Minimum privileges / permissions required for virtual machine user related tasks and assigning them to roles in VMware vCenter 4

It can be very frustrating, or even confusing, to deal with privileges / permissions and roles in VMware vCenter because permissions are inherited down the object hierarchy. At some point it becomes tempting to give up on security and grant users more permissions than they actually need.

The least privileges required for a user to work with his/her own virtual machines are listed below:

| Task | Privilege | Location |
|---|---|---|
| Create a virtual machine | Virtual Machine.Inventory.Create (*) | Destination folder or datacenter |
| | Virtual Machine.Configuration.Add New Disk (*) | Destination folder or datacenter |
| | Virtual Machine.Configuration.Add Existing Disk | Destination folder or datacenter |
| | Virtual Machine.Configuration.Raw Device | Destination folder or datacenter |
| | Resource.Assign Virtual Machine to Resource Pool (*) | Destination host, cluster, or resource pool |
| | Datastore.Allocate Space (*) | Destination datastore or datastore folder |
| | Network.Assign Network (*) | Network |
| Deploy a virtual machine from template | Virtual Machine.Provisioning.Deploy Template (plus the privileges marked (*) above, if the user does not already have them) | Destination folder or datacenter |
| Clone a virtual machine | Virtual Machine.Provisioning.Clone Virtual Machine (plus the privileges marked (*) above, if the user does not already have them) | Destination host, cluster, or resource pool |
| Take a snapshot | Virtual Machine.State.Create Snapshot | Destination folder or virtual machine |
| | Datastore.Allocate Space | Destination datastore or datastore folder |
| Revert to a snapshot | Virtual Machine.State.Revert to Snapshot | Destination folder or virtual machine |
| Remove a snapshot | Virtual Machine.State.Remove Snapshot | Destination folder or virtual machine |
| Power on / off and reset a virtual machine | Virtual Machine.Interaction.Power Off | Destination folder or virtual machine |
| | Virtual Machine.Interaction.Power On | Destination folder or virtual machine |
| | Virtual Machine.Interaction.Reset | Destination folder or virtual machine |
| Console interaction with a virtual machine | Virtual Machine.Interaction.Console Interaction | Destination folder or virtual machine |
| Connect / disconnect media or device | Virtual Machine.Interaction.Device Connection | Destination folder or virtual machine |
| Install VMware Tools | Virtual Machine.Interaction.Tools Install | Destination folder or virtual machine |

(*) marks the privileges that deploying from template and cloning also require, unless the user already holds them.

As you can see above, these privileges apply to different object types and relate to different operations in VMware vCenter. Therefore, instead of creating one role that holds all the permissions, the better approach is to create one role for each specific object type or operation. Here are the roles I have created for these permissions:

| Role | Privilege | Location |
|---|---|---|
| VMUserRole | Virtual Machine.Inventory.Create | Destination folder or virtual machine |
| | Virtual Machine.Configuration.Add New Disk | Destination folder or virtual machine |
| | Virtual Machine.Configuration.Add Existing Disk | Destination folder or virtual machine |
| | Virtual Machine.Configuration.Raw Device | Destination folder or virtual machine |
| | Virtual Machine.Provisioning.Deploy Template | Destination folder or virtual machine |
| | Virtual Machine.Provisioning.Clone Virtual Machine | Destination folder or virtual machine |
| | Virtual Machine.State.Create Snapshot | Destination folder or virtual machine |
| | Virtual Machine.State.Revert to Snapshot | Destination folder or virtual machine |
| | Virtual Machine.State.Remove Snapshot | Destination folder or virtual machine |
| | Virtual Machine.Interaction.Power Off | Destination folder or virtual machine |
| | Virtual Machine.Interaction.Power On | Destination folder or virtual machine |
| | Virtual Machine.Interaction.Reset | Destination folder or virtual machine |
| | Virtual Machine.Interaction.Console Interaction | Destination folder or virtual machine |
| | Virtual Machine.Interaction.Device Connection | Destination folder or virtual machine |
| | Virtual Machine.Interaction.Tools Install | Destination folder or virtual machine |
| DatastoreRole | Datastore.Allocate Space | Destination datastore or datastore folder |
| NetworkRole | Network.Assign Network | Network |
| ResourcePoolRole | Resource.Assign Virtual Machine to Resource Pool | Destination host, cluster, or resource pool |

Below you can see how these roles should be assigned to objects in VMware vSphere 4:
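As an added example (not the author's own code), the same four roles can be created and assigned with PowerCLI, which is easier to review and repeat than clicking through the vSphere Client. The script assumes an already connected session (Connect-VIServer), a placeholder group DOMAIN\vm-users, and placeholder folder, datastore, port group and resource pool names that you would replace with your own inventory objects. The privilege IDs are the vSphere API identifiers that correspond to the display names in the tables; confirm them in your own environment with Get-VIPrivilege before running. VMUserRole is assigned at a VM folder rather than on individual machines so that Virtual Machine.Inventory.Create has an object to apply to, and every permission is set to propagate so that it is inherited by the objects beneath.

```powershell
# Added example, not from the original post: build the four roles from the
# tables above and assign them at the object levels the tables specify.
# Assumes an open PowerCLI session (Connect-VIServer) and placeholder names.

$principal = 'DOMAIN\vm-users'   # placeholder group that should receive VM-user rights

# Display names from the tables mapped to vSphere privilege IDs.
# Verify each ID with:  Get-VIPrivilege | Select-Object Id, Name
$roles = @{
    'VMUserRole' = @(
        'VirtualMachine.Inventory.Create',
        'VirtualMachine.Config.AddNewDisk',
        'VirtualMachine.Config.AddExistingDisk',
        'VirtualMachine.Config.RawDevice',
        'VirtualMachine.Provisioning.DeployTemplate',
        'VirtualMachine.Provisioning.Clone',
        'VirtualMachine.State.CreateSnapshot',
        'VirtualMachine.State.RevertToSnapshot',
        'VirtualMachine.State.RemoveSnapshot',
        'VirtualMachine.Interact.PowerOff',
        'VirtualMachine.Interact.PowerOn',
        'VirtualMachine.Interact.Reset',
        'VirtualMachine.Interact.ConsoleInteract',
        'VirtualMachine.Interact.DeviceConnection',
        'VirtualMachine.Interact.ToolsInstall'
    )
    'DatastoreRole'    = @('Datastore.AllocateSpace')
    'NetworkRole'      = @('Network.Assign')
    'ResourcePoolRole' = @('Resource.AssignVMToPool')
}

# Create each role only if it does not exist yet; resolve IDs to privilege objects first
# so a mistyped ID fails here instead of silently producing an incomplete role.
foreach ($name in $roles.Keys) {
    $privs = Get-VIPrivilege -Id $roles[$name]
    if ($privs.Count -ne $roles[$name].Count) {
        throw "Not all privilege IDs for role '$name' were found on this vCenter"
    }
    if (-not (Get-VIRole -Name $name -ErrorAction SilentlyContinue)) {
        New-VIRole -Name $name -Privilege $privs | Out-Null
    }
}

# Assign each role at the level the tables give. -Propagate lets the permission
# flow down to the VMs, datastores and networks beneath the chosen object.
$assignments = @(
    @{ Role = 'VMUserRole';       Entity = Get-Folder -Name 'VM-Users' -Type VM }        # placeholder VM folder
    @{ Role = 'DatastoreRole';    Entity = Get-Datastore -Name 'Datastore01' }          # placeholder datastore
    @{ Role = 'NetworkRole';      Entity = Get-VirtualPortGroup -Name 'VM Network' }    # placeholder port group
    @{ Role = 'ResourcePoolRole'; Entity = Get-ResourcePool -Name 'VM-Users-Pool' }     # placeholder resource pool
)
foreach ($a in $assignments) {
    New-VIPermission -Entity $a.Entity -Principal $principal -Role $a.Role -Propagate:$true | Out-Null
}

# Review the result: everything the group can now do, and where it was granted.
Get-VIPermission -Principal $principal | Select-Object Entity, Role, Propagate
```

The final Get-VIPermission listing is the check worth keeping: if a role shows up on an object higher in the hierarchy than the tables intend (for example VMUserRole on the datacenter instead of a folder), propagation will extend those privileges to every object below it.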

You can add or remove permissions to roles according to your own design. I hope this helps you to design your own roles and decide which privileges are assigned to each role.

This entry was posted in Virtualization.