In this post we will follow the guidelines from the VMware VCP6-DCV blueprint.
This post covers only some of the objectives; I will continue in the next post.
Below are the objectives for this post, taken from the VMware site: https://mylearn.vmware.com/mgrReg/plan.cfm?plan=64180&ui=www_cert
Objective 1.1: Configure and Administer Role-based Access Control
- Compare and contrast propagated and explicit permission assignments
- View/Sort/Export user and group lists
- Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
- Determine how permissions are applied and inherited in vCenter Server
- Create/Clone/Edit vCenter Server Roles
- Configure VMware Directory Service
- Apply a role to a User/Group and to an object or group of objects
- Change permission validation settings
- Determine the appropriate set of privileges for common tasks in vCenter Server
- Compare and contrast default system/sample roles
- Determine the correct permissions needed to integrate vCenter Server with other VMware products
Compare and contrast propagated and explicit permission assignments
If we look at the VMware vSphere Security document, page 114, under the topic “Understanding Authorization in vSphere”, we can get a better understanding of authorization in vSphere.
Basically, we need to understand that vSphere 6.0 allows a privileged user or group (such as Administrator) to give other users permissions to perform tasks in the following ways:
vCenter Server Permissions: The permission model for vCenter Server systems relies on assigning permissions to objects in the object hierarchy of that vCenter Server. Each permission gives one user or group a set of privileges, that is, a role for a selected object.
Global Permissions: Global permissions are applied to a global root object that spans solutions.
Group Membership in vsphere.local Groups: The user email@example.com can perform tasks that are associated with services included with the Platform Services Controller (PSC). In addition, members of a vsphere.local group can perform the corresponding task.
ESXi Local Host Permissions: When managing a standalone ESXi host that is not managed by a vCenter Server system, you can assign one of the predefined roles to users.
View/Sort/Export user and group lists
This is kinda funny, I am not sure what question we are going to get in the exam regarding this :-)
To get to the users and groups screen: vCenter >> Administration >> under SSO >> Users and Groups
Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
To add, modify or remove a permission for a user or group on a vCenter inventory object:
- Choose the object; in the picture below we choose esx0.vshere6lab.local
- Click on Manage and then click on Permission
- From there you can add (+), edit (pencil) or remove (x)
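The same add/edit/remove steps scripted with PowerCLI, as an added example that is not part of the original post. The vCenter address and the `VSPHERE.LOCAL\labuser` principal are assumptions, and `Show-Permission` and `Get-ExplicitPermission` are hypothetical helper names defined in the block itself.

```powershell
# Added example: PowerCLI equivalent of the Manage > Permission steps.
$vCenter   = 'vcenter.example.local'    # assumption: your vCenter Server
$hostName  = 'esx0.vshere6lab.local'    # the object chosen in the post
$principal = 'VSPHERE.LOCAL\labuser'    # assumption: an existing SSO user
$roleName  = 'ReadOnly'                 # built-in system role

Connect-VIServer -Server $vCenter | Out-Null
$entity = Get-VMHost -Name $hostName -ErrorAction Stop

# List permissions for the object; DefinedOn shows which inventory object
# each permission is attached to.
function Show-Permission {
    param($Entity, [string]$Label)
    Write-Host "--- $Label"
    Get-VIPermission -Entity $Entity |
        Select-Object Principal, Role, Propagate, IsGroup,
            @{ Name = 'DefinedOn'; Expression = { $_.Entity.Name } } |
        Format-Table -AutoSize | Out-Host
}

# Return only the permission set directly on this object for the principal.
function Get-ExplicitPermission {
    param($Entity, [string]$Principal)
    Get-VIPermission -Entity $Entity |
        Where-Object { $_.Entity.Id -eq $Entity.Id -and
                       $_.Principal -eq $Principal }
}

Show-Permission $entity 'before'

# Add (+): create the permission only if it is not already set on the object.
$perm = Get-ExplicitPermission $entity $principal
if (-not $perm) {
    $perm = New-VIPermission -Entity $entity -Principal $principal `
                -Role (Get-VIRole -Name $roleName) -Propagate $false
}

# Edit (pencil): let the permission propagate to child objects.
$perm = Set-VIPermission -Permission $perm -Propagate $true
Show-Permission $entity 'after add + edit'

# Remove (x): delete the permission again.
Remove-VIPermission -Permission $perm -Confirm:$false
Show-Permission $entity 'after remove'

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Piping `Get-VIPermission` into `Export-Csv` instead of `Format-Table` gives a permission listing that can be kept for review.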
Determine how permissions are applied and inherited in vCenter Server