In our previous articles, we covered the explained what Roles, Privileges, and Permissions are in VMware ESX. VMware ESX Server comes with a number of administrative security roles already defined, by default. However, those default roles aren't going to fit the needs of every company or every network administrator. In this article, we will find out how to create custom VMware ESX Security.
Do you really know what remote vendors and privileged users are doing on your servers?
ObserveIT acts like a security camera on your servers!
Record & replay every remote user action as if you are looking over their shoulders.
Supports all session protocols: RDP, Citrix, VMware, SSH and more.
Default Roles in VMware ESX
From our article on VMware ESX Roles, Permissions & Privileges, we know that roles are groupings of these privileges for easy assignment. There are a number of default roles that are preconfigured groups of various assignments for different purposes. Here are the default routes and I think you will understand how these are used:
- No access user
- Read only user
- Virtual machine user
- Virtual machine power user
- Resource pool admin
- Datacenter admin
- Virtual machine admin
What if these default roles don't fit your needs? What if you want to assign a role to a certain user and all that user needs is the ability to reboot a virtual guest machine? There isn't a role for that but what if you wanted to assign the ability for all 10 users on the helpdesk to be able to reboot the helpdesk server if it was hung, without the ability for them to take control of the server or even power on the server. How would you do that? Let's find out...
Create a Custom Role in VMware ESX with the Virtual Infrastructure Client
To create a custom role, you have to move out of the typical ESX server and virtual machine server inventory and click on the Admin button, like this:
Once inside the Admin section, look at the different tabs. By default, you will be on the Roles tab. This is the tab where you are able to edit existing roles and create custom roles.
To create a custom role, you click the Add Role button. You will see the Add Role dialog box where you can enter a name for your role, like this:
Next, we need to define what the role can do. To do this, use the check boxes below the name of the role. In our case, we only want users who belong to this role to be able to reset the Helpdesk server. This privilege is located under Virtual Machine -> Interaction -> Reset. Simply check this box, like this:
Then, click OK and your role should be in the list:
Role with Users or Groups to create Permissions
Now, you want to take this role, group it with a user or group of users, create a permissions that is assigned to a server, virtual guest, data center, resource pool, or more.
To do this, go back to the level that you want to assign the role in your inventory.
Right-click on a server and click Add Permission.
In the box that appears, select the Role on the right that you want to apply. In our case, select the HelpDeskServerReset Role.
Next, click on the Add button.
Add the Helpdesk services group, such as I did here:
Now, click OK and you should see the combination of the role and the user group that is shown, like this:
At this point, if you click OK, the permission will be assigned.
To test this, all you need to do is to go into the VI Client, login as a member of that HelpDesk group, and the only thing you should see is the single HelpDesk Server. On the HelpDesk server, there will only be a single option, to reset the server.
The ability to use Windows AD users and groups makes assigning and maintaining roles much easier. Back in the Roles Administrative interface, you can even clone existing roles to make the creation process easier. The ability to create & apply custom roles is a major benefit of VMware ESX Server. At some point, you will certainly have to create custom roles and apply this. By having this article, I hope you have a heads start and good understanding of how it works.