Hi!
I have been given a task to modify permissions on a couple of highly important VMs, so that almost all security groups from our ADMIN domain that have permissions today will be denied access to open the console.
The groups that give permissions today are inherited from the vCenter level, clusters, folders and so on.
I wanted to use the roles if possible to deny the access to the console, but is that possible?
What about the role "No access"? I think it's fine to deny access to everything, not only the console.
But I have to keep in mind my own group; I am a member of several groups, so that I don't lock myself out with deny permissions.
Hello,
It is possible to deny just console access to anyone:
Virtual Machine -> Interaction -> Console Interaction
Virtual Machine -> Interaction -> Record Session on Virtual Machine
However, I would create a user you can log in as to use the console as needed. Sometimes things can only be fixed if you can log in to the console, such as bad network devices, etc. There are still needs. Something like Username-Console, for each user who may need this. Just limit this and use advanced logging to track such usage.
I would not use No Access for administrators, only for everyone else.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009-2016
Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast
OK, so how could I use Virtual Machine -> Interaction -> Console Interaction to deny all the people from Active Directory groups that have this permission today? It looks like it is only possible to grant the permission, not deny it, by checking the mark next to the permission.
Hello,
You need new rules. Everything checked but these. I.e. take the Administrator role, make a copy and remove those rules. Apply that from the top against all admins. You may also be able to gain refinement by using a tool like HyTrust Cloud Control. It responds to typical AD approaches for all roles within vCenter.
There is no 'refinement' within vCenter.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009-2016
Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast
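The procedure from the two answers above (clone the Administrator role without the two console privileges, then apply the copy directly on the protected VMs so it overrides the permissions inherited from vCenter, clusters and folders) as a PowerCLI script. This is an added example, not from the thread or from VMware; it assumes an open Connect-VIServer session, that Get-VIRole returns the built-in Administrator role under its internal name 'Admin', that Get-VIPermission -Entity also lists permissions inherited from parent objects, and the VM, group and role names are placeholders.

```powershell
# Added example, not from the thread. Assumes a PowerCLI session is already open
# (Connect-VIServer) with rights to manage roles and permissions. The VM name,
# group name and new role name are placeholders to replace.

# Privilege IDs behind "Virtual Machine -> Interaction -> Console Interaction"
# and "Virtual Machine -> Interaction -> Record Session on Virtual Machine"
$consolePrivileges = @(
    'VirtualMachine.Interact.ConsoleInteract',
    'VirtualMachine.Interact.Record'
)

# 1. Clone the built-in Administrator role (internal name 'Admin'; assumption)
#    keeping every privilege except the two console ones
$adminRole = Get-VIRole -Name 'Admin'
$keepIds   = $adminRole.PrivilegeList | Where-Object { $consolePrivileges -notcontains $_ }
$noConsole = New-VIRole -Name 'Admin-NoConsole' -Privilege (Get-VIPrivilege -Id $keepIds)

# 2. On each protected VM, override the inherited Administrator permission of
#    every group except your own. A permission defined directly on the VM takes
#    precedence over one propagated from vCenter, cluster or folder for the
#    same principal, which is what makes the "deny" work in a grant-only model.
#    Assumption: Get-VIPermission -Entity returns inherited permissions as well.
$protectedVms = Get-VM -Name 'PLACEHOLDER-VM-1', 'PLACEHOLDER-VM-2'
$myGroup      = 'ADMIN\PLACEHOLDER-MY-GROUP'   # the group you must not lock out

foreach ($vm in $protectedVms) {
    $adminPerms = Get-VIPermission -Entity $vm |
        Where-Object { $_.Role -eq 'Admin' -and $_.Principal -ne $myGroup }
    foreach ($perm in $adminPerms) {
        # Non-propagating: the override is scoped to this VM only
        New-VIPermission -Entity $vm -Principal $perm.Principal -Role $noConsole -Propagate:$false
    }
}

# 3. Verify: the new role must not carry either console privilege, and each
#    VM should now show the restricted role for the overridden groups
$leak = (Get-VIRole -Name 'Admin-NoConsole').PrivilegeList |
    Where-Object { $consolePrivileges -contains $_ }
if ($leak) { throw "Role still grants: $($leak -join ', ')" }
Get-VIPermission -Entity $protectedVms | Select-Object Entity, Principal, Role, Propagate
```

Run step 3's Get-VIPermission listing on its own first to review which groups actually reach the VMs and confirm that $myGroup matches your own principal exactly before creating any permissions; keep a second session open as your own account while applying the change so a mistake in the filter cannot lock you out.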