
Apr 03

VCP6-DCV Delta Study – Section 1 – Objective 1.1

The VCP6-DCV Certification was recently announced and there is a VCP6-DCV Delta (or What’s New) beta exam available. I have registered for the exam and will be sitting it on April 27. I will be putting together a series of posts with my notes covering the exam objectives as I prepare to sit the exam.

This post covers Section 1, Configure and Administer vSphere Security, Objective 1.1, Configure and Administer Role-based Access Control.

The vSphere Knowledge covered in this objective:

  • Identify common vCenter Server privileges and roles
  • Describe how permissions are applied and inherited in vCenter Server
  • View/Sort/Export user and group lists
  • Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
  • Create/Clone/Edit vCenter Server Roles
  • Determine the correct roles/privileges needed to integrate vCenter Server with other VMware products
  • Determine the appropriate set of privileges for common tasks in vCenter Server

Objective 1.1 VMware Resources and Tools include:

The primary reference for this section is the vSphere Security Guide Section 4 starting on page 111.


– Identify common vCenter Server privileges and roles

A Role is a collection of privileges which can be assigned to a user or group.

Manage Roles and Privileges using the Web Client -> Home -> Roles

Common vCenter Roles:

  • Administrator
    Includes all Privileges
  • Read-only
    Includes only View Privileges
  • No Access
    Prohibits access to the object the Role is applied to.
  • Tagging Admin <- New Role
    A user or group assigned this Role can create tags, assign or unassign tags, delete tags, edit tags, create tag categories, modify tag categories, and delete tag categories.
  • Several other sample roles (Resource pool administrator, Virtual machine user, VMware Consolidated Backup user, Datastore consumer, Network administrator, Content library administrator, and Virtual machine power user) are included which can be cloned or modified.

Privileges are the individual access rights (the smallest unit of access control) which are grouped together to form a Role.

A Permission is a Role (a group of privileges) which has been assigned to a user or group and applied to a vCenter Inventory object. Permissions are assigned using the Web Client -> vCenter Object -> Manage -> Permissions

Permissions can be assigned to users or groups authenticated through Single Sign-on (SSO).

From Web Client -> Home -> Roles selecting a Role and selecting Usage will display where the Role has been applied and for which users/groups.
[screenshot: role-usage]

– Describe how permissions are applied and inherited in vCenter Server

Global permissions can be assigned in the Web Client -> Home -> Administration -> Global Permissions. Global permissions apply to all objects in all inventory hierarchies of the environment. If you de-select Propagate to children, the users or groups associated with the Global permission will not have access to the objects in the hierarchies; they only have access to some global functionality, such as creating roles.

Permissions on objects in vCenter Inventory are managed using the Web Client -> Selected Object -> Manage -> Permissions

Permissions can be applied directly to the object or propagated to children.
[screenshot: propagate-permissions]
The View Children link shows all the children the permission will apply to if the Propagate to children checkbox is selected.
[screenshot: view-children]

If a user is a member of more than one group and the groups are assigned different roles on the same object, the user has the combined privileges of all of those roles. Example vSphere Security Guide Section 4, page 116.

Permissions applied to a child object override permissions propagated from the parent object. For example, if a user is assigned the Administrator role on the vCenter object with Propagate to children set, and the same user is assigned the No Access role on a host in the vCenter inventory, the No Access role applies to the host and, if set to propagate, to its children. Example vSphere Security Guide Section 4, page 116.

A permission assigned directly to a user overrides a permission the user holds through a group on the same object. For example, if a user is a member of a group which has the Administrator role applied on an object, and a permission has been assigned to the user with the No Access role on the same object, the user permission takes precedence. Example vSphere Security Guide Section 4, page 117.
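To make the three precedence rules above concrete, here is a small Python model of how vCenter resolves a user's effective privileges on an inventory object. It is an added example for these notes, not code from the post or from VMware, and its inventory tree, roles, users and groups are all constructed sample data; the privilege labels are illustrative, not real vSphere privilege IDs. It simplifies one thing: every object has a single parent, whereas a virtual machine in vCenter inherits from both its VM folder and its host, cluster or resource pool.

```python
"""Model of how vCenter resolves effective privileges for a user on an
inventory object. Added example (not from the study notes or from VMware);
it encodes the rules the notes describe:
  1. a permission set on a child object overrides one propagated from a parent,
  2. on the same object, a permission granted to the user directly overrides
     permissions the user holds through group membership,
  3. when only group permissions apply, the user gets the union of the groups' roles.
Inventory, roles, users and groups are constructed; privilege labels are illustrative.
"""
from dataclasses import dataclass

# Constructed inventory: child -> parent. "root" stands in for the global root object.
# Simplification: single parent per object (real VMs also inherit from their VM folder).
INVENTORY = {
    "vcenter": "root",
    "dc1": "vcenter",
    "cluster1": "dc1",
    "host1": "cluster1",
    "host2": "cluster1",
    "vm1": "host1",
    "vm2": "host2",
}

ALL_PRIVILEGES = {"System.View", "VM.PowerOn", "VM.Snapshot", "Host.Config", "Permissions.Modify"}

# Roles are named sets of privileges. "No Access" is the empty set: it grants nothing,
# so when it wins the resolution the user ends up with no privileges on the object.
ROLES = {
    "Administrator": set(ALL_PRIVILEGES),
    "Read-only": {"System.View"},
    "No Access": set(),
    "Virtual machine user": {"System.View", "VM.PowerOn"},   # sample role, assumed contents
    "Snapshot operator": {"System.View", "VM.Snapshot"},     # hypothetical custom role
}

GROUPS = {                       # constructed SSO groups and their members
    "vm-operators": {"alice"},
    "snapshot-team": {"alice"},
    "host-admins": {"alice", "bob"},
}


@dataclass(frozen=True)
class Permission:
    principal: str          # user or group name
    role: str
    obj: str                # inventory object the permission is defined on
    propagate: bool = True  # the "Propagate to children" checkbox


def groups_of(user):
    return {g for g, members in GROUPS.items() if user in members}


def path_to_root(obj):
    """obj, its parent, ..., up to and including the root object."""
    path = [obj]
    while path[-1] in INVENTORY:
        path.append(INVENTORY[path[-1]])
    return path


def applicable(perms, node, principals, inherited):
    """Permissions defined on `node` for any of `principals`. A permission defined on
    an ancestor only reaches the object if Propagate to children was set."""
    return [p for p in perms
            if p.obj == node and p.principal in principals and (p.propagate or not inherited)]


def effective_privileges(perms, user, obj):
    """Walk from obj toward root; the nearest level with a matching permission decides (rule 1)."""
    for depth, node in enumerate(path_to_root(obj)):
        inherited = depth > 0
        direct = applicable(perms, node, {user}, inherited)
        if direct:                        # rule 2: user permission beats group permissions here
            return set().union(*(ROLES[p.role] for p in direct))
        via_groups = applicable(perms, node, groups_of(user), inherited)
        if via_groups:                    # rule 3: union of every matching group role
            return set().union(*(ROLES[p.role] for p in via_groups))
    return set()                          # no permission anywhere on the path: no access


def has_privilege(perms, user, obj, privilege):
    return privilege in effective_privileges(perms, user, obj)


# Constructed permission set exercising the three rules plus a non-propagating global permission.
PERMISSIONS = [
    Permission("vm-operators", "Virtual machine user", "vcenter"),
    Permission("snapshot-team", "Snapshot operator", "vcenter"),
    Permission("alice", "No Access", "host1"),                      # child overrides parent
    Permission("host-admins", "Administrator", "host2"),
    Permission("bob", "No Access", "host2"),                        # user beats group on same object
    Permission("carol", "Administrator", "root", propagate=False),  # global permission, not propagated
]

if __name__ == "__main__":
    for user, obj in [("alice", "cluster1"), ("alice", "host1"), ("alice", "vm1"),
                      ("alice", "host2"), ("bob", "vm2"), ("carol", "vcenter")]:
        privs = sorted(effective_privileges(PERMISSIONS, user, obj))
        print(f"{user:6} on {obj:8}: {privs or 'no access'}")
```

Running the script prints the resolution for each sample pair: alice gets the union of her two group roles on cluster1, nothing on host1 and vm1 because of the No Access permission on host1, and Administrator on host2 through host-admins; bob gets nothing on vm2 because his direct No Access on host2 beats the group's Administrator and propagates down; carol's global permission without propagation gives her nothing on the vcenter object itself.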

Best Practices for Roles and Permissions can be found in the vSphere Security Guide Section 4, page 125.

– View/Sort/Export user and group lists
To view Global Permissions Web Client -> Home -> Administration -> Global Permissions.

To view permissions for a specific inventory object Web Client -> Selected Object -> Manage -> Permissions.

Viewing permissions shows the User/Group, Role, and where the permission is defined – Global Permission, This object and its children, This object, or the Parent Object where the permission has been defined.

A list of User/Group Roles can be exported to a CSV file or copied to the Clipboard.
[screenshot: export-permissions]
Tip: Ctrl + Click copies the selected permissions to the clipboard.

– Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects

Permissions are added/modified/removed on inventory objects in the Web Client -> Selected Object -> Manage -> Permissions
[screenshot: addmodifydelete]

– Create/Clone/Edit vCenter Server Roles

vSphere Security Guide Section 4, page 121.

Roles can be created, cloned, or edited in the Web Client -> Home -> Administration -> Roles (also reachable via Web Client -> Home -> Roles).

The default Roles are Administrator, Read-only, and No access. These Roles cannot be edited or deleted, but the roles can be cloned.

To clone a Role, select the Role and select the Clone role action icon.
[screenshot: clone-admin-role]

– Determine the correct roles/privileges needed to integrate vCenter Server with other VMware products

Global permissions are applied to a global root object that spans solutions, for example, both vCenter Server and vCenter Orchestrator. vSphere Security Guide Section 4, page 120.

Extension privileges (used when registering a solution or plug-in with vCenter Server): Register extension, Unregister extension, Update extension.

– Determine the appropriate set of privileges for common tasks in vCenter Server

The Permissions -> Modify permission privilege is required to modify the permissions on a vCenter object.
Other privileges cover creating, modifying, and deleting Alarms, Virtual Machines, Networks, Datastores, Folders, etc.

Required privileges for common tasks can be found in the vSphere Security Guide Section 4, page 125.

A complete list of privileges can be found in the vSphere Security Guide Section 10, page 227.

This is interesting: Changes to licenses propagate to all vCenter Server systems that are linked to the same Platform Services Controller or to Platform Services Controllers in the same vCenter Single Sign-On domain, even if the user does not have privileges on all of the vCenter Server systems.


More Section Objectives in the VCP6-DCV Delta Exam Study Guide Index

I hope you found this helpful. Feel free to add anything associated with this section using the comments below. Happy studying.

About the author

vHersey

Hersey Cartwright is an IT professional with extensive experience designing, implementing, managing, and supporting technologies that improve business processes. Hersey is Solutions Architect for SimpliVity covering Virginia, Washington DC, and Maryland. He holds the VMware Certified Design Expert (VCDX-DV #128) certification. Hersey actively participates in the VMware community and was awarded the VMware vExpert title in 2016, 2015, 2014, 2013, and 2012. He enjoys working with, teaching, and writing about virtualization and other data center technologies. Follow Hersey on Twitter @herseyc

3 comments

  1. karlo

    hi Hersey

    you are going to take this test right?

    2V0-621D

    thanks

    1. vHersey

      Karlo,

      Yes that is correct. It is the Delta exam for VCP6.

      Thanks for stopping by.
      Hersey

      1. karlo

        Cool vHersey

        I think I will be following your posts about this test. I already requested the authorization. Do you know which is the last day to schedule this test: 2V0-621D?

        thanks
