Thursday, August 9, 2012

Prevent Admins from Doing Stupid Things in vCenter

Role Based Access Control, or RBAC, is very useful in vCenter. I know many of you simply have your own vCenter server; it's only you, and you aren't good at sharing. We all have kindergarten issues.
But in the real world you try to fork off as much of your own work onto other people in your organization as you can. In this vein, you now have to realize that not everyone is as smart or careful as you.
RBAC provides a granular role for each set of users. Think of the roles you may have:
- Close Support (Help Desk)
- System Admins
- Application Admins
- SuperUsers
- Root Admins
Close support is your "on the ground" people who have great procedures that you have written up so that they can fix 75% of the basic problems without escalating to 2nd level tech support. (You did make procedure guides for all your basic processes, right?) You may want close support to:
- View server status
- View server performance
- Reboot a server
- Power on/off a server
But you probably don't want them changing the number of vCPUs, changing memory, mounting other vmdk files to the server, deleting the server, or creating a WoW server on your network.
System Admins may be assigned to all VMs at a hardware level. But for data security reasons, you may not want them adding existing disks to a server. They can create new VMs, but maybe only from a template. Creating from a template keeps them from allocating too much space or connecting a VM to the wrong network (port group/VLAN). Using Templates and Customization Specifications, you can require them to provision new VMs only from templates and ask for only a few items when deploying the template. The rest would be hard-coded into the template and the specification.

To do this you need a couple of roles created. We'll call them:
  • CustomizationAccess
  • DeployTemplate
For DeployTemplate we need several permissions:
  • Datastore
    • Browse Datastore
    • Allocate Space (for vSphere 4.0)
  • Virtual Machine
    • Configuration
      • Add new disk
    • Interaction
      • Select ALL options
    • Inventory
      • Create
    • Provisioning
      • Customize
      • Deploy Template
  • Resource
    • Assign Virtual Machine to Resource Pool
For CustomizationAccess you will need:
  • Virtual Machine
    • Provisioning
      • Modify customization specification
      • Read customization specification
That is IT. Now you will assign the CustomizationAccess role at the vCenter level. That's top of the top. So go to Hosts and Clusters and right-click on your vCenter server name (it is the entry with the vCenter icon next to it).

Choose Add Permission and select the CustomizationAccess role. Choose the group or groups that you want to have access and add the permission.
Now we have to give that group access to their resources. We will assume the group is called Tech. Assign the role DeployTemplate at the following locations:
  • Hosts and Clusters
    • Datacenter
      • Resource Pool - Tech
  • VMs and Templates
    • Datacenter
      • Folder - Tech
  • Datastores
    • Datacenter
      • Folder - Tech
This will give them access to the resources that they need to deploy the VMs.

Pro Tip:

If you have DRS enabled on the cluster, but you have it set to MANUAL, then the VM will NOT be able to be powered up by the Tech group. It will NOT show an error; it will just silently fail and stay off.
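The same two roles and the three permission assignments, scripted with PowerCLI, plus a check for the DRS pitfall from the Pro Tip. This is an added example and not from the original post; it assumes an already connected session (Connect-VIServer), a datacenter named DC1 and an AD group CORP\Tech (both placeholders), and uses the vSphere API privilege IDs that correspond to the menu items listed above.

```powershell
# Added example (not part of the original post). Assumes Connect-VIServer has already been run.
$dcName = 'DC1'        # placeholder datacenter name
$group  = 'CORP\Tech'  # placeholder principal; the post only calls the group "Tech"

# API privilege IDs for the DeployTemplate menu items listed in the post.
$deployPrivIds = @(
    'Datastore.Browse',
    'Datastore.AllocateSpace',                   # needed on vSphere 4.0, per the post
    'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Provisioning.Customize',
    'VirtualMachine.Provisioning.DeployTemplate',
    'Resource.AssignVMToPool'
)
# "Interaction -> Select ALL options": take every privilege item in that group.
$interactPrivs = Get-VIPrivilege -PrivilegeItem | Where-Object { $_.Id -like 'VirtualMachine.Interact.*' }
$deployPrivs   = @(Get-VIPrivilege -Id $deployPrivIds) + @($interactPrivs)

$custPrivs = Get-VIPrivilege -Id @(
    'VirtualMachine.Provisioning.ModifyCustSpecs',
    'VirtualMachine.Provisioning.ReadCustSpecs'
)

$deployRole = New-VIRole -Name 'DeployTemplate'      -Privilege $deployPrivs
$custRole   = New-VIRole -Name 'CustomizationAccess' -Privilege $custPrivs

# CustomizationAccess goes at the vCenter root ("top of the top"); no propagation needed.
$root = Get-Folder -NoRecursion
New-VIPermission -Entity $root -Principal $group -Role $custRole -Propagate:$false

# DeployTemplate at the three "Tech" containers; propagate so objects created inside inherit it.
$dc = Get-Datacenter -Name $dcName
$targets = @(
    (Get-ResourcePool -Name 'Tech' -Location $dc),
    (Get-Folder -Name 'Tech' -Type VM -Location $dc),
    (Get-Folder -Name 'Tech' -Type Datastore -Location $dc)
)
foreach ($t in $targets) {
    New-VIPermission -Entity $t -Principal $group -Role $deployRole -Propagate:$true
}

# Check 1: the role should contain nothing outside the Datastore/VirtualMachine/Resource groups.
(Get-VIRole -Name 'DeployTemplate').PrivilegeList |
    Where-Object { $_ -notmatch '^(Datastore|VirtualMachine|Resource)\.' }

# Check 2: surface clusters where the Pro Tip applies (DRS on, automation level Manual).
Get-Cluster -Location $dc |
    Where-Object { $_.DrsEnabled -and $_.DrsAutomationLevel -eq 'Manual' } |
    Select-Object Name, DrsAutomationLevel
```

Check 1 prints nothing when the role is scoped as intended; any privilege ID it lists is one the post does not call for.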
