1

1. Accessing Virtual Machines in VirtualCenter
  • In this lab, you will perform the following tasks:
    • Create a VirtualCenter permission using an existing role
    • Create a VirtualCenter permission using a custom role

2. Accessing Virtual Machines on the ESX Server
  • In this lab, you will perform the following task:
    • Create an ESX Server permission using an existing role

Lesson summary

• A VirtualCenter user is a Windows user, either local or domain-based
• An ESX Server user is a Linux user, defined in the service console
• A permission is a role assigned to a user/group and is applied to an object in the inventory

Lesson 2: Accessing VMs Using Web Access

Lesson topics

• Logging into Web Access
• Web Access functionality

What is Web Access?
• A browser-based application that focuses on managing VMs on ESX Server and VirtualCenter deployments
• Benefits:
  • Administrators can provide end users access to VMs
  • Users do not need to install the VI client onto their desktop
  • Client devices allow users to use their local floppy and CD/DVD
    • Eliminates the need to access these drives on the ESX Server host

[Diagram: Web Access (Apache Tomcat Service), with labels marking where Web Access is installed]

Log into Web Access

Log into Web Access (2)

• If logging into VirtualCenter, enter a VirtualCenter user account and password
• If logging into an ESX Server directly, enter an ESX Server user account and password

Web Access tasks

• View a VM’s console
• View VMs and their details
• Perform power operations and other VM tasks

Generate remote console URL

• Way to provide access to a VM through a URL
• Useful for including in an e-mail message

Activity

• Using Web Access
  • Take a few minutes to explore the Web Access interface:
    • Log into Web Access on the VirtualCenter Server and perform a few tasks on your virtual machines
    • Log into Web Access on the ESX Server and perform a few tasks on your virtual machines

Module summary

• A permission is a pairing of a user and a role
• A role is a set of pre-defined privileges
• VirtualCenter users are different from ESX Server users
• Web Access is used to manage VMs, not ESX Server hosts

Questions?
