VMware Cloud Community
Tigerstolly
Enthusiast
Enthusiast
‎07-15-2010 06:46 AM

Delegated rights for Network team - NO rights for anyone else

Hi,

We are running in a secure multinetwork environment, with networks in different security domains.

Is it possible to be in a situation where the Network team can be given rights to manage vSwitches (either standard or dv) but deny access to everyone else ? Including the Datacenter Administrators ? And obviously the Network team will be denied the ability to do anything else.

We only want the Network team to be able to create / change portgroups, setup vswitches etc. The Server guys (even though they manage all other aspects) need to be denied access. This is to eliminate the possibility of a single individual being able to take a VM from a high security zone and attach it to the management network, and therefore be able to transfer sensitive data from the production network to the management network.

Thanks in advance !

0 Kudos
3 Replies
saravanraj
Contributor
Contributor
‎07-18-2010 09:11 PM

Cisco Nexus 1000v exactly offers this functionality.

The Network team gets to manage the networking functionality on the ESX and will not have any other rights on the vCenter in terms of powering on VMs etc.

Also the Server team will not have any rights on the Network functionality.

Nexus 1000V comes with a 60 day evaluation period.

For further details on Cisco Nexus 1000V, please go to :

http://www.cisco.com/go/1000v

For the Cisco Nexus 1000v community hosted at cisco.com, please go to :

https://www.myciscocommunity.com/community/products/nexus1000v?view=overview

Saravan Rajendran

Cisco Systems Inc.

saravan@cisco.com

p0wertje
Hot Shot
Hot Shot
‎07-19-2010 12:32 AM

Hello,

Yes i think you can.

Under vCenter you can create/assign roles.

It is under home, administration, roles. (assuming you use vSphere 4.0)

If you define 2 roles there, 1 for network and 1 for the admins, you can assign permission to the roles.

After that go to home, inventory, hosts and clusters, right click on your vcenter, or datacenter , or cluster etc. and click add permission.

You can add users and groups there and assign them your newly created roles.

Be careful with the permissions, it is very easy to lock yourself out.

Cheers,
p0wertje | VCIX6-NV | JNCIS-ENT | vExpert
Please kudo helpful posts and mark the thread as solved if solved
0 Kudos
Tigerstolly
Enthusiast
Enthusiast
‎07-20-2010 01:23 PM

OK i can see how you can do that. But what will stop the Datacenter admin who sets up these permissions from later on giving himself the network permissions ?

Handing the rights out via roles is easy, stopping one person from being able to manage both seems to be harder, unless you use the Nexus switches as has been said.

0 Kudos