
All-access not the solution for vCenter security

Using VMware vCenter roles, you can cut back sharply on who holds full administrative access to vCenter while still giving each IT team the access it needs.

When it comes to security in IT, the first rule is "trust no one." That rule gets harder to follow once a company grows past a certain size, and in a VMware environment it breaks down quickly if too many people have full access to vCenter.


Curing this vCenter security concern is quite easy with a little thought and a good design. Using vCenter roles, you can make administrator rights very granular and hand each team only the privileges it actually needs.

Before you start, there are a few overall changes to make. One really important change is to remove the vCenter Server machine's local Administrators group from the Administrator role at the root of the vCenter inventory. On a vCenter Server running on Windows, that group is granted the Administrator role by default, so anyone with local administrator rights on the vCenter server machine (including anyone who can grant themselves those rights) has vCenter administrator rights across the entire estate. Before you remove it, add your own administrators group, ideally an Active Directory group, with the Administrator role at the root and confirm you can log in with it; otherwise removing the local group locks everyone out.
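The same change, done with VMware PowerCLI instead of the vSphere Client, with the lock-out check built in. This is an added example and not code from the original article; the server name vcenter.example.com, the vCenter machine name VCSRV01 and the group CORP\vCenterAdmins are placeholders you would replace with your own.

```powershell
# Added example (not from the original article): remove the vCenter Server
# machine's local Administrators group from the Administrator role at the
# inventory root, but only once another principal holds Administrator there.
# Assumes PowerCLI is loaded and these placeholder names:
#   vcenter.example.com  - the vCenter Server to connect to
#   VCSRV01              - NetBIOS name of the Windows machine running vCenter
#   CORP\vCenterAdmins   - the AD group that should keep full control
Connect-VIServer -Server 'vcenter.example.com' | Out-Null

$vcMachine = 'VCSRV01'
$keepGroup = 'CORP\vCenterAdmins'
$root      = Get-Folder -NoRecursion     # the hidden root folder above the datacenters

# The built-in Administrator role is named 'Admin' in PowerCLI.
# Make sure the replacement group already has it at the root; grant it if not.
$perms = Get-VIPermission -Entity $root
$kept  = $perms | Where-Object { $_.Principal -eq $keepGroup -and $_.Role -eq 'Admin' }
if (-not $kept) {
    New-VIPermission -Entity $root -Principal $keepGroup -Role 'Admin' -Propagate:$true | Out-Null
    Write-Host "Granted Administrator at the root to $keepGroup"
}

# Only now drop the local Administrators group that a Windows vCenter grants by default.
$perms | Where-Object { $_.Principal -eq "$vcMachine\Administrators" } |
    ForEach-Object {
        Write-Host "Removing role '$($_.Role)' from $($_.Principal) on $($_.Entity.Name)"
        Remove-VIPermission -Permission $_ -Confirm:$false
    }

# Verify: list every principal that still holds Administrator at the root.
# Only your own admin group should remain.
Get-VIPermission -Entity $root |
    Where-Object { $_.Role -eq 'Admin' } |
    Format-Table Principal, Role, Propagate -AutoSize
```

Run it from a session logged in as a member of the group you are keeping, and leave the vSphere Client session you used to set things up open until the verification at the end shows the expected result.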

Use the right vCenter view to apply security

Here is a simple scenario that separates rights between two admin groups, a Windows admin group and a Linux admin group, with you as the single VMware admin. It requires two Active Directory groups, one for each set of administrators. It is possible to assign permissions to individual users instead of groups, but that complicates things, especially as employees come and go, and it is considered bad practice: membership should be managed in Active Directory, not by editing permissions in vCenter.

Screenshot: the roles listed in the vSphere Client.

Within the vCenter inventory, the yellow folders in the Hosts and Clusters view hold the physical side of the estate: hosts, clusters and their resources. The blue folders in the VMs and Templates view organize the logical side, the virtual machines themselves. Permissions can be set on any inventory object, but for separating who manages which VMs the blue folders are the ones to use. A permission set with Propagate to Child Objects ticked flows down the tree from wherever it is set, so anything granted at the vCenter root or Data Center level applies to everything beneath it.

To create the Windows and Linux admin roles, go to Home > Administration > Roles. You will see several roles already created. Clicking on one shows the users and groups that hold that role and on which objects.

Create a new role

Notice the sample roles that vCenter offers. To create a new role, clone the Virtual machine power user (sample) role: right-click it and choose Clone. A new role called Clone of Virtual machine power user (sample) will appear. It is best practice to clone the sample roles rather than edit them in place, because the untouched originals stay available if you ever need to start over. Rename the clone (right-click, Rename) and call it WintelAdmins. Repeat the procedure and call that one LinuxAdmins. You can trim or extend each role's privileges later; the important point is that neither group gets the Administrator role.

Screenshot: creating the Windows and Linux administrator roles.

Next, go back to the vCenter inventory and switch to the VMs and Templates view. Right-click your Data Center and choose New Folder. Name it Wintel, then repeat the process for Linux. Move your machines into the correct folders by dragging and dropping.

Use folders for easier administration

Add permissions to Windows admins

Screenshot: adding permissions for the Windows administrators.

You can now apply rights to these folders. Go back to the main window, VMs and Templates. Click on your Wintel folder so that its machines are listed beneath it in the inventory pane, then click the Permissions tab. Right-click in the tab and choose Add Permission to add the Wintel admins.

Assign the correct rights

Click Add, then select the domain the group belongs to. Type the first few letters of the Wintel admin group; to make life easier, tick Show Groups First before you click Search. If you already know the domain and group, you can enter it directly at the bottom of the dialog in the form domain\group. Then open the Assigned Role drop-down list and select the WintelAdmins role you created earlier, and make sure Propagate to Child Objects is ticked so the permission reaches the VMs inside the folder, including any you add later. Repeat for the Linux folder with the Linux admin group and the LinuxAdmins role. Finally, check the result by logging in as a member of each group: a Wintel admin should be able to see and manage only the VMs in the Wintel folder, with nothing in the Linux folder visible.
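The whole procedure above (clone the sample role twice, create the two folders, sort the VMs, grant each group its role with propagation, then check) as a PowerCLI script. This is an added example and not code from the original article; it assumes an existing Connect-VIServer session, a datacenter named DC1, the Active Directory groups CORP\WintelAdmins and CORP\LinuxAdmins, and that the CORP domain is already a configured identity source in vCenter. It goes a little beyond the article by sorting VMs into the folders by configured guest OS rather than by hand.

```powershell
# Added example (not from the original article): roles, folders and folder
# permissions for separate Windows and Linux admin teams, using PowerCLI.
# Assumes Connect-VIServer has already been run and these placeholder names:
#   DC1                 - the datacenter to organize
#   CORP\WintelAdmins   - AD group for the Windows administrators
#   CORP\LinuxAdmins    - AD group for the Linux administrators
$dcName = 'DC1'
$groups = @{ Wintel = 'CORP\WintelAdmins'; Linux = 'CORP\LinuxAdmins' }

# 1. Clone the "Virtual machine power user (sample)" role twice, as in the article,
#    by creating new roles with the same privilege set. The samples stay untouched.
$sample = Get-VIRole -Name 'Virtual machine power user (sample)'
$privs  = Get-VIPrivilege -Role $sample
foreach ($roleName in 'WintelAdmins', 'LinuxAdmins') {
    if (-not (Get-VIRole -Name $roleName -ErrorAction SilentlyContinue)) {
        New-VIRole -Name $roleName -Privilege $privs | Out-Null
    }
}

# 2. Create the Wintel and Linux folders under the datacenter's VM root folder
#    (named 'vm'; the vSphere Client hides it but PowerCLI exposes it).
$dc      = Get-Datacenter -Name $dcName
$vmRoot  = Get-Folder -Location $dc -Type VM -Name 'vm' -NoRecursion
$folders = @{}
foreach ($key in $groups.Keys) {
    $f = Get-Folder -Location $vmRoot -Type VM -Name $key -NoRecursion -ErrorAction SilentlyContinue
    if (-not $f) { $f = New-Folder -Name $key -Location $vmRoot }
    $folders[$key] = $f
}

# 3. Sort the VMs into the folders by their configured guest OS type. This reads
#    the VM configuration, not VMware Tools, so it works for powered-off VMs too.
#    VMs whose guest type matches neither pattern are left where they are for a
#    human to place.
foreach ($vm in Get-VM -Location $dc) {
    $guest  = $vm.ExtensionData.Config.GuestFullName
    $target = if ($guest -like '*Windows*') { $folders.Wintel }
              elseif ($guest -match 'Linux|CentOS|Ubuntu|Red Hat|SUSE|Debian') { $folders.Linux }
              else { $null }
    if ($target -and $vm.Folder.Id -ne $target.Id) {
        Move-VM -VM $vm -Destination $target | Out-Null
    }
}

# 4. Grant each AD group its own role on its own folder. Propagate:$true is what
#    makes the permission reach the VMs inside the folder, now and later.
foreach ($key in $groups.Keys) {
    $roleName = "$($key)Admins"
    $existing = Get-VIPermission -Entity $folders[$key] |
                Where-Object { $_.Principal -eq $groups[$key] }
    if (-not $existing) {
        New-VIPermission -Entity $folders[$key] -Principal $groups[$key] `
                         -Role $roleName -Propagate:$true | Out-Null
    }
}

# 5. Check the result. Each folder should show exactly one entry: its own group,
#    its own role, Propagate = True. Anything else is a leftover to investigate.
foreach ($key in $groups.Keys) {
    Get-VIPermission -Entity $folders[$key] |
        Format-Table Entity, Principal, Role, Propagate -AutoSize
}
```

The check in step 5 only tells you what is set on the two folders; permissions inherited from the vCenter root or the datacenter still apply to the VMs inside them, so also run Get-VIPermission against the root folder and the datacenter and make sure the only Administrator entry there is your own admin group.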
