
Components of vCenter Server permissions

The vCenter Server recognizes permissions, not privileges. Each vCenter Server permission consists of three components.

These components, each described in its own section below, are privileges, a vSphere object, and a user or group.

As the following diagram illustrates, you must have all three elements in order to have a permission.

Note: In this diagram, the gray boxes indicate components that exist in the vCenter Server, and the white boxes indicate components that exist in the operating system where the vCenter Server is running.

Privileges

Two kinds of privileges are associated with Virtual Storage Console for VMware vSphere: the privileges that come with vCenter Server and the privileges that are defined for VSC.

Note: For ease of reading, this document refers to the vCenter Server privileges as native privileges, and the privileges that are defined for VSC as VSC-specific privileges. For detailed information about VSC-specific privileges, see Virtual Storage Console for VMware vSphere Advanced RBAC Configuration. For information about vCenter Server native privileges, see VMware's vSphere Security guide. At the time this document was created, that guide was online at the following site:

http://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-601-security-guide.pdf

NetApp follows the VMware recommendations for creating and using permissions.

VSC tasks require both VSC-specific privileges and vCenter Server native privileges. These privileges constitute the "role" for the user. A permission can have multiple privileges.

Note: To simplify working with vCenter Server RBAC, VSC provides several standard roles that contain all the VSC-specific and native privileges that are required to perform VSC tasks.

If you change the privileges within a permission, the user that is associated with that permission should log out and then log back in to enable the updated permission.

vSphere objects

Permissions are associated with vSphere objects, such as the vCenter Server, ESXi hosts, virtual machines, datastores, datacenters, and folders. You can assign permissions to any vSphere object. Based on the permission that is assigned to a vSphere object, the vCenter Server determines who can perform which tasks on that object.

Users and groups

You can use Active Directory (or the local vCenter Server machine) to set up users and groups of users. You can then use vCenter Server permissions to grant access to these users or groups to enable them to perform specific VSC tasks.

Note: These vCenter Server permissions apply to VSC vCenter users, not to VSC administrators. By default, VSC administrators have full access to the product and do not require permissions assigned to them.

Users and groups do not have roles assigned to them. They gain access to a role by being part of a vCenter Server permission.

You can assign only one permission to a vCenter user or group. However, you can set up high-level groups, and then assign a single user to multiple groups. Doing that allows the user to have all the permissions that are provided by the different groups. In addition, using groups simplifies the management of permissions by eliminating the need to set up the same permission multiple times for individual users.
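The following added example (not NetApp or VMware code) models the three-component permission described above and reports which native and VSC-specific privileges a user is missing for a task once group membership is taken into account. All role, privilege, group, and object names are constructed placeholders, and the model assumes an exact object match with no inheritance between objects.

```python
from dataclasses import dataclass

# Constructed sample data: role, privilege, group and object names are
# placeholders, not real vCenter Server or VSC identifiers.
ROLES = {
    "ExampleVscProvision": {"native.example.allocate", "vsc.example.provision"},
    "ExampleReadOnly": {"native.example.view"},
}
GROUPS = {"storage-admins": {"alice"}, "auditors": {"alice", "bob"}}

@dataclass(frozen=True)
class Permission:
    role: str       # component 1: the privileges, bundled as a role
    obj: str        # component 2: the vSphere object
    principal: str  # component 3: a user or group

PERMISSIONS = [
    Permission("ExampleVscProvision", "datacenter-1", "storage-admins"),
    Permission("ExampleReadOnly", "datacenter-1", "auditors"),
    Permission("ExampleVscProvision", "datacenter-1", ""),  # incomplete: no principal
]

def is_complete(p):
    """A permission exists only when all three components are present."""
    return bool(ROLES.get(p.role)) and bool(p.obj) and bool(p.principal)

def effective_privileges(user, obj):
    """Union of privileges from complete permissions on obj that name the user or one of the user's groups."""
    principals = {user} | {g for g, members in GROUPS.items() if user in members}
    privs = set()
    for p in PERMISSIONS:
        if is_complete(p) and p.obj == obj and p.principal in principals:
            privs |= ROLES[p.role]
    return privs

def missing_for_task(user, obj, required):
    """Privileges the task needs that the user lacks, split by kind."""
    missing = set(required) - effective_privileges(user, obj)
    return {
        "native": sorted(m for m in missing if m.startswith("native.")),
        "vsc": sorted(m for m in missing if m.startswith("vsc.")),
    }

# A hypothetical VSC task that needs one native and one VSC-specific privilege.
PROVISION_TASK = {"native.example.allocate", "vsc.example.provision"}
```

Calling `missing_for_task("bob", "datacenter-1", PROVISION_TASK)` shows the typical access problem: a user who holds a permission on the object through one group but whose role lacks both kinds of privilege the task requires.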