VMware Cloud Community
jenner43201

Help to create User and custom Role to allow SSH and esxcli commands (non-admin role)

Hello,

I own/maintain a group of ESXi 6.5 servers, but have little experience with User/Role administration. An internal group to my company needs temporary credentials to map out all server network settings. This internal group has asked all owners to provide temporary credentials or give out the root/admin credentials. I hesitate to give that out, but most admins have done so. I'd like to provide a temporary credential that meets their requirements.

The internal team needs SSH access to the VM Host to run esxcli commands to get network, MAC, and driver info. The VMHost comes with default roles (Admin, Read-Only, etc.). I'd rather not give this temp account the Admin role, so I'd like to create a custom Role. What custom Role settings do I need to allow SSH access and perform some esxcli commands (especially network commands)?

I know I can add a user via the ESXi GUI or command line (https://blogs.virtualmaestro.in/2016/02/12/how-to-add-local-account-in-esxi-shell/).  

Thanks.

Accepted Solutions
mannharry

Hello 

SSH access is the most privileged access; there is no segregation whereby certain users can run certain commands while others can run all commands.

The root user and users with the Administrator role can access the ESXi Shell. Users who are in the Active Directory group ESX Admins are automatically assigned the Administrator role. By default, only the root user can run system commands (such as VMware -v) by using the ESXi Shell.

https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.html.hostclient.doc/GUID-12E27BF3-3...

So, in case you want to give certain users access to check some of the network, datastore, etc. details, the best is to create roles in the Host Client and assign permission to the local users or the AD users (if the host is integrated with AD) from the GUI.

These users can log in to the Host Client and get the details.

 

Thanks 
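The approach the accepted answer recommends (a dedicated, restricted account for the audit team instead of handing out root) can also be carried out from the ESXi shell with esxcli rather than the Host Client. The script below is an added example, not code from the thread or from VMware; it assumes an ESXi 6.x shell where the `esxcli system account` and `esxcli system permission` namespaces exist, and the user name, password, description and the `DRY_RUN` switch are constructed for illustration.

```shell
#!/bin/sh
# Added example: create a temporary local ESXi user with the built-in
# ReadOnly role (Host Client read access, no shell/SSH), and remove it
# again when the audit is over. Assumes ESXi 6.x esxcli namespaces.

ESXCLI="${ESXCLI:-esxcli}"

# Execute the command, or only print it when DRY_RUN=1 or when esxcli is
# not on this machine, so the exact invocations can be reviewed first.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! command -v "$ESXCLI" >/dev/null 2>&1; then
        printf 'DRY-RUN:'
        printf ' %s' "$@"
        printf '\n'
    else
        "$@"
    fi
}

# $1 = user id, $2 = one-time password, $3 = description.
# The role is deliberately fixed to ReadOnly: esxcli only offers the
# built-in Admin, ReadOnly and NoAccess roles here, and ReadOnly is the
# least privilege that still lets the user read host details in the GUI.
create_temp_readonly_user() {
    run_cmd "$ESXCLI" system account add \
        --id="$1" --password="$2" --password-confirmation="$2" \
        --description="$3" || return 1
    run_cmd "$ESXCLI" system permission set --id="$1" --role=ReadOnly
}

# Show who currently holds which role on the host, to verify the result.
list_permissions() {
    run_cmd "$ESXCLI" system permission list
}

# Remove the temporary account once the credential is no longer needed.
remove_temp_user() {
    run_cmd "$ESXCLI" system account remove --id="$1"
}

# Constructed sample run; set DRY_RUN=1 to preview without changing the host.
create_temp_readonly_user netaudit 'Tmp-Pass-1' 'temporary network audit'
list_permissions
```

Run `remove_temp_user netaudit` when the audit team hands the credential back.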
