Lets Design, Implement and do Administration of ESX3

Virtualization with VMWare Infrastructure 3.0

VirtualCenter Security Model

Posted by Preetam on February 21, 2007

Now that we have installed Virtual Center, the next step is assigning permissions to the people who are responsible for managing VMware Infrastructure 3.0. To do that we need to understand how permissioning works. There are two elements in this: the first is the ESX host and the other is Virtual Center. Permissions on these two elements are separate and cannot be mixed with each other, for the simple reason that one is Linux and the other is Windows.

Security Model explained.

Let's take user Greg, who works in first-line support and needs maximum rights to shut down a VM in case it hangs or a user requests it.

Greg --> needs to reset VMs --> to achieve this we need to assign a permission

[User]    [Role]    [Privileges]

  1. Needs to reset VMs = TASK [ROLE]
  2. In order to do the TASK = need to assign permissions
  3. USER

All three together make up a permission in VMware, as in any security model. There is a little more to it, however: a permission is a combination of a user account, a role, privileges and the position in the inventory to which the user/role applies.

Greg can now be restricted to a datacenter or a VM. We can decide whether the same permissions should flow down across the datacenter or apply only to a specific folder. This is called propagation of permissions. VMware comes with predefined roles, which can be seen when you assign a permission. You have the option of selecting one of the predefined roles or creating one yourself. These predefined roles differ, however, between ESX and Virtual Center.

Predefined ESX Server Roles:

  1. No Access
  2. Read-Only
  3. Administrator

Predefined Virtual Center Roles (in addition to the predefined ESX Server roles):

  1. VM Administrator
  2. Datacenter Administrator
  3. Virtual Machine Power User
  4. Virtual Machine User
  5. Resource Pool Administrator

Custom roles can, however, be created for both ESX and VC.
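The model described above (user, role, privileges, inventory position, propagation) can be sketched as a small resolver. This is an added example, not VMware code or code from the original post; the inventory names, the custom role FirstLineSupport, the privilege labels, the default of "No Access" and the rule that the nearest assignment wins are assumptions of this sketch.

```python
# Simplified model of the permission scheme described above; not VMware code.
# Inventory names, the user and the custom role are constructed for illustration.

# Role = named set of privileges (privilege strings are illustrative labels).
ROLES = {
    "No Access": set(),
    "Read-Only": {"System.View"},
    "FirstLineSupport": {"System.View", "VirtualMachine.Interact.Reset",
                         "VirtualMachine.Interact.PowerOff"},  # hypothetical custom role
}

# Inventory: child -> parent (None marks the top of the inventory).
PARENT = {
    "Root": None,
    "DC-London": "Root",
    "Folder-Helpdesk": "DC-London",
    "Folder-Finance": "DC-London",
    "vm-web01": "Folder-Helpdesk",
    "vm-payroll": "Folder-Finance",
}

# Permission = (user, role, inventory object, propagate to children?)
PERMISSIONS = [
    ("greg", "Read-Only", "DC-London", True),
    ("greg", "FirstLineSupport", "Folder-Helpdesk", True),
    ("greg", "No Access", "Folder-Finance", False),  # not propagated
]

def effective_role(user, obj):
    """Walk from obj towards the top; the nearest applicable permission wins
    (assumption of this model). A permission on an ancestor only applies
    if it was set to propagate."""
    node, is_self = obj, True
    while node is not None:
        for u, role, target, propagate in PERMISSIONS:
            if u == user and target == node and (is_self or propagate):
                return role
        node, is_self = PARENT[node], False
    return "No Access"  # assumed default: nothing assigned on the path

def can(user, privilege, obj):
    """True if the user's effective role on obj contains the privilege."""
    return privilege in ROLES[effective_role(user, obj)]

def audit(privilege):
    """List (user, object) pairs that currently hold a privilege."""
    users = sorted({p[0] for p in PERMISSIONS})
    return [(u, o) for u in users for o in PARENT if can(u, privilege, o)]
```

In this model the non-propagated "No Access" on Folder-Finance does not reach vm-payroll, which still inherits Read-Only from the datacenter; checking the propagate flag on restrictive assignments is the kind of review `audit` supports.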



Virtual Center Security Model:

The Virtual Center security model uses accounts created in Windows, which can be local or domain accounts. Such an account is assigned a role, and the effect of that role is decided by the level of the hierarchy at which you apply it. By default, permission for VC is assigned to the local Administrators group of the Windows 2003 server at the top level of the inventory.

ESX Security Model:

The ESX security model uses user accounts created on the ESX Server, which are basically Linux user accounts. Such an account is assigned a role, and the effect of that role is decided by the level of the hierarchy at which you apply it. By default, vpxuser and root are already created and assigned the Administrator role. Vpxuser is used for interacting with the ESX server. Root is the admin account and performs tasks assigned by Virtual Center.


Step-by-Step process of assigning permissions:

  1. Select the object to which you wish to apply the permission.
  2. Expand the inventory.
  3. Right-click the object and select add permission.
  4. Select a role from the predefined list, or select a custom role.
  5. Select whether you wish to propagate the permission to child objects.
  6. Select the user (local/domain).
  7. Add the user to the users or group fields.

To create custom roles, go to the admin tab and right-click anywhere.

Name the role and select the privileges you wish to give to the role.

There is a lot in permissioning; I will update that later on.

