
All-access not the solution for vCenter security

When it comes to security in IT, the first rule is "Trust no one." This becomes a problem once your company grows past a certain size. If you're using VMware, it becomes an issue when too many people hold full administrative access to vCenter, because vCenter administrator rights reach every host and virtual machine it manages.


Curing this vCenter security concern is quite easy with a bit of thought and a good design. Using vCenter roles, you can make administrator rights very granular, so that each group of admins can manage only the machines it is responsible for.

Before you start, there are a couple of global changes you should make. The most important is to remove the vCenter server's local Administrators group from the Administrator role at the root of the inventory. By default that group is granted full vCenter administrator rights, so anyone with local administrator rights on the vCenter server machine (including anyone who can add themselves to that local group) is a vCenter administrator across the entire estate. Do this only after you have granted the Administrator role at the root to a dedicated Active Directory group for your VMware admins, or you will lock yourself out.

Use the right vCenter view to apply security

Here is a simple scenario that you can use to separate rights between two admin groups, the Windows admin group and the Linux admin group, with you as the single VMware admin. It requires two Active Directory groups, one for each set of administrators. It is possible to assign individual users to roles, but this complicates things, especially when employees come and go, and it is considered bad practice: assign permissions to groups and manage membership in Active Directory.

(Figure: the roles listed in the vSphere Client.)

Within the vSphere Client, the Hosts and Clusters view uses yellow folders to organize physical items such as hosts and clusters. The VMs and Templates view uses blue folders to organize your logical infrastructure, and a VM can be placed in a blue folder regardless of which host or cluster it runs on. That is what makes blue folders the right place to apply per-team permissions. Permissions can be assigned to any inventory object, and when the propagate option is set they flow down through the tree from the object they are assigned on: a permission set at the vCenter root or Data Center level reaches everything beneath it, and a permission set on a folder reaches only that folder's contents.

To create Windows and Linux admin roles, go to Home>Administration>Roles. You will see several roles already created. Clicking on one reveals the users that hold that role.

Create a new role

Notice the sample roles that vCenter offers. To create a new role, clone the Virtual Machine Power User sample role: right-click it and choose Clone. A new role called Clone of Virtual machine power user (sample) will appear. It is considered best practice to clone the sample roles rather than edit them, so you can always start over if necessary. Rename the role (right-click, Rename) and call it WintelAdmins. Repeat the procedure and call the second one LinuxAdmins. Before you use either, open it and review its privilege list: the sample grants virtual machine interaction and configuration rights but nothing on hosts, networks or datastores, which is usually what you want for a team that should manage only its own VMs.

(Figure: creating the Windows and Linux administrator roles.)

Next, go back to vCenter, into the VMs and Templates view. Right-click on your Data Center, then New Folder. Name it Wintel. Repeat the process for Linux. Arrange your machines into the correct folders by dragging and dropping.

Use folders for easier administration

(Figure: adding permissions for the Windows administrators.)

You can now apply rights to these folders. Go back to the main window and select the VMs and Templates view. Click on your Wintel folder so that its machines are listed, then click the Permissions tab. Add the Wintel admins by right-clicking in the Permissions pane and choosing Add Permission.

Assign the correct rights

Click Add, then select the domain for the group you want to add and type the first few letters of the Wintel admin group's name. To make life easier, select Show Groups first before you click Search. If you already know the domain and group, you can enter them at the bottom of the dialog in the form domain\group. On the right, open the Assigned Role drop-down list and select the WintelAdmins role you created earlier. Leave Propagate to Child Objects checked so that the permission applies to every machine in the folder, including ones you move in later. Repeat the process on the Linux folder with the Linux admin group and the LinuxAdmins role. Finally, check the Permissions tab on the Data Center and at the vCenter root: if either admin group already holds a broader role higher up the tree, that broader permission is what takes effect on the VMs, not the one you just set on the folder.
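The same procedure, from removing the local Administrators group at the root through creating the roles, folders and folder permissions, can be scripted with VMware PowerCLI, which is also the easiest way to verify the end state. The script below is an added example and is not from the original tip. It assumes a vCenter at vcenter.example.com, a datacenter named DC01, Active Directory groups CORP\WintelAdmins, CORP\LinuxAdmins and CORP\vCenterAdmins, and VM names beginning WIN- or LNX-; all of these are placeholders.

```powershell
# Added example, not from the original article. Assumed names: vcenter.example.com,
# datacenter DC01, AD groups CORP\WintelAdmins, CORP\LinuxAdmins, CORP\vCenterAdmins,
# VMs named WIN-* and LNX-*. Requires VMware PowerCLI.
Connect-VIServer -Server 'vcenter.example.com'

$dc     = Get-Datacenter -Name 'DC01'
$vmRoot = Get-Folder -Name 'vm' -Location $dc -Type VM   # hidden root of the VMs and Templates view
$sample = Get-VIRole -Name 'Virtual machine power user (sample)'

# 1. Clone the sample role twice. A clone is a new role with the sample's
#    privilege list; the sample itself stays untouched so you can start over.
$roles = @{}
foreach ($roleName in 'WintelAdmins', 'LinuxAdmins') {
    $roles[$roleName] = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
    if (-not $roles[$roleName]) {
        $roles[$roleName] = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Role $sample)
    }
}

# 2. Create the blue (VM) folders under the datacenter and sort the VMs into them.
$folders = @{}
foreach ($pair in @(@('Wintel', 'WIN-*'), @('Linux', 'LNX-*'))) {
    $folderName, $vmPattern = $pair
    $folders[$folderName] = Get-Folder -Name $folderName -Location $vmRoot -Type VM -ErrorAction SilentlyContinue
    if (-not $folders[$folderName]) {
        $folders[$folderName] = New-Folder -Name $folderName -Location $vmRoot
    }
    Get-VM -Name $vmPattern -Location $dc | Move-VM -Destination $folders[$folderName] | Out-Null
}

# 3. Grant each AD group its role on its own folder only. Propagate so the
#    permission reaches every VM in the folder, including ones moved in later.
New-VIPermission -Entity $folders['Wintel'] -Principal 'CORP\WintelAdmins' -Role $roles['WintelAdmins'] -Propagate:$true
New-VIPermission -Entity $folders['Linux']  -Principal 'CORP\LinuxAdmins'  -Role $roles['LinuxAdmins']  -Propagate:$true

# 4. Remove the local Administrators group from the Administrator role (internal
#    name 'Admin') at the inventory root, but only once a named AD group holds
#    that role there, otherwise nobody can administer vCenter afterwards.
$root        = Get-Folder -NoRecursion                     # the root 'Datacenters' object
$rootAdmins  = Get-VIPermission -Entity $root | Where-Object { $_.Role -eq 'Admin' }
$localAdmins = $rootAdmins | Where-Object { $_.Principal -like '*\Administrators' -and $_.Principal -notlike 'CORP\*' }
$namedAdmins = $rootAdmins | Where-Object { $_.Principal -eq 'CORP\vCenterAdmins' }

if (-not $namedAdmins) {
    $namedAdmins = New-VIPermission -Entity $root -Principal 'CORP\vCenterAdmins' `
                                    -Role (Get-VIRole -Name 'Admin') -Propagate:$true
}
if ($namedAdmins -and $localAdmins) {
    $localAdmins | Remove-VIPermission -Confirm:$false
}

# 5. Verify. Any principal other than CORP\vCenterAdmins holding 'Admin', or a
#    team group holding a role above its own folder, is a finding to fix.
Get-VIPermission |
    Select-Object Entity, Principal, Role, Propagate |
    Sort-Object Entity, Principal |
    Format-Table -AutoSize
```

Step 5 is worth running on its own periodically, even if you do everything else in the vSphere Client: it lists every permission in the inventory in one table, which is the quickest way to spot a group that was granted a role at the Data Center or root level and therefore bypasses the folder design.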

This was first published in December 2013
