上QQ阅读APP看书,第一时间看更新
Determine the appropriate set of privileges for common tasks in vCenter Server
Many tasks require permissions on multiple objects in the inventory. Without all of them, the task cannot be completed successfully.
The vSphere 6.5 Security Guide ( https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-4D0F8E63-2961-4B71-B365-BBFA24673FDB.html) contains several examples of combined sets of permissions required for common tasks, with some hints on how to manage permissions to perform generic tasks.
The following table, from the VMware guide, shows some examples of common VM administration tasks with their required privileges, and, where applicable, the appropriate sample roles that can be used (instead of configuring the single privileges):
Task Required privileges Applicable role
Create a VM
On the destination folder or data center:
- Virtual machine | Inventory | Create new
- Virtual machine | Configuration | Add new disk (if creating a new virtual disk)
- Virtual machine | Configuration | Add existing disk (if using an existing virtual disk)
- Virtual machine | Configuration | Raw device (if using an RDM or SCSI pass-through device)
Administrator
On the destination host, cluster, or resource pool, navigate to Resource | Assign virtual machine to resource pool Resource pool administrator or administrator
On the destination data store or the folder that contains the data store, navigate to Datastore | Allocate space Data store consumer or administrator
On the network that the VM will be assigned to, navigate to Network | Assign network Network consumer or administrator
Power on a VM
On the data center in which the VM is deployed, navigate to Virtual machine | Interaction | Power On
VM power user or administrator
On the VM or the folder of VMs, navigate to Virtual machine | Interaction | Power On
Deploy a VM from a template
On the destination folder or data center, navigate to Virtual machine | Inventory | Create from existing or Virtual machine | Configuration | Add new disk
Administrator
On a template or folder of templates, navigate to Virtual machine | Provisioning | Deploy template
On the destination host, cluster, or resource pool, navigate to Resource | Assign virtual machine to resource pool
On the destination data store or folder of data stores, navigate to Datastore | Allocate space
Data store consumer or administrator
On the network that the VM will be assigned to, navigate to Network | Assign network
Network consumer or administrator
Take a VM snapshot On the VM or a folder of virtual machines, navigate to Virtual machine | Snapshot management | Create snapshot VM power user or administrator
Install a guest operating system on a VM
On the VM or folder of VMs, navigate to:
- Virtual machine | Interaction | Answer question
- Virtual machine | Interaction | Console interaction
- Virtual machine | Interaction | Device connection
- Virtual machine | Interaction | Power Off
- Virtual machine | Interaction | Power On
- Virtual machine | Interaction | Reset
- Virtual machine | Interaction | Configure CD media (if installing from a CD) or
Configure floppy media (if installing from a floppy disk) - Virtual machine | Interaction | VMware Tools install
VM power user or administrator
On a data store that contains the installation media ISO image, navigate to Datastore | Browse datastore (if installing from an ISO image on a data store)
On the data store to which you upload the installation media ISO image, navigate to Datastore | Browse datastore or Datastore | Low level file operations
Migrate a VM with vMotion
On the VM or folder of VMs, navigate to:
- Resource | Migrate powered on virtual machine
- Resource | Assign Virtual Machine to Resource Pool (if the destination is a different resource pool from the source)
Resource pool administrator or administrator
On the destination host, cluster, or resource pool (if they are different from the source), navigate to:
- Resource | Assign virtual machine to resource pool
Cold migrate (relocate) a VM
On the VM or folder of VMs, navigate to:
- Resource | Migrate powered off virtual machine
- Resource | Assign virtual machine to resource pool (if the destination is a different resource pool from the source)
Resource pool administrator or administrator
On the destination host, cluster, or resource pool (if different from the source), navigate to:
- Resource | Assign virtual machine to resource pool
On the destination data store (if it is different from the source), navigate to Datastore | Allocate space
Data store consumer or administrator
Migrate a VM with Storage vMotion
On the VM or folder of VMs, navigate to Resource | Migrate powered on virtual machine Resource pool administrator or administrator
On the destination data store, navigate to Datastore | Allocate space Data store consumer or administrator
Table 1.3: Required privileges for common tasks
These are just examples, but in most cases, you will need to build your own custom role (or set of roles).
Other software or solutions based on vSphere may specify the right privileges that are needed in order to build custom roles with minimum privileges.