A role is a collection of privileges. Roles provide a way to add all the individual privileges that are required to perform a number of tasks, such as administering a vSphere host.
Object An object is an item on which actions can be performed. vCenter Server objects are datacenters, folders, resource pools, clusters, hosts, and VMs.
Granting Privileges
Privileges are found in the vSphere Web Client. When using the Roles wizard, you are able to add new privileges. The privileges are listed in Figure 1-3.
Figure 1-3 : vCenter Server Privileges
How many privileges are there? Think of any action you have ever performed in the vCenter Client. Think about the actions you have not yet come across or used in your everyday job. Now add them up, and you will have some idea of how many privileges there are in vCenter Server. Luckily, we are able to use PowerCLI to come up with a scientific answer for this question. You can easily list all privileges available to assign to a user through vCenter Server using the Get-VIPrivilege cmdlet:
We purposely truncated the output listing due to the large number of privileges available. You can count the number of privileges available for assigning to your roles and users or groups by using the Measure-Object cmdlet:
You can also use the Get-VIPrivilege cmdlet to show only the privileges available to certain sets of objects like a host:
You can view which groups (collections of privileges) are available by using the Get-VIPrivilege cmdlet with the -PrivilegeGroup parameter, as shown here:
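The inventory steps above (list, count, filter by object type, list groups) combined into one script, as an added example that is not one of the book's listings; it assumes an existing Connect-VIServer session and groups privileges by the first component of their Id.

```powershell
# Added example (not the book's listing): inventory vCenter privileges by group.
# Assumes an existing Connect-VIServer session.
$privs = Get-VIPrivilege -PrivilegeItem     # leaf privileges only, no group nodes
Write-Host ("Total assignable privileges: {0}" -f ($privs | Measure-Object).Count)

# Count privileges per top-level group (the part of the Id before the first dot),
# which shows where most of the assignable surface area sits
$privs |
    Group-Object { $_.Id.Split('.')[0] } |
    Sort-Object Count -Descending |
    Select-Object @{N='Group';E={$_.Name}}, Count |
    Format-Table -AutoSize

# Host-related privileges only, using the -Group parameter
Get-VIPrivilege -Group 'Host' -PrivilegeItem |
    Select-Object Id, Name, Description |
    Sort-Object Id

# Names of all privilege groups (what the -PrivilegeGroup switch returns)
Get-VIPrivilege -PrivilegeGroup | Select-Object -ExpandProperty Id
```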
Creating New Roles
A number of default roles come preconfigured with the installation of vCenter Server (see Figure 1-4). By selecting a role in the vSphere Web Client, you can see the list of privileges given to that role (on the right side). Each privilege category may be expanded and collapsed to see all the privileges set for the current role.
Figure 1-4 : vCenter Server roles
You can see an overview of the predefined roles by using the Get-VIRole cmdlet, as shown here:
Now that you know that a role is a group of privileges and you’ve learned to use the Get-VIPrivilege and Get-VIRole cmdlets, we want to introduce you to New-VIRole. You can use the New-VIRole cmdlet with Get-VIPrivilege to define a new role. You can define your own group of privileges, which can later be assigned to your users. An example is shown in Listing 1-8; you can see the results in the vCenter Client, as shown in Figure 1-5.
Listing 1-8: Creating a new role
A new role can also be created at a granular level. First, choose the privileges you want to use:
Figure 1-5: New roles
And then add each of them into an array:
You can then use the array of privileges to apply your specific permissions to the new role:
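The granular procedure above (choose privileges, collect them in an array, apply them to a new role) as an added example, not Listing 1-8; it assumes an existing Connect-VIServer session, and the role name and privilege set are illustrative. It also verifies the created role and handles the case where the role already exists.

```powershell
# Added example (not Listing 1-8): build a narrowly scoped role from explicit privilege IDs
# and verify the result. Assumes an existing Connect-VIServer session; the role name
# and privilege set are illustrative.
$roleName  = 'VM Power Operator'
$wantedIds = @(
    'System.Anonymous', 'System.View', 'System.Read',   # baseline every role carries
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset'
)

# Resolve IDs to privilege objects; stop if any ID is unknown on this vCenter
$privs   = Get-VIPrivilege -Id $wantedIds
$missing = $wantedIds | Where-Object { $_ -notin $privs.Id }
if ($missing) { throw "Unknown privilege IDs: $($missing -join ', ')" }

# Create the role only if it does not already exist; otherwise add the privileges to it
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $privs
} else {
    $role = Set-VIRole -Role $role -AddPrivilege $privs
}

# Verify: list what the role actually holds and flag anything outside the wanted set
$actual = Get-VIPrivilege -Role $role -PrivilegeItem
$extra  = $actual | Where-Object { $_.Id -notin $wantedIds }
if ($extra) { Write-Warning "Role holds unexpected privileges: $($extra.Id -join ', ')" }
$actual | Select-Object Id, Name | Sort-Object Id
```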
Bringing In Users
Now that you have defined your roles, you can start using them. Until now, you have only been working with roles and privileges. Once you define what you want your user to be able to do, you need to add users and grant them access to the roles. You can then enable them to start using the features of the vSphere Web Client.
A role or privilege can be assigned to any of the objects within a vCenter Server. Each of the objects can be defined by different roles or privileges. Together, objects, roles, and privileges make up a permission set. Permission sets can be inherited; inheritance ensures that each object underneath a datacenter, cluster, resource pool, or folder gives the users the correct access privileges.
So it comes as no great surprise that, when adding a permission through PowerCLI, you must consider three areas:
Role The role that you will assign to the user
Principal The user or group to which you wish to assign permissions
Entity The object, folder, cluster, datacenter, or resource pool for which you would like to grant permissions to the user
In the code that follows, we grant a user (VSPHERE.local\User01) access to New Custom Role at the datacenter level:
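The Role/Principal/Entity assignment described above as an added example (not the book's code), extended to check that a child object inherits the permission; it assumes an existing Connect-VIServer session, and the datacenter name 'Boston' is illustrative.

```powershell
# Added example (not the book's code): assign a role to a principal at the datacenter
# level and verify that child objects inherit it. Assumes an existing Connect-VIServer
# session; the datacenter name is illustrative.
$dc        = Get-Datacenter -Name 'Boston'
$principal = 'VSPHERE.local\User01'
$role      = Get-VIRole -Name 'New Custom Role'

# Reuse an existing permission rather than creating a duplicate
$existing = Get-VIPermission -Entity $dc -Principal $principal |
            Where-Object { $_.Role -eq $role.Name }
if (-not $existing) {
    # -Propagate:$true pushes the permission down the inventory tree
    $existing = New-VIPermission -Entity $dc -Principal $principal -Role $role -Propagate:$true
}
$existing | Select-Object Principal, Role, Propagate, @{N='Entity';E={$_.Entity.Name}}

# Check a VM under the datacenter: -Inherited includes permissions defined on parent objects
$vm = Get-VM -Location $dc | Select-Object -First 1
if ($vm) {
    Get-VIPermission -Entity $vm -Principal $principal -Inherited |
        Select-Object Principal, Role, Propagate, @{N='DefinedOn';E={$_.Entity.Name}}
}
```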
After you’ve set up and tested individual permissions, you can export them to a readable, importable format. This eases multiple installations and the transfer of permissions to further vCenter Servers, and ensures consistency as well. We’ll show you how next.
Exporting Permissions
The script in Listing 1-9 exports all relevant information into a CSV file, which can later be used to import them back into the same or a different vCenter Server. Exporting the permissions can be a great way to satisfy a security audit or ensure the relevant departments or users have the correct permissions.
Listing 1-9: Exporting permissions
Importing Permissions
It is equally important to be able to import the permissions back into your vCenter Server. To do so, you can use the script in Listing 1-10. Understand that because of the way that permissions are created and stored in vCenter, you can only import back into the vCenter from which you exported the permissions.
Listing 1-10: Importing permissions
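An export-and-import round trip for both sections above, as an added example that is not Listing 1-9 or 1-10; it assumes an existing Connect-VIServer session against the same vCenter Server for both steps, resolves entities by name and PowerCLI type, and skips permissions that already exist so the import can be re-run safely. The CSV path and function names are illustrative.

```powershell
# Added example (not Listings 1-9/1-10): export explicit (non-inherited) permissions to CSV,
# then re-import them into the same vCenter, skipping any that already exist.
# Assumes an existing Connect-VIServer session; the CSV path is illustrative.
$csvPath = 'C:\Temp\vcenter-permissions.csv'

function Export-VcPermissions {
    param([string]$Path)
    Get-VIPermission |
        Select-Object @{N='EntityName';E={$_.Entity.Name}},
                      @{N='EntityType';E={$_.Entity.GetType().Name}},   # e.g. VirtualMachineImpl
                      EntityId, Principal, Role, Propagate, IsGroup |
        Export-Csv -Path $Path -NoTypeInformation
}

function Import-VcPermissions {
    param([string]$Path)
    foreach ($row in Import-Csv -Path $Path) {
        # Resolve the entity by name and type; names alone are not unique across types
        $entity = Get-Inventory -Name $row.EntityName |
                  Where-Object { $_.GetType().Name -eq $row.EntityType }
        if (@($entity).Count -ne 1) {
            Write-Warning "Skipping $($row.Principal): entity '$($row.EntityName)' not found or ambiguous"
            continue
        }
        $role = Get-VIRole -Name $row.Role -ErrorAction SilentlyContinue
        if (-not $role) { Write-Warning "Skipping: role '$($row.Role)' does not exist"; continue }

        $present = Get-VIPermission -Entity $entity -Principal $row.Principal |
                   Where-Object { $_.Role -eq $row.Role }
        if ($present) { continue }   # idempotent: never create a duplicate permission
        New-VIPermission -Entity $entity -Principal $row.Principal -Role $role `
                         -Propagate:([bool]::Parse($row.Propagate)) | Out-Null
    }
}

Export-VcPermissions -Path $csvPath
Import-VcPermissions -Path $csvPath
```

Because the export carries the role name rather than its privileges, the roles themselves must already exist on the target before the permissions are imported.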
Configure Datacenters and Clusters
vCenter Server has a hierarchical management structure similar to that of Microsoft Active Directory. Three main containers can be added to vCenter Server:
• Datacenters
• Clusters
• Folders
Datacenters A datacenter is a logical container within vCenter Server used to store clusters, folders, and VMs; they are often named for the physical location where the hosts reside, such as “Boston” or “South West Datacenter.”
Clusters A cluster is defined as a group of like-configured computers that act in a fully redundant setup to ensure availability of applications and operating systems. A vCenter Server cluster is no different. Clusters are used in vCenter Server for three main functions: high availability, load balancing, and high-performance computing. A cluster is made up of two or more physical servers that provide resources for the hosts that are assigned to that cluster.
Folders