The VCP6-DCV Certification was recently announced and there is a VCP6-DCV Delta (or What’s New) beta exam available. I have registered for the exam and will be sitting it on April 27. I will be putting together a series of posts with my notes covering the exam objectives as I prepare to sit the exam.
This post covers Section 1, Configure and Administer vSphere Security, Objective 1.1, Configure and Administer Role-based Access Control.
The vSphere Knowledge covered in this objective:
- Identify common vCenter Server privileges and roles
- Describe how permissions are applied and inherited in vCenter Server
- View/Sort/Export user and group lists
- Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
- Create/Clone/Edit vCenter Server Roles
- Determine the correct roles/privileges needed to integrate vCenter Server with other VMware products
- Determine the appropriate set of privileges for common tasks in vCenter Server
Objective 1.1 VMware Resources and Tools include:
- vSphere Installation and Setup Guide
- vSphere Security Guide
- What’s New in the VMware vSphere® 6.0 Platform
- vSphere Administration with the vSphere Client Guide
- vCenter Server, vSphere Web Client
The primary reference for this section is the vSphere Security Guide Section 4 starting on page 111.
– Identify common vCenter Server privileges and roles
A Role is a collection of privileges which can be assigned to a user or group.
Manage Roles and Privileges using the Web Client -> Home -> Roles
Common vCenter Roles:
- Administrator
Includes all Privileges.
- Read-only
Includes only View Privileges.
- No Access
Prohibits access to the object the Role is applied to.
- Tagging Admin <- New Role
A user or group assigned this Role can create tags, assign or unassign tags, delete tags, edit tags, create tag categories, modify tag categories, and delete tag categories.
- Several other sample roles (Resource pool administrator, Virtual machine user, VMware Consolidated Backup user, Datastore consumer, Network administrator, Content library administrator, and Virtual machine power user) are included which can be cloned or modified.
Privileges are access controls which can be grouped together to form a Role.
A Permission is a Role (a group of privileges) which has been assigned to a user or group and applied to a vCenter Inventory object. Permissions are assigned using the Web Client -> vCenter Object -> Manage -> Permissions
Permissions can be assigned to users or groups authenticated through Single Sign-on (SSO).
– Describe how permissions are applied and inherited in vCenter Server
Global permissions can be assigned in the Web Client -> Home -> Administration -> Global Permissions. Global permissions apply to all objects in the inventory hierarchies of the environment. If you de-select Propagate to children, the users or groups associated with the Global permission will not have access to the objects in the hierarchy; they only have access to some global functionality, such as creating roles.
Permissions on objects in vCenter Inventory are managed using the Web Client -> Selected Object -> Manage -> Permissions
Permissions can be applied directly to the object or propagated to children.
The View Children link shows all the children the permission will apply to if the Propagate to children checkbox is selected.
If a user is a member of more than one group and the groups are assigned different permissions on the same object, the user has the union of the privileges contained in the roles. Example vSphere Security Guide Section 4, page 116.
Permissions applied to a child object override the permissions applied to the parent object. For example, if a user is assigned the Administrator Role on the vCenter object with Propagate to children selected, and the same user is assigned the No Access Role on a host in the vCenter inventory, the No Access Role is applied to the host and, if set to propagate, to its children. Example vSphere Security Guide Section 4, page 116.
A permission assigned directly to a user overrides a permission assigned to a group on the same object. For example, if a user is a member of a group which has the Administrator Role applied on an object, and a permission has been assigned to the user with the No Access Role on the same object, the user permission takes precedence. Example vSphere Security Guide Section 4, page 117.
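To make the three precedence rules above concrete, here is a small Python model of how vCenter resolves a user's effective privileges on an inventory object. It is an added example written for these notes, not VMware code and not the vSphere API; the inventory, the principals (alice, bob, carol and the ops-admins, vm-operators and auditors groups) and the role privilege sets are constructed, and the roles are an illustrative subset of the real built-in roles (the privilege IDs are the API-style names). It simplifies the guide's rules into one walk: starting at the object and moving toward the root, the nearest object that carries any applicable permission for the user or one of their groups decides the result.

```python
"""Toy model of vCenter permission resolution (added example, not VMware code).

Rules modelled, in the order the vSphere Security Guide describes them:
  1. A permission on a child object overrides one propagated from a parent
     (the nearest object on the path with an applicable permission wins).
  2. On that object, a permission assigned directly to the user takes
     precedence over any group permissions.
  3. Otherwise a user in several groups gets the union of the groups' roles.
  4. Global permissions sit on a root above the vCenter root object and
     reach the inventory only when they propagate.
Privilege IDs are API-style strings; the role contents are an illustrative
subset, not the full built-in roles (assumption for this example).
"""
from dataclasses import dataclass, field

ROLES = {
    "Administrator": {"System.Anonymous", "System.View", "System.Read",
                      "Authorization.ModifyPermissions",
                      "VirtualMachine.Interact.PowerOn",
                      "VirtualMachine.Interact.PowerOff"},
    "Read-only": {"System.Anonymous", "System.View", "System.Read"},
    "No access": set(),
    "VM power user (custom)": {"System.Anonymous", "System.View", "System.Read",
                               "VirtualMachine.Interact.PowerOn",
                               "VirtualMachine.Interact.PowerOff"},
}


@dataclass
class Permission:
    principal: str          # user name or group name
    role: str               # key into ROLES
    propagate: bool = True  # "Propagate to children" checkbox
    is_group: bool = False


@dataclass
class InvObject:
    name: str
    parent: "InvObject | None" = None
    permissions: list = field(default_factory=list)

    def path_from_root(self):
        node, path = self, []
        while node is not None:
            path.append(node)
            node = node.parent
        return list(reversed(path))  # global root first, self last


def effective_privileges(obj, user, groups):
    """Privilege set `user` (a member of `groups`) holds on `obj`."""
    principals = {user} | set(groups)
    for node in reversed(obj.path_from_root()):   # nearest object first (rule 1)
        applicable = [p for p in node.permissions
                      if p.principal in principals
                      and (node is obj or p.propagate)]  # ancestors count only if propagating
        if not applicable:
            continue
        user_perms = [p for p in applicable if not p.is_group]
        if user_perms:                                # rule 2: user beats group
            return set(ROLES[user_perms[0].role])
        privs = set()                                 # rule 3: union of group roles
        for p in applicable:
            privs |= ROLES[p.role]
        return privs
    return set()                                      # no permission anywhere


def can(obj, user, groups, privilege):
    return privilege in effective_privileges(obj, user, groups)


# Constructed sample inventory: global root -> vCenter -> Datacenter -> Host -> VM
GLOBAL_ROOT = InvObject("Global root")
VCENTER = InvObject("vcenter01", GLOBAL_ROOT)
DC = InvObject("Datacenter", VCENTER)
HOST = InvObject("esxi01", DC)
VM = InvObject("web01", HOST)

# Constructed assignments mirroring the guide's examples (names are made up).
GLOBAL_ROOT.permissions.append(Permission("ops-admins", "Administrator", propagate=False, is_group=True))
VCENTER.permissions.append(Permission("vm-operators", "VM power user (custom)", is_group=True))
VCENTER.permissions.append(Permission("auditors", "Read-only", is_group=True))
HOST.permissions.append(Permission("alice", "No access"))           # child overrides parent
DC.permissions.append(Permission("bob", "Read-only", propagate=False))  # user overrides group

if __name__ == "__main__":
    for who, grp, target in [("alice", ["vm-operators", "auditors"], VCENTER),
                             ("alice", ["vm-operators", "auditors"], VM),
                             ("bob", ["vm-operators"], DC),
                             ("bob", ["vm-operators"], HOST),
                             ("carol", ["ops-admins"], VCENTER)]:
        print(who, "on", target.name, "->", sorted(effective_privileges(target, who, grp)))
```

Two consequences worth checking against your own environment: in this model a group's No Access permission adds nothing to the union, so it only blocks a user when it is assigned to the user directly or on a nearer object; and a global permission with Propagate to children cleared (carol above) grants nothing on the vCenter object itself.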
Best Practices for Roles and Permissions can be found in the vSphere Security Guide Section 4, page 125.
– View/Sort/Export user and group lists
To view Global Permissions Web Client -> Home -> Administration -> Global Permissions.
To view permissions for a specific inventory object Web Client -> Selected Object -> Manage -> Permissions.
Viewing permissions shows the User/Group, the Role, and where the permission is defined: Global Permission, This object and its children, This object, or the parent object on which the permission was defined.
– Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
– Create/Clone/Edit vCenter Server Roles
vSphere Security Guide Section 4, page 121.
Global Roles can be created, cloned, or edited in the Web Client -> Home -> Administration -> Roles.
Manage Roles and Privileges using the Web Client -> Home -> Roles
The default system Roles are Administrator, Read-only, and No access. These Roles cannot be edited or deleted, but they can be cloned as the starting point for a custom Role.
– Determine the correct roles/privileges needed to integrate vCenter Server with other VMware products
Global permissions are applied to a global root object that spans solutions, for example, both vCenter Server and vCenter Orchestrator. vSphere Security Guide Section 4, page 120.
Extension privileges – Register extension, Unregister extension, Update extension – are what a solution needs in order to register itself with vCenter Server.
– Determine the appropriate set of privileges for common tasks in vCenter Server
The privilege Permissions -> Modify permission is required to modify the permissions on a vCenter object.
Privileges include creating/modifying/deleting Alarms, Virtual Machines, Network, Datastores, Folders, etc.
Required privileges for common tasks can be found in the vSphere Security Guide Section 4, page 125.
A complete list of privileges can be found in the vSphere Security Guide Section 10, page 227.
This is interesting: Changes to licenses propagate to all vCenter Server systems that are linked to the same Platform Services Controller or to Platform Services Controllers in the same vCenter Single Sign-On domain, even if the user does not have privileges on all of the vCenter Server systems.
More Section Objectives in the VCP6-DCV Delta Exam Study Guide Index
I hope you found this helpful. Feel free to add anything associated with this section using the comments below. Happy studying.