VMware Cloud Community
lldmka
Enthusiast

vCenter Security Model

Hi,

I am keen to hear how others have designed their vCenter security - with respect to AD group structure and application within vCenter.

We currently have a model that uses multiple AD groups, mapped to various vCenter roles and infrastructure levels (datacenter, cluster, folder, etc.) and mirror our AD OU structure for our VMs. It is quite cumbersome to manage and often doesn't achieve its objective anyway, especially when users need access to servers that live in a different folder to the one they have permissions to.

e.g.

VM Folder         AD Groups
Citrix            V_Citrix_VMA, V_Citrix_VMPU, V_Citrix_VMU, etc.
Exchange          V_Exchange_VMA, V_Exchange_VMPU, V_Exchange_VMU
Infrastructure    V_Infrastructure_VMA, V_Infrastructure_VMPU, V_Infrastructure_VMU

V_VMA: mapped to VM Admin

V_VMPU: mapped to VM Power User

V_VMU: mapped to VM User

If an Exchange administrator needs vCenter access to a server that lives in the Citrix folder, they would normally be added to the V_Citrix_VMU group (then giving them access to all Citrix servers), or the server would be moved to the Exchange folder (but then the Citrix administrators would lose access). We have 1000+ VMs, so we can't create AD groups for each server.

Any feedback would be appreciated.

0 Replies
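An added PowerCLI audit for the model described in the post (example code, not from the original post or from VMware): it lists every permission defined directly on a VM folder and flags grants that break the V_<Folder>_<VMA|VMPU|VMU> convention, plus any permissions set on individual VMs. It assumes the VMware.PowerCLI module, the role names "VM Admin", "VM Power User" and "VM User" quoted above, and a placeholder vCenter hostname.

```powershell
# Added audit example, not from the original post or from VMware: reports folder-level
# grants that break the V_<Folder>_<VMA|VMPU|VMU> naming convention described above.
# Assumes the VMware.PowerCLI module and a placeholder vCenter hostname.
Import-Module VMware.PowerCLI -ErrorAction Stop
$vc = Connect-VIServer -Server 'vcenter.example.local'   # placeholder, replace with your vCenter

# Expected group-suffix to role mapping, as described in the post.
$roleBySuffix = @{ VMA = 'VM Admin'; VMPU = 'VM Power User'; VMU = 'VM User' }

function Get-FolderGrantStatus {
    param($FolderName, $Permission)
    # Principal arrives as DOMAIN\Group; keep only the group name for matching.
    $group = ($Permission.Principal -split '\\')[-1]
    if (-not $Permission.IsGroup) { return 'User granted directly instead of via a group' }
    if ($group -notmatch '^V_(?<folder>.+)_(?<suffix>VMA|VMPU|VMU)$') {
        return 'Group does not follow the V_<Folder>_<suffix> convention'
    }
    if ($Matches.folder -ne $FolderName) {
        return "Cross-folder grant: group is named for folder '$($Matches.folder)'"
    }
    if ($roleBySuffix[$Matches.suffix] -ne $Permission.Role) {
        return "Role mismatch: suffix implies '$($roleBySuffix[$Matches.suffix])'"
    }
    return 'OK'
}

$report = foreach ($folder in Get-Folder -Type VM -Server $vc) {
    # Keep only permissions defined on this folder itself, not ones inherited from above.
    $direct = Get-VIPermission -Entity $folder -Server $vc |
        Where-Object { $_.Entity.Uid -eq $folder.Uid }
    foreach ($perm in $direct) {
        [pscustomobject]@{
            Folder    = $folder.Name
            Principal = $perm.Principal
            Role      = $perm.Role
            Propagate = $perm.Propagate
            Status    = Get-FolderGrantStatus -FolderName $folder.Name -Permission $perm
        }
    }
}

# Permissions set on individual VMs are the per-server exceptions the folder model tries to avoid.
$vmLevel = Get-VIPermission -Server $vc | Where-Object { $_.EntityId -like 'VirtualMachine-*' }

$report | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
"{0} permissions defined directly on VMs" -f @($vmLevel).Count
$vmLevel | Select-Object Entity, Principal, Role | Format-Table -AutoSize
Disconnect-VIServer -Server $vc -Confirm:$false
```

Run it read-only against vCenter; the non-OK rows are exactly the cross-folder additions and per-server grants the post describes, so the report shows how far the live permissions have drifted from the intended group structure.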