I have a few accounts in SSO that have full privileges to do anything in SSO. However, only administrator@vsphere.local has any permissions in vCenter Server. Do the accounts that have full privileges in SSO, but are not given any privileges in vCenter, represent a vulnerability to vCenter if compromised, or just to SSO?
If you have an account with full privileges in SSO then even if they don't have permissions on vCenter they could compromise the administrator@vsphere.local account (change password for example) and get full access.
mike
Hello,
I would think just to SSO. But I think we should get another opinion here.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011, 2012, 2013, 2014
Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast
Thanks!