Restrict User or Group from accessing Roles and Permissions on vSphere

Hi there VMware Experts,

I would like to create an admin group with the following two restrictions:

1) Not to be able to open the console on VMs

I have found that the open console is under Interaction tree.
Checking the “Console interaction” checkbox will also block any connection attempt via a VNC client?


2) Not to be able to open and edit Roles, Permissions and Local Users and Group Permission in order to
be restricted from changing the “open console restriction”

How should I block a user or group from changing Roles and Permissions?
mamelas Asked:
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
1. Create a custom role, with the option - Console Interaction Removed (tick removed).

2. Only Administrators can change roles, so make them a non Administrator.

See the samples included.
0
mamelas (Author) Commented:
Hi there Andrew,

Please clarify the following for me:

If I create a custom role and check "All Privileges" and tick remove the "Console Interaction",
will that role be the same as Administrator?

I mean that if a custom role has access to everything, will it also be seen by vSphere as
administrator? (having the ability to change roles and permissions?)
0
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
Roles are assigned to groups or users.

Role A - Administrator - User A

Role B - Read only - User B  (no console access)

At present you have assigned all your users to Admin roles.
0
mamelas (Author) Commented:
OK,

So a custom Role (let's name it Remote Users) with all privileges checked will be assumed by vSphere to be administrator since it has all privileges?

Or will only users that are registered to the Administrator Group have access to change permissions and roles??
0
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
You select a Role and assign it to a user or user group.

This Role is Administrator (default), and many assign this role to ALL users - wrongly!

If you create a Custom Role with ALL Checked - that's an Administrator!

Best thing to do is experiment: create a new role, assign it to a new group, and add a new user (not your account, a test account)
0
mamelas (Author) Commented:
The above are noted with thanks.

"If you create a Custom Role with ALL Checked - that's an Administrator!"
I understand that the pre-defined "Read-only role" is a restricted read-only role and therefore users under this group cannot change the Permissions or Roles.

Now, assuming that I have a user that I want to:
- give access to almost everything
- but restrict him from accessing the console and from changing the Roles and Permissions

Is there any checkbox under "All Privileges" that restricts that User from changing the Roles and Permissions??
0
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
You will need to create a user-defined role, or custom role, with the features that you require.

The setting is called Permissions.

If they do not have Permissions enabled, they cannot modify permissions, modify roles, or re-assign role permissions.

So you could CLONE the Administrator Role, and then deselect Permissions, and Interact with Console!
0
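One way to script the "clone Administrator, then deselect Permissions and console interaction" approach from the answer above, as an added PowerCLI example that is not part of the original thread. The role name, group name and datacenter name are placeholders, and the script assumes an existing `Connect-VIServer` session; the privilege IDs are the vSphere identifiers behind the "Permissions" group and the console-interaction checkbox.

```powershell
# Added example (PowerCLI). Assumes Connect-VIServer has already been run.
# Role, group and datacenter names below are placeholders, not from the thread.
$newRoleName = 'Admin-NoConsole-NoPermissions'
$principal   = 'EXAMPLE\Remote-Users'
$entity      = Get-Datacenter -Name 'DC01'

# True for privileges the new role must NOT hold: everything in the
# "Permissions" group (IDs start with "Authorization.") and the VM console.
function Test-Withheld([string]$Id) {
    ($Id -like 'Authorization.*') -or ($Id -eq 'VirtualMachine.Interact.ConsoleInteract')
}

# "Clone" the built-in Administrator role (named 'Admin' in PowerCLI) minus
# the withheld privileges.
$keep = Get-VIPrivilege -Role (Get-VIRole -Name 'Admin') |
    Where-Object { -not (Test-Withheld $_.Id) }
$role = New-VIRole -Name $newRoleName -Privilege $keep

# Verify before assigning: fail if anything withheld slipped through.
$leaked = $role.PrivilegeList | Where-Object { Test-Withheld $_ }
if ($leaked) { throw "Role still holds: $($leaked -join ', ')" }

New-VIPermission -Entity $entity -Principal $principal -Role $role -Propagate:$true

# Audit: every role that can change roles or permissions, and who holds it.
$powerful = Get-VIRole | Where-Object { $_.PrivilegeList -like 'Authorization.*' }
Get-VIPermission | Where-Object { $powerful.Name -contains $_.Role } |
    Select-Object Principal, Role, Entity, Propagate
```

If the same user is also a member of another group that appears in the audit output for that object, that membership still grants the withheld privilege, so review the list before relying on the new role.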
mamelas (Author) Commented:
But how will that user be restricted from accessing/changing permissions and roles? Just because he will belong to a custom role and not to the administrator role?

For example, there is an option to restrict a user from powering the VM on or off.
Is there any restriction for accessing the Roles page or Permissions Tab??
0
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
"But how that user will be restricted from accessing/changing permissions and roles? just because he will belong to a custom role and not under administrator role?"

Correct. When you add Permissions for a user to an object in vCenter Server, you also assign them a role. As the user is not an Administrator, the user only has access to the permissions that have been assigned in the role.

"For example there is an option to restrict a user for powering on or off the VM."

Yes. Now can you find it? Have you looked at the Roles, and what options are available?

"Is there any restriction for accessing the Roles page or Permissions Tab??"

Does not matter, because they will not have permissions to do anything.
0
mamelas (Author) Commented:
So please confirm:

Role A - User A - Administrator Group (this user has access to everything and can also access the Roles, Users, Groups and make changes)

Role B (custom - all privileges checked) - User B - Custom Group (this user has access to everything but cannot change Roles, Users or Groups since he does not belong to the administrator's Group)

Is the above example correct??
0
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
Correct.

Test and try it, you'll not break anything....
0
mamelas (Author) Commented:
A++, thank you so much
0