VMware Cloud Community
sysjno
Contributor

Allow users to only manage their own VMs?

How do I allow a given user to create, manage, and destroy VMs without being able to affect any other VMs?

4 Replies
itpassionate77
Enthusiast

Hi,

For me, the best option is to integrate your vSphere environment in Active Directory or other LDAP.

By doing this you define vSphere permissions to Active Directory security groups.

But be careful, permissions on vSphere can be destructive if they are not well designed.

How do permissions work in vSphere?

In the vSphere client, you can assign permissions on VMs or folders only from the "VMs and Templates" view. Of course, if you're familiar with PowerCLI, you can also do it via this tool.

You need to understand the permissions mechanism in vSphere, which is composed of the following components:

  • Privileges
  • Roles
  • Permissions
  • Security Group

In a practical way, you define a role where you configure different privileges (be very careful with the ones you select). Then, you define permissions on a folder or VM by defining which role you will link to an Active Directory security group, and done!

If you are not familiar with this procedure, I suggest you create a lab and test it.

You can find alternative documentation for this here: VMware vSphere 5.1

Hope it will help,

Regards,

Michaël

DeepakNegi420
Contributor

You will need to set up permissions at the VM folder level, which you can find in the VMs and Templates view. For me the best way would be using Active Directory security groups and having the roles assigned appropriately. If you want to isolate the other VM infrastructure from these users, then you would have to create separate datastores and provide them access at your networking level so that they can add and modify the networks on VMs.

1- Create AD groups

2- Create custom roles based on your requirement in vCenter

3- Add AD group to custom role

4- Create a folder in Datastore view and add the datastores which you want to be managed by those users

5- Grant the permission on the datastore folder so they can add and remove VMDKs on VMs.

6- Give permission on your network vSwitch or dvSwitch to allow the group to select or modify VM networking

Hope this helps.

Regards,

Deepak Negi

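The procedure described in the two replies above (custom role, VM folder, scoped datastore and network permissions), written out in PowerCLI as an added example; this is not code from either poster. The vCenter address, datacenter, folder, datastore and port group names and the group `vsphere.local\vm-owners` are placeholders (the group could equally come from an LDAP identity source), and the privilege IDs should be checked against the security guide for your vSphere version.

```powershell
# Added example (not from the thread). Assumes VMware PowerCLI is installed and
# the names below are replaced with real ones.
Connect-VIServer -Server 'vcsa.example.com'            # placeholder vCenter

$group = 'vsphere.local\vm-owners'                       # placeholder group

# Step 2: a custom role with the minimum VM privileges (System.* read
# privileges are always included in every role by vCenter).
$vmPrivIds = @(
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Inventory.CreateFromExisting',
    'VirtualMachine.Inventory.Delete',
    'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.CPUCount',
    'VirtualMachine.Config.Memory',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.ConsoleInteract',
    'Resource.AssignVMToPool',
    'Datastore.AllocateSpace',
    'Network.Assign'
)
$vmRole = New-VIRole -Name 'VM-Owner' -Privilege (Get-VIPrivilege -Id $vmPrivIds)

# Step 3: a folder that holds only this group's VMs. The permission propagates
# to the VMs inside it, and nothing is granted above the folder.
$dc       = Get-Datacenter -Name 'DC01'                                  # placeholder
$vmRoot   = Get-Folder -Name 'vm' -Location $dc -Type VM
$vmFolder = New-Folder -Name 'TeamA-VMs' -Location $vmRoot              # placeholder
New-VIPermission -Entity $vmFolder -Principal $group -Role $vmRole -Propagate:$true

# Steps 4-6: supporting objects get separate, narrower roles so the group can
# place disks and attach networks without managing those objects themselves.
$dsRole  = New-VIRole -Name 'VM-Owner-Datastore' `
               -Privilege (Get-VIPrivilege -Id 'Datastore.AllocateSpace','Datastore.Browse')
$netRole = New-VIRole -Name 'VM-Owner-Network' -Privilege (Get-VIPrivilege -Id 'Network.Assign')
$rpRole  = New-VIRole -Name 'VM-Owner-Compute' -Privilege (Get-VIPrivilege -Id 'Resource.AssignVMToPool')

New-VIPermission -Entity (Get-Datastore -Name 'TeamA-DS') -Principal $group -Role $dsRole  -Propagate:$false
New-VIPermission -Entity (Get-VirtualPortGroup -Name 'TeamA-Net') -Principal $group -Role $netRole -Propagate:$false
New-VIPermission -Entity (Get-ResourcePool -Name 'TeamA-Pool') -Principal $group -Role $rpRole -Propagate:$false

# Check: list what the group can now see; anything outside these objects
# means a permission was set too high in the inventory.
Get-VIPermission -Principal $group | Select-Object Entity, Role, Propagate
```

Use `Get-VDPortgroup` instead of `Get-VirtualPortGroup` when the network lives on a distributed switch.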
sysjno
Contributor

We do not have Active Directory. We aren't a Windows shop. We do have an LDAP server, and I have another question open about how to configure ESXi to query / authenticate against it... I have not yet found clear instructions. Under "Authentication Services" there's a choice between Local Authentication and Active Directory. As AD is not an option, if I can't use LDAP then I'm back to local auth even if using AD is "better"... it just isn't going to happen 🙂

itpassionate77
Enthusiast

Please read this documentation from VMware: https://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-securi...

I have no details about your environment, so sorry if the documentation is not directly linked to yours, but as you posted this topic in the ESXi 6 channel, I believe the documentation will help you.

As you know, since vSphere 5.1, vCenter SSO has been integrated in the vSphere package. SSO permits you to create an Identity Source that is not a Windows Active Directory domain (happy you, if I read your posts correctly!!!)

When you install SSO, it creates a default domain which is "vsphere.local". As in all domains, Windows or OpenLDAP, you can create users for which you can define roles and permissions.

But as SSO can be linked to external Identity sources, you can configure it to be linked to:

  • MS Active Directory
  • Open LDAP domain
  • MS Active Directory over LDAP
  • Local OS operating system where SSO is installed

For very detailed information, please read the documentation mentioned earlier, on page 30.

I hope it will help you,

Regards
