Authentication and authorization govern access. vCenter Single Sign-On supports authentication, which means it determines whether a user can log in to vSphere components at all. Each user must also be authorized to view or manipulate vSphere objects.

vSphere supports several different authorization mechanisms, discussed in Understanding Authorization in vSphere. This section focuses on how the vCenter Server permission model works and how to perform user management tasks.

vCenter Server allows fine-grained control over authorization with permissions and roles. When you assign a permission to an object in the vCenter Server object hierarchy, you specify which user or group has which privileges on that object. To specify the privileges, you use roles, which are sets of privileges.

Initially, only the administrator user for the vCenter Single Sign-On domain is authorized to log in to the vCenter Server system. The default domain is vsphere.local and the default administrator is administrator@vsphere.local. You can change the default domain during installation of vSphere.

The administrator user can proceed as follows:

1. Add an identity source in which users and groups are defined to vCenter Single Sign-On. See the vSphere Authentication documentation.
2. Give privileges to a user or group by selecting an object such as a virtual machine or a vCenter Server system and assigning a role on that object for the user or group.
Understanding Authorization in vSphere
vSphere supports several models for determining whether a user is allowed to perform a task. Group membership in a vCenter Single Sign-On group decides what you are allowed to do. Your role on an object or your global permission determines whether you are allowed to perform other tasks.
Managing Permissions for vCenter Components
A permission is set on an object in the vCenter object hierarchy. Each permission associates the object with a group or user and the group's or user's access role. For example, you can select a virtual machine object, add one permission that gives the ReadOnly role to Group 1, and add a second permission that gives the Administrator role to User 2.
Global Permissions
Global permissions are applied to a global root object that spans solutions. In an on-premises SDDC, global permissions might span both vCenter Server and vRealize Orchestrator. But for any vSphere SDDC, global permissions apply to global objects such as tags and content libraries.
Using Roles to Assign Privileges
A role is a predefined set of privileges. Privileges define rights to perform actions and read properties. For example, the Virtual Machine Administrator role allows a user to read and change virtual machine attributes.
Best Practices for Roles and Permissions
Follow best practices for roles and permissions to maximize the security and manageability of your
vCenter Server
environment.
Required Privileges for Common Tasks
Many tasks require permissions on multiple objects in the inventory. If the user who attempts to perform the task only has privileges on one object, the task cannot complete successfully.
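The following Python model is an added example, not code from VMware or from this documentation. It ties together three points above: a permission binds an object to a user or group and a role (Managing Permissions for vCenter Components), a role is a set of privileges (Using Roles to Assign Privileges), and a task that needs privileges on several objects fails when the user holds them on only one (Required Privileges for Common Tasks). Everything in it is constructed: the role names and privilege strings are illustrative labels rather than the product's privilege identifiers, and the propagation and nearest-object-wins rules are modelled as assumptions so that the inventory hierarchy has something to resolve against.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample roles: each role is a named set of privileges.
# The privilege strings are illustrative labels, not vSphere privilege IDs.
ROLES = {
    "Administrator": {"vm.read", "vm.edit", "vm.power", "datastore.allocate"},
    "VirtualMachineAdministrator": {"vm.read", "vm.edit", "vm.power"},
    "ReadOnly": {"vm.read"},
}

# Constructed group membership: user -> set of groups.
GROUPS = {"alice": {"Group 1"}, "bob": set()}


@dataclass
class Permission:
    principal: str          # user name or group name
    is_group: bool
    role: str               # key into ROLES
    propagate: bool = True  # assumption: when True, children inherit it


@dataclass
class InventoryObject:
    name: str
    parent: Optional["InventoryObject"] = None
    permissions: list = field(default_factory=list)


def grant(obj, principal, is_group, role, propagate=True):
    """Set a permission on an object (object + principal + role)."""
    obj.permissions.append(Permission(principal, is_group, role, propagate))


def _matching(perms, user):
    groups = GROUPS.get(user, set())
    return [p for p in perms
            if (not p.is_group and p.principal == user)
            or (p.is_group and p.principal in groups)]


def effective_privileges(user, obj):
    """Privileges `user` holds on `obj`.

    Assumptions modelled here: a permission set directly on an object takes
    precedence over one inherited from an ancestor, and only permissions
    marked propagate flow down to child objects. Privileges from several
    matching permissions on the same object are combined.
    """
    node, inherited = obj, False
    while node is not None:
        matches = _matching(node.permissions, user)
        if inherited:
            matches = [p for p in matches if p.propagate]
        if matches:
            privs = set()
            for p in matches:
                privs |= ROLES[p.role]
            return privs
        node, inherited = node.parent, True
    return set()


def check_task(user, requirements):
    """requirements: list of (object, set of privileges needed on it).

    Returns (ok, missing) where missing lists each object on which the user
    lacks privileges, together with the privileges that are lacking.
    """
    missing = []
    for obj, needed in requirements:
        lacking = needed - effective_privileges(user, obj)
        if lacking:
            missing.append((obj.name, sorted(lacking)))
    return (not missing, missing)


def build_sample():
    """Constructed inventory: a root with one datastore and one VM."""
    root = InventoryObject("vcenter")
    datastore = InventoryObject("datastore1", parent=root)
    vm = InventoryObject("vm1", parent=root)
    grant(vm, "Group 1", True, "ReadOnly")        # alice via her group
    grant(vm, "bob", False, "Administrator")      # bob, on the VM only
    return {"root": root, "datastore1": datastore, "vm1": vm}


if __name__ == "__main__":
    inv = build_sample()
    # A task that touches two objects: editing the VM and allocating space.
    task = [(inv["vm1"], {"vm.edit"}), (inv["datastore1"], {"datastore.allocate"})]
    print(check_task("bob", task))    # fails: no privileges on datastore1
    grant(inv["root"], "bob", False, "Administrator")
    print(check_task("bob", task))    # succeeds once the datastore is covered
```

Running the block shows the failure mode the section describes: bob is an Administrator on vm1 yet the two-object task is refused until a propagating permission on the root object also covers datastore1. The same check is what an authorization review should perform before trusting a role assignment: enumerate every object the task touches, not only the one the user was granted.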