vcenter permissions/tiers

Can I ask at what level can you set permissions in vCenter, is there a list? i.e. cluster, vCenter, host, guest, etc. Can you set them at every level?

Also can you elaborate what permissions:

Virtual machine power user (sample)

Grants a user? Is this a high risk permission? What does "sample" represent?
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
In many organizations we have worked with, they like to "mirror" permissions from the physical world to the virtual "vCenter world",

e.g. Domain Administrators would be granted Top Level permissions to vCenter Server and ALL objects underneath.

But some organizations have Domain Administrators and Virtual Administrators, which are granted ALL access to vCenter Server.

Can you expand on your last questions?
pma111 (Author) commented:
Can you elaborate on the type of "object", and the various levels of object?

I.e. what's top level - vCenter, then datacentre, then host, then virtual machine?

Or can they be more granular than that?

And I'd run a report of permissions in vCenter, and domain administrators group had the admin role, but then there was an entry:

"Virtual machine power user (sample)"

And I wondered what that permission would give someone? And what risks if an unauthorised user had that permission?
bbao, IT Consultant, commented:

Managing VMware VirtualCenter Roles and Permissions

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
object - virtual machine

object - host

object - cluster

Top Level is the vCenter Server object, followed by Datacentre, followed by Cluster, Host, VM.

Virtual Machine (power user) is a Role which has been defined as a sample by VMware.

You would need to refer to the documentation, because it has lots of permissions.
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Virtual machine power user (sample)

Datastore - Browse Rights
Global - Cancel Rights - Cancel Task
Schedule Tasks - Create, Modify, Remove, and Run
Virtual Machine - Configuration, Interaction, Snapshot Management
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
If an unauthorized user had Virtual machine power user, they could:

Reset, Power Off, Change virtual machine configuration
pma111 (Author) commented:
What about opportunities for data theft?
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
They have the ability to

1. Add a new disk to the VM.
2. Copy contents to a new disk (if they have access to the VM via RDP) (they could miss this step!).
3. Power off the VM.
4. Datastore browse options.
5. So they could then download the entire VM to their laptop (e.g. any virtual machine disk!)
6. and be off!

So Extremely High!

So if someone in your organisation created an AD account and gave them permissions, they could connect a laptop to your LAN with the vSphere Client installed, log in to the vCenter Server using stolen AD credentials, and download virtual machine disks.

They do not need to have a laptop or computer that is part of your domain.

Or they could do it with a browser, if using Web Client!

If you have security and configuration concerns about vCenter Server, you should seriously check out

ChangeAuditor for VMware vCenter

ChangeAuditor for VMware vCenter helps you ensure the security, compliance and control of event activity and security of VMware vCenter Server by managing, auditing, reporting and alerting on all changes in real time to the platform.

With ChangeAuditor, administrators can report on, analyze and manage events and changes without the complexity and time required by native auditing or concerns over system performance. You’ll be confident knowing that your data is safe and that you’ve met the compliance demands necessary to satisfy the scrutiny of any auditor.

ChangeAuditor for VMware vCenter is freeware and included with other ChangeAuditor modules, including all trial versions.
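
An added example, not part of the original thread and not VMware's code: a short Python check that takes rows of a vCenter permissions report, resolves the role each principal effectively holds on a VM through the hierarchy described above (a permission set on a child object overrides one propagated from a parent), and flags roles that carry the privileges behind the steps listed. Inventory names, principals and the role-to-privilege subsets are constructed; group membership is not resolved and datastores are not modelled as separate objects.

```python
# Added example; inventory names, principals and role subsets are constructed.
# Child -> parent, following the hierarchy given in the thread:
# vCenter Server > Datacentre > Cluster > Host > VM.
PARENT = {
    "vcenter01": None, "DC-London": "vcenter01", "Cluster-A": "DC-London",
    "esx01": "Cluster-A", "vm-finance": "esx01", "vm-web": "esx01",
}

# Privilege IDs behind the steps in the thread: add disk, power off, browse.
RISKY = {"VirtualMachine.Config.AddNewDisk", "VirtualMachine.Interact.PowerOff",
         "Datastore.Browse"}

POWER_USER = "Virtual machine power user (sample)"
# Role -> privileges (assumed subsets, only what this check needs).
ROLES = {
    "Admin": RISKY | {"Datastore.FileManagement"},
    POWER_USER: set(RISKY),
    "ReadOnly": {"System.Read"},
}

# Rows of a permissions report: (object, principal, role, propagate).
PERMISSIONS = [
    ("vcenter01", "CORP\\Domain Admins", "Admin", True),
    ("DC-London", "CORP\\helpdesk", POWER_USER, True),
    ("vm-finance", "CORP\\helpdesk", "ReadOnly", False),
    ("Cluster-A", "CORP\\contractor", POWER_USER, False),
]

def effective_role(principal, obj):
    """Walk from obj up to the root; the nearest applicable assignment wins."""
    node = obj
    while node is not None:
        for entity, who, role, propagate in PERMISSIONS:
            # A non-propagating permission applies only to the object itself.
            if entity == node and who == principal and (propagate or node == obj):
                return role
        node = PARENT[node]
    return None

def risky_grants(objects):
    """Return (object, principal, role) where the role holds every RISKY privilege."""
    findings = []
    for obj in objects:
        for who in sorted({row[1] for row in PERMISSIONS}):
            role = effective_role(who, obj)
            if role is not None and RISKY <= ROLES[role]:
                findings.append((obj, who, role))
    return findings

if __name__ == "__main__":
    for obj, who, role in risky_grants(["vm-finance", "vm-web"]):
        print(f"{obj}: {who} via {role}")
```

In the sample data the helpdesk group inherits the power user role on `vm-web` from the datacentre, while the read-only assignment placed directly on `vm-finance` overrides it there.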
