Customizing VMware user accounts to improve ESXi host security

To improve ESXi host security, you can create new VMware user accounts with specific permissions. Don’t just stick with the ESXi defaults.

VMware ESXi comes with default user accounts, but you can improve ESXi host security by creating and adding more accounts to each host. The more customized VMware user accounts you have, the more control you have over who can access your infrastructure and what permissions they have.

You can find the default VMware user accounts in the vSphere Client by selecting Local Users and Groups from the Inventory view. To create customized user accounts, you need to add the new user, then create a permissions profile -- called a role -- to associate to that user. Here’s how to create and add a new account:

  1. Start the vSphere Client and connect to the ESXi host.
  2. From the Inventory tab, select Local Users and Groups. You will see an overview of existing user accounts.
  3. Right-click on the blank space on the Local Users and Groups tab and select Add.

Figure 1: Right-click the white space to show a menu where you can add new accounts.

  4. In the Add New User window that appears, enter the login name and password for the user you want to create. You can also specify a unique identifier (UID) for this user and one or more groups that you want to add this user to, if any.
  5. Click OK. The user will now be included in the user accounts list.

Creating ESXi roles
Now that you’ve added the VMware user account, the next step toward improving ESXi host security is to grant some permissions to that user. To understand permissions, you need to understand ESXi roles, which grant certain privileges to users.

ESXi ships with three default roles: Administrator, Read Only and No Access. These roles cannot be modified.

Figure 2: The Roles icon on the vSphere Client home screen gives access to existing roles.

To assign privileges to new VMware user accounts that you’ve created, start by adding a new role from the Roles window. Click Add Role and enter the name of the new role you want to create. In the next window, you'll see a list of the available privileges. These include access to Host Profiles, scheduled tasks, alarms and more. The plus sign in front of each privilege hides specific tasks that you can activate for the selected items.

Figure 3: To define a new role, you must choose the privileges you want to assign.

Granting permissions to ESXi roles
Now that you've defined the new role and added privileges, you can use it to grant permissions to a specific object in the vSphere Client, either to individual users or to groups.

Start by selecting Home then Inventory in the vSphere Client. Next, select the object to which you want to give your user permissions and select the Permissions tab. Right-click on the blank space in this tab and click Add Permission, which opens the Assign Permissions window. From here, click Add to select the user you've just created. Then, in the Assigned Role drop-down list, select the role that you've just created. Make sure the option Propagate to Child Objects is selected and click OK to apply the newly assigned permissions to your new account.
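The same three steps (add the local user, define a narrow role, bind user and role to an object with propagation) can be scripted with VMware PowerCLI when you have many hosts. This is an added example and not part of the original article; the host name, account name, role name and privilege IDs are assumptions, and it assumes a direct connection to the ESXi host rather than to vCenter.

```powershell
# Added example (not from the article): automates the article's procedure
# with VMware PowerCLI against a single ESXi host. Host name, account name,
# role name and privilege IDs are assumptions; adjust them to your environment.

$esxiHost = 'esxi01.example.internal'   # placeholder host name
$userName = 'alarm-operator'            # constructed account name
$roleName = 'AlarmOperator'             # constructed role name

# Step 1: connect directly to the host (not vCenter) so local users are in scope.
# Omitting -Password makes PowerCLI prompt for the root credential.
Connect-VIServer -Server $esxiHost -User 'root' | Out-Null

# Step 2: add the local user account. The password is read interactively so it
# never sits in the script file.
$password = Read-Host -Prompt "Password for $userName"
New-VMHostAccount -Id $userName -Password $password `
    -Description 'Acknowledges alarms and runs scheduled tasks' | Out-Null

# Step 3: build a role from an explicit privilege list instead of reusing the
# unmodifiable Administrator role. These privilege IDs are assumed; list the
# real ones on your host with Get-VIPrivilege before relying on them.
$privilegeIds = @(
    'Alarm.Acknowledge', 'Alarm.Create',
    'ScheduledTask.Create', 'ScheduledTask.Run'
)
$privileges = Get-VIPrivilege -Id $privilegeIds
$role = New-VIRole -Name $roleName -Privilege $privileges

# Step 4: bind user and role to an object, propagating to child objects as the
# article's final step does. Here the object is the host itself.
$hostObject = Get-VMHost -Name $esxiHost
New-VIPermission -Entity $hostObject -Principal $userName `
    -Role $role -Propagate:$true | Out-Null

# Check: confirm the account holds only the intended role on the host, so no
# Administrator permission was granted by accident.
Get-VIPermission -Entity $hostObject -Principal $userName |
    Select-Object Principal, Role, Propagate

Disconnect-VIServer -Server $esxiHost -Confirm:$false
```

Run the final Get-VIPermission check after any change to a host's permissions; an unexpected Administrator row is the quickest sign that a role was assigned to the wrong user or object.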

Creating your own VMware user accounts helps you better define which users can perform which tasks on specific ESXi objects. By controlling user accounts, you have more control over ESXi host security.
