vcenter permissions/tiers

Can I ask at what level can you set permissions in vcenter, is there a list? i.e. cluster, vcenter, host, guest, etc. Can you set them at every level?

Also, can you elaborate on what permissions "Virtual machine power user (sample)" grants a user? Is this a high-risk permission? What does "sample" represent?

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
In many organizations we have worked with, they like to "mirror" permissions from the physical world to the virtual "vCenter world",

e.g. Domain Administrators would be granted Top Level permissions to vCenter Server and ALL objects underneath.

But some organizations have Domain Administrators and Virtual Administrators, which are granted ALL access to vCenter Server.

Can you expand on your last questions?

pma111 (Author) commented:
Can you elaborate on the type of "object", and the various levels of object?

I.e. what's top level - vCenter, then datacentre, then host, then virtual machine?

Or can they be more granular than that?

And I'd run a report of permissions in vCenter, and domain administrators group had the admin role, but then there was an entry:

"Virtual machine power user (sample)"

And I wondered what that permission would give someone? And what risks if an unauthorised user had that permission?
bbao, IT Consultant, commented:

Managing VMware VirtualCenter Roles and Permissions
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
object - virtual machine

object - host

object - cluster

Top Level is the vCenter Server object, followed by Datacentre, followed by Cluster, Host, VM.

Virtual Machine (power user) is a Role which has been defined as a sample by VMware.

You would need to refer to the documentation, because it has lots of permissions.
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Virtual machine power user (sample)

Datastore - Browse Rights
Global - Cancel Rights- Cancel Task
Schedule Tasks - Create, Modify, Remove, and Run
Virtual Machine - Configuration, Interaction, Snapshot Management
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
If an unauthorized user had Virtual machine power user, it could Reset, Power Off, Change virtual machine configuration.
pma111 (Author) commented:
What about opportunities for data theft?
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
They have the ability to

1. Add a new disk to the VM.
2. Copy contents to a new disk. (if they have access to the VM via RDP) (they could miss this step!)
3. Power OFF the VM.
4. Datastore browse options
5. So could then download the entire VM to their laptop (e.g. any virtual machine disk!)
6. and be off!

So Extremely High!

So if someone in your organisation created an AD account, and gave them permissions.

They could connect a laptop to your LAN with the vSphere Client installed, log in to the vCenter Server using stolen AD credentials, and download virtual machine disks.

They do not need to have a laptop or computer that is part of your domain.

Or they could do it with a browser, if using Web Client!

If you have security and configuration concerns about vCenter Server, you should seriously check out

ChangeAuditor for VMware vCenter

ChangeAuditor for VMware vCenter helps you ensure the security, compliance and control of event activity and security of VMware vCenter Server by managing, auditing, reporting and alerting on all changes in real time to the platform.

With ChangeAuditor, administrators can report on, analyze and manage events and changes without the complexity and time required by native auditing or concerns over system performance. You’ll be confident knowing that your data is safe and that you’ve met the compliance demands necessary to satisfy the scrutiny of any auditor.

ChangeAuditor for VMware vCenter is freeware and included with other ChangeAuditor modules, including all trial versions.
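
Added example (not part of the thread and not VMware or ChangeAuditor code): a small audit over a constructed permissions report that follows the vCenter > Datacentre > Cluster > Host > VM hierarchy described above and flags who ends up, on a given VM, with the privilege combination behind the disk-copy path in the last answer. The inventory, principals and entries are made up; the privilege IDs are real vSphere names, the `"*"` shorthand for the administrator role is an assumption of this sketch, and group membership is not modelled.

```python
# Constructed sample data throughout; only the privilege IDs are real vSphere names.
# Inventory as child -> parent, following the hierarchy given in the thread.
PARENT = {
    "dc-01": "vcenter", "cluster-a": "dc-01",
    "esx-01": "cluster-a", "vm-finance": "esx-01", "vm-web": "esx-01",
}
# Role -> privilege IDs (subset modelled on the list quoted in the thread;
# "*" is this sketch's shorthand for "all privileges").
ROLES = {
    "Admin": {"*"},
    "VirtualMachinePowerUser": {
        "Datastore.Browse", "Global.CancelTask", "ScheduledTask.Create",
        "VirtualMachine.Config.AddNewDisk", "VirtualMachine.Interact.PowerOff",
        "VirtualMachine.State.CreateSnapshot",
    },
    "ReadOnly": {"System.Read"},
}
# Permission entries: (object, principal, role, propagate to children?)
PERMISSIONS = [
    ("vcenter", "CORP\\Domain Admins", "Admin", True),
    ("cluster-a", "CORP\\helpdesk", "VirtualMachinePowerUser", True),
    ("vm-finance", "CORP\\helpdesk", "ReadOnly", False),
    ("dc-01", "CORP\\contractor", "VirtualMachinePowerUser", False),
]
# Privileges that together allow the disk-copy path described in the thread.
RISKY = {"Datastore.Browse", "VirtualMachine.Config.AddNewDisk",
         "VirtualMachine.Interact.PowerOff"}

def effective_role(obj, principal):
    """Nearest permission wins: one set on the object itself, otherwise the
    closest ancestor whose entry for this principal has propagate=True."""
    node, is_self = obj, True
    while node is not None:
        for entity, who, role, propagate in PERMISSIONS:
            if entity == node and who == principal and (is_self or propagate):
                return role
        node, is_self = PARENT.get(node), False
    return None

def risky_principals(obj):
    """Principals whose effective role on obj covers every privilege in RISKY."""
    found = []
    for who in sorted({p[1] for p in PERMISSIONS}):
        privs = ROLES.get(effective_role(obj, who), set())
        if "*" in privs or RISKY <= privs:
            found.append(who)
    return found

if __name__ == "__main__":
    for vm in ("vm-finance", "vm-web"):
        print(vm, risky_principals(vm))
```

The `vm-finance` entry shows that a permission set directly on a child object overrides one propagated from the cluster, so a report has to be read per object rather than only at the top level.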
