VMware Cloud Community
ouch
Contributor

vCenter security - limiting devs to one Resource Pool

I'd like to set up a role that limits a team of developers to one resource pool. I'd like them to be able to create virtual machines, and modify them, upload files to the datastores, and generally do all the things devs need to do, but keep them in a sandpit limited to a resource pool. I don't want them to be able to play with VMs in other resource pools, nor have admin access to other stuff within the vCenter Datacentre.

Is this possible, or should I create a second Datacentre and use that for the developers?

I am fairly new to vCenter, so feel free to correct any incorrect concepts in my thinking :)


Accepted Solutions
Texiwill
Leadership

Hello,

Yes this is possible. I do it myself.

The key is to make a folder that matches your resource pools, as permissions on resource pools do not always translate to permissions on VMs. Since you are talking about VMs and resource pools, you need several constructs.

The first is to limit what resource pools they can even see; do this by placing a role and permission on the specific resource pool.

The second is to limit what VMs they can even see/affect; do this by placing a role and permission on the specific folder that mimics the resource pool.

Furthermore, you want to apply network and other permissions, limiting what vswitches they can see when they create a VM, etc.

It is all possible but gets complex pretty quickly.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links
Virtualization Security Round Table Podcast (http://www.astroarch.com/wiki/index.php/Virtualization_Security_Round_Table_Podcast)

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
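
The scoped grants described in the accepted answer above, sketched in PowerCLI as an added example that is not part of the original post. It assumes an existing `Connect-VIServer` session; the object names (`Dev`, `dev-ds01`, `dev-net`), the principal `EXAMPLE\dev-team`, the `Dev-*` role names, the privilege selection and the use of a distributed port group are all placeholders chosen for illustration.

```powershell
# Added example. All names below are placeholders, not values from the thread.
$ErrorActionPreference = 'Stop'
$principal = 'EXAMPLE\dev-team'

# One narrow role per object type, so no grant carries privileges it does not need.
$privileges = @{
    Pool    = @('Resource.AssignVMToPool')
    Folder  = @('VirtualMachine.Inventory.Create',
                'VirtualMachine.Inventory.Delete',
                'VirtualMachine.Interact.PowerOn',
                'VirtualMachine.Interact.PowerOff',
                'VirtualMachine.Interact.ConsoleInteract',
                'VirtualMachine.Config.AddNewDisk',
                'VirtualMachine.Config.CPUCount',
                'VirtualMachine.Config.Memory')
    Storage = @('Datastore.AllocateSpace',
                'Datastore.Browse',
                'Datastore.FileManagement')
    Network = @('Network.Assign')
}

# The resource pool lives in the Hosts/Clusters view, the folder in the
# VMs/Templates view. Both need a grant, because a permission on the pool
# alone does not reliably reach the VMs running in it.
$targets = @{
    Pool    = Get-ResourcePool -Name 'Dev'
    Folder  = Get-Folder -Name 'Dev' -Type VM
    Storage = Get-Datastore -Name 'dev-ds01'
    Network = Get-VDPortgroup -Name 'dev-net'   # assumes a distributed port group
}

foreach ($kind in $privileges.Keys) {
    $role = New-VIRole -Name "Dev-$kind" `
                       -Privilege (Get-VIPrivilege -Id $privileges[$kind])
    New-VIPermission -Entity $targets[$kind] -Principal $principal `
                     -Role $role -Propagate $true | Out-Null
}

# Audit: the team should appear on exactly these four entities and nowhere else.
Get-VIPermission -Principal $principal |
    Sort-Object Entity |
    Format-Table Entity, Role, Propagate -AutoSize
```

Re-running the final `Get-VIPermission` query periodically is a cheap check for scope creep: any row outside the four expected entities means the group has picked up access beyond its sandbox.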

ouch
Contributor

Ah yes, thank you. I was starting to see the complexities, but your summary makes it much clearer.

You also introduced me to a new concept, folders within a datacenter. My solution so far has been to keep all the dev stuff in a separate datacenter, but it appears I can add clusters, hosts and resource pools within a folder, still in the same datacentre, and apply permissions to that folder only.

What, if any, are the differences/advantages of doing this vs. having a separate datacenter?

Texiwill
Leadership

Hello,

There are several mixed up concepts here....

There are Host/Cluster Views which include Resource Pools

There are Virtual Machine/Template Views which include Folders

You will want your 'folder constructs' to match your 'Resource Pool' constructs.

There are Data Centers which contain Hosts, Clusters, Virtual Machines and Templates.

Multiple Datacenters require multiple hosts....


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

ouch
Contributor

"There are several mixed up concepts here....

There are Host/Cluster Views which include Resource Pools

There are Virtual Machine/Template Views which include Folders"

Well, actually, you can have folders under datacenters in the "Hosts/Clusters" view as well.

Texiwill
Leadership

Hello,

Yes you can, but I would ensure the roles and perms are applied to the proper view. It will allow everything to work as expected with all the tools.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009
