carloscastilla - Fotolia


Customize vCenter roles and SCVMM permissions

Managing a virtual data center can be a daunting task, but bringing in additional assistance by temporarily granting administrative privileges to IT staff can help relieve the stress.

Managing a virtual data center can be a big job, and it's common for administrators to need some extra help. Of course, other members of the IT staff are only able to help if they have been granted the proper permissions, and granting someone full administrative privileges might not be an option. After all, larger IT shops use siloed administrative responsibilities for a reason. Fortunately, it is often possible to grant someone a limited set of permissions so they can complete the required task without being given full administrative privileges.

Exploring vCenter roles and permissions

The actual permissions models vary from one hypervisor to the next, but the major hypervisor vendors allow for fine-grained control over administrative privileges. VMware, for example, supports the use of roles and permissions that can be assigned through vCenter Server. VCenter includes three default roles and also allows for the creation of custom roles. These custom vCenter roles do not inherit any of the privileges that are associated with the system roles, so you will need to explicitly specify the permissions that should be assigned.

The three default vCenter roles are the Administrator Role, the No Access Role and the Read-Only role. While these roles sound like blanket permissions, vCenter roles and permissions can be applied at a granular level. Permissions can be applied to managed entities such as data stores, hosts and resource pools. In some cases, it is necessary to use the concept of inheritance in order to assign permissions. For instance, vSphere documentation indicates that although distributed switches do not appear on the list of managed entities, it is possible to grant permissions for distributed switches by assigning permissions to the parent object and propagating the permissions to child objects.

Creating custom roles in SCVMM

Although the implementation differs, Microsoft also utilizes the concept of role-based access control. Role profiles are assigned through System Center Virtual Machine Manager (SCVMM),  Microsoft's preferred management tool for Hyper-V.  Only the Administrator role exists by default, but administrators are able to define custom roles by opening the Virtual Machine Manager Console, going to the Settings workspace, and clicking on the Create User Role button, found on the toolbar. Doing so launches the Create User Role Wizard.

Role assignments are based around the use of role profiles. Virtual Machine Manager provides four built-in role profiles including Fabric Administrator, Read-Only Administrator, Tenant Administrator and Application Administrator. The Fabric Administrator role profile is roughly equivalent to VMware's Administrator Role. A Fabric Administrator is essentially an administrator who has been granted administrative control over a specific collection of objects. These objects can be selected through the Create User Role Wizard.

The Read-Only Administrator role is similar to VMware's Read-Only role. Administrators who have been granted this role are able to view the properties and status of specific objects for which they have been assigned permission.

The Tenant Administrator and Application Administrator roles are used in private cloud environments. A Tenant Administrator is able to manage self-service users and create and manage virtual machines within a predefined scope. Application Administrators are self-service users who have been granted permission to create and manage their own VMs within a limited scope.

Each custom user role must be assigned one of the previously mentioned role profiles. As you would probably expect, Active Directory users can be assigned directly to the user role, thereby applying the role to those users. Assigning a user role to a user, however, does not grant the user unlimited access to the virtualization infrastructure. User roles can be restricted based on the resources that the role members should be allowed to manage. These restrictions can be based on scope, library servers, Run-As account use or any combination of the three.

The role's scope is defined as the host groups that role members should be allowed to manage. The Create User Role Wizard allows administrators to select one or more host groups. It is worth noting that no host groups are selected by default.

The wizard also allows role members to be restricted to using specific library servers. By doing so, it is possible to control which VM templates and ISO files the role members have access to. The wizard does not provide library server access by default. It is up to the administrator to specify the library servers that the role members should be allowed to access.

Finally, administrators are able to restrict RunAs account usage. Some administrative functions within Virtual Machine Manager require the use of a RunAs account. By restricting the use of Run-As accounts, administrators can limit the tasks that role members are able to perform. The wizard does not provide role members with Run-As account access unless the administrator specifically grants access.

VMware and Microsoft eah provide a rich permissions model, as do some other hypervisor vendors. By customizing SCVMM and vCenter roles and permissions, it is possible to grant limited administrative control over specific objects within the virtualization infrastructure.

Next Steps

How SCVMM can support a bare-metal hypervisor deployment

Reduce the headache of managing multiple hypervisors

Updates to vCenter Server Appliance pique interest

Dig Deeper on VMware management tools