VMware Cloud Community
Xeltros
Contributor

network configuration and access rights

Hello,

I have a question that I thought was very simple but I probably am missing something.

I would like to create some kind of self-service test environment in my vCenter. Of course, I would like to isolate this environment from the rest of my network. The simplest and safest way would be to dedicate a host for that and physically limit its access to the network via a firewall; however, this is not possible in my case.

This means that I will have to allow people to fully control the VM creation/modification in a resource pool, including adding/removing/editing network cards. However, I want to restrict them to some specific network cards (which are attributed to specific vSwitches).

For example, let's say I have several network configurations for: LAN, INTERNET, DMZ, HOST-ONLY.

How can I give full access rights on a resource pool without allowing access to LAN and DMZ when editing VM settings?

It's probably very simple but I cannot figure it out by myself.

5 Replies
petergsk
Enthusiast

Hello,

Very similar question here after 4 years. I am just at the start of my vCenter journey (some 2 months now), preparing a lab deployment for the team and looking to restrict access to some network resources.

Have you found a way to solve your issue? What was it?

Thanks if you come by and (quickly, I hope) react.

BR

Peter

scott28tt
VMware Employee

What are you trying to achieve exactly?

What devices/systems should and should not be able to communicate with one another?

Where are these devices/systems relative to your underlying network?


-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog
petergsk
Enthusiast

Hello,

Easy thing. We are a bunch of networkers virtualizing all we can in our lab to match real customer deployments and trends, so while migrating to vCenter, with it being the only configuration tool for them, we need to keep their comfort of being able to create vSwitches, portgroups, etc., like they are used to from single-host access.

For that, folks with the "VM Power User" role need to have the Hosts.Configuration.NetworkConfiguration role. In turn, they get by default the right to do so on all hosts in the vCenter domain (datacenter), and in vCenter's GUI there is no option to specifically limit their config access to some core vSwitches we determine.

How can I achieve that?

scott28tt
VMware Employee

What do you want them to be able to do and what don't you want them to be able to do?

petergsk
Enthusiast

For restricted ones (vSwitches, port-groups), I want them to have read-only access. So, what's the method if not in the GUI?
