When it comes to security in IT, the first rule is "Trust no one." This often becomes a problem once your company gets above a certain size. If you're using VMware, it can become an issue if too many people have access to vCenter.
Tighten security in vCenter
Use vCenter roles wisely for VM security
Four steps to
But curing this vCenter security concern is quite easy with a bit of thought and a good design. Using vCenter roles, you can make admin user rights very granular.
When getting started with this, there are a few overall changes you should make. One really important change is to remove Local Administrators from the Global Admins role. Otherwise, anyone who has local administrator rights on the vCenter server machine has vCenter administrator rights across the entire estate.
Use the right vCenter view to apply security
Here is a simple scenario that you can use to separate rights between two admin groups, the Windows admin group and the Linux admin group, with you as the single VMware admin. It also requires that you have two Active Directory groups, one for each set of administrators. It is possible to place specific users into roles, but this complicates things, especially when you have employees coming and going. It is also considered bad practice.
Within the vCenter dashboard, yellow folders are used to collect physical items, such as folders within machines. These are used to organize your logical infrastructure. The blue folders (VMs and Templates), on the other hand, can have privileges assigned to them. Privileges flow down through the tree from the Data Center level.
To create Windows and Linux admin roles, go to Home>Administration>Roles. You will see several roles already created. Clicking on one reveals the users that hold that role.
Create a new role
Notice the sample roles that vCenter offers. To create a new role, clone the Power User sample role. First, right-click and press Clone. A new role called Clone of Virtual machine power user (sample) will appear. It is considered best practice to clone the roles, rather than use the existing ones. Doing this means you can always start over if necessary. Rename the role (right-click, rename). Call it WintelAdmins. Repeat the procedure and call that one LinuxAdmins.
Next, go back to vCenter, into the VMs and Templates view. Right-click on your Data Center, then New Folder. Name it Wintel. Repeat the process for Linux. Arrange your machines into the correct folders by dragging and dropping.
Use folders for easier administration
You can now apply rights to these folders. Go back to main window, VMs and Templates. Click on your Wintel folder so that its machines are in the left-hand pane and click the Permissions tab. Add the Wintel admins by right-clicking on Add Permissions
Assign the correct rights
Click Add, then select the domain for the group to add. Then, type in the first few letters of the Wintel admin group. To make life easier, select Show Groups first before you click Search. If you know the domain and group, you can enter in the bottom of the page in the form domain\group. On the left, go to the drop-down Assign Role list and select the Wintel Admins group you created earlier.
This was first published in December 2013