knn
Contributor

Restrict access to vSwitch

Hello all,

There's an ESX Server set aside for a test environment.

My apprentices are to gain experience by trying stuff themselves.

That will require the privilege to create or configure VMs.

No problem, since it's a test environment.

The host needs to be accessible from the regular network, same for the VMs.

No problem: We just set up a dual homed gateway.

But: under no account are test VMs to be connected to the regular network. Of course my apprentices are responsible persons and would never do such a thing if told not to. Trust is good, control is better. They might, for example, host a DHCP server or a clone of our domain server.

Anyone have an idea how I can define a role that has no access to the vSwitch with an uplink to the outside world?

The only thing I can come up with is to limit that vSwitch to 8 Ports and occupy all of them.

Grateful for any hints.

Regards,

knn

kennyhwx
Contributor

Hi,

The related permissions should be under "All Privileges\Network".

You can clone an existing role and remove the permissions not required.

For more information on the privileges, refer to

http://pubs.vmware.com/vsp40/wwhelp/wwhimpl/js/html/wwhelp.htm#href=admin/c_defined_privileges.html#...

Kenny

Message was edited by: kennyhwx Added link to privileges

knn
Contributor

Thanks for taking the time to post your thoughts.

As far as I understand "All Privileges" -> Network allows me to prevent my apprentices from changing network settings of their VMs.

I guess that would prevent them from setting up their own VMs and assigning them to the correct vSwitch.

Then I would end up having to do that for them.

I would much rather prevent them from using a specific vSwitch whereas they can use all other vSwitches as they deem fit.

knn

peetz
Leadership

Hi,

In the "Inventory/Networking" view of vCenter you can group vSwitches and port groups in folders and assign different permissions at the folder level.

This way you can grant your apprentices the "Assign network" privilege for only a subset of the existing vSwitches and portgroups.

Please note that these privileges need to be assigned to both the VMs and the network objects.

- Andreas

Twitter: @VFrontDe, @ESXiPatches | https://esxi-patches.v-front.de | https://vibsdepot.v-front.de
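The folder-based permission model Andreas describes, written out as a PowerCLI script. This is an added example, not code from the thread or from VMware; the vCenter name, datacenter "Lab", AD group "LAB\apprentices", VM folder "ApprenticeVMs" and the sandbox port group names are constructed placeholders, and it assumes standard Network objects can be moved into a network folder via the MoveIntoFolder API.

```powershell
# Added example (not from the thread): apprentices get "Assign network" only on
# a folder of sandbox networks; the uplinked port group stays outside that folder.
Connect-VIServer -Server "vcenter.example.com"        # placeholder vCenter

$dc        = Get-Datacenter -Name "Lab"               # placeholder datacenter
$principal = "LAB\apprentices"                        # placeholder AD group
$allowed   = @("TestNet-A", "TestNet-B")              # constructed sandbox port groups

# 1. Role for the VM objects: clone "Virtual machine power user" but drop the
#    whole Network branch except Network.Assign, so apprentices can attach a
#    NIC to a network yet cannot create, edit or delete vSwitches/port groups.
$basePrivs = Get-VIRole -Name "Virtual machine power user" | Get-VIPrivilege
$vmPrivs   = $basePrivs | Where-Object { $_.Id -notlike "Network.*" }
$vmPrivs  += Get-VIPrivilege -Id "Network.Assign"
$vmRole    = New-VIRole -Name "Apprentice-VM" -Privilege $vmPrivs

# 2. Role for the network objects: only Network.Assign is needed there.
$netRole = New-VIRole -Name "Apprentice-Net" -Privilege (Get-VIPrivilege -Id "Network.Assign")

# 3. Create a network folder and move only the sandbox networks into it.
#    Assumption: the datacenter's root network folder is the first non-recursive
#    Network-type folder; Network objects are moved with Folder.MoveIntoFolder.
$netRoot = Get-Folder -Type Network -Location $dc -NoRecursion | Select-Object -First 1
$sandbox = New-Folder -Name "ApprenticeNets" -Location $netRoot
$nets    = Get-View -ViewType Network -Filter @{ "Name" = "^(" + ($allowed -join "|") + ")$" }
(Get-View $sandbox).MoveIntoFolder(@($nets | ForEach-Object { $_.MoRef }))

# 4. Permissions on both sides, as Andreas notes: the VM folder gets the VM role,
#    the sandbox network folder gets the network role. No permission is granted
#    on the folder that still holds the uplinked network, so assigning it fails.
$vmFolder = Get-Folder -Name "ApprenticeVMs" -Type VM -Location $dc   # placeholder folder
New-VIPermission -Entity $vmFolder -Principal $principal -Role $vmRole  -Propagate $true
New-VIPermission -Entity $sandbox  -Principal $principal -Role $netRole -Propagate $true

# Check: the only networks the group can assign are the children of the sandbox folder.
(Get-View $sandbox).ChildEntity | ForEach-Object { (Get-View $_).Name }
```

Verify from an apprentice account that "Edit Settings" on a test VM lists only the sandbox networks; the uplinked port group should not appear because the account holds no Network.Assign on its folder.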