The VCP6-DCV Certification was recently announced and there is a VCP6-DCV Delta (or What’s New) beta exam available. I have registered for the exam and will be sitting it on April 27. I will be putting together a series of posts with my notes covering the exam objectives as I prepare to sit the exam.
This post covers Section 1, Configure and Administer vSphere Security, Objective 1.1, Configure and Administer Role-based Access Control.
The vSphere Knowledge covered in this objective:
Identify common vCenter Server privileges and roles
Describe how permissions are applied and inherited in vCenter Server
View/Sort/Export user and group lists
Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
Create/Clone/Edit vCenter Server Roles
Determine the correct roles/privileges needed to integrate vCenter Server with other VMware products
Determine the appropriate set of privileges for common tasks in vCenter Server
The primary reference for this section is the vSphere Security Guide Section 4 starting on page 111.
– Identify common vCenter Server privileges and roles
A Role is a collection of privileges which can be assigned to a user or group.
Manage Roles and Privileges using the Web Client -> Home -> Roles
Common vCenter Roles:
Administrator Includes all Privileges
Read-only Includes only View Privileges
No Access Prohibits access to the object the Role is applied to.
Tagging Admin <- New Role An user or group assigned this Role can create tags, assign or unassign tags, delete tags, edit tags, create tag categories, modify tag categories, and delete tag categories.
Several other sample roles (Resource pool administrator, Virtual machine user, VMware Consolidated Backup user, Datastore consumer, Network adminstrator, Content library administrator, and Virtual machine power user) are included which can be cloned or modified.
Privileges are access controls which can be grouped together to form a Role.
A Permission is a Role (a group of privileges) which has been assigned to a user or group and applied to a vCenter Inventory object. Permissions are assigned using the Web Client -> vCenter Object -> Manage -> Permissions
Permissions can be assigned to users or groups authenticated through Single Sign-on (SSO).
From Web Client -> Home -> Roles selecting a Role and selecting Usage will display where the Role has been applied and for which users/groups.
– Describe how permissions are applied and inherited in vCenter Server
Global permissions can be assigned in the Web Client -> Home -> Administration -> Global Permissions. Global permissions apply to all objects in the inventory hierarchies of the environment. If you de-select Propagate to children, the users or groups associated with the Global permission will not have access to the objects in the hierarchy. They only have access to some global functionality such as creating roles.
Permissions on objects in vCenter Inventory are managed using the Web Client -> Selected Object -> Manage -> Permissions
Permissions can be applied directly to the object or propagated to children.
The View Children link shows all the children the permission will apply to if the Propagate to children checkbox is selected.
If a user is assigned to more than one group and the groups are assigned different permissions on the same object the user has the combined privileges contained in the roles. Example vSphere Security Guide Section 4, page 116.
Permissions applied to a Child object override the permissions applied to the parent object. If a user is assigned the Administrator role on the vCenter object which has been set to propagate to children and the same user is assigned the No Access Role on a hosts in the vCenter inventory. The No Access Role will be applied to the host and, if set to propagate, its children. Example vSphere Security Guide Section 4, page 116.
A user role overrides a group role. For example if user is a member of a group which has the Administrator Role applied on a object and a permission as been assigned to the user with the No Access Role on the same object the user permission take precedence. Example vSphere Security Guide Section 4, page 117.
Best Practices for Roles and Permissions can be found in the vSphere Security Guide Section 4, page 125.
– View/Sort/Export user and group lists
To view Global Permissions Web Client -> Home -> Administration -> Global Permissions.
To view permissions for a specific inventory object Web Client -> Selected Object -> Manage -> Permissions.
Viewing permissions shows the User/Group, Role, and where the permission is defined – Global Permission, This object and its children, This object, or the Parent Object where the permission has been defined.
A list of User/Group Roles can be exported to a CSV file or copied to the Clipboard.
Tip: Ctrl + Click copies the selected permissions to the clipboard.
– Add/Modify/Remove permissions for users and groups on vCenter Server inventory objects
Permissions are added/modified/removed on inventory objects in the Web Client -> Selected Object -> Manage -> Permissions
Global Roles can be created, cloned, or edited in the Web Client -> Home -> Administration -> Roles.
Manage Roles and Privileges using the Web Client -> Home -> Roles
The default Roles are Administrator, Read-only, and No access. These Roles cannot be edited or deleted, but the roles can be cloned.
To clone a Role, select the Role and select the Clone role action icon.
– Determine the correct roles/privileges needed to integrate vCenter Server with other VMware products
Global permissions are applied to a global root object that spans solutions, for example, both vCenter Server
and vCenter Orchestrator. vSphere Security Guide Section 4, page 120.
– Determine the appropriate set of privileges for common tasks in vCenter Server
The privilege Permissions -> Modify permission is required to modify the permissions on a vCenter object.
Privileges include creating/modifying/deleting Alarms, Virtual Machines, Network, Datastores, Folders, etc.
Required privileges for common tasks can be found in the vSphere Security Guide Section 4, page 125.
A complete list of privileges can be found in the vSphere Security Guide Section 10, page 227.
This is interesting: Changes to licenses propagate to all vCenter Server systems that are linked to the same Platform Services Controller or to Platform Services Controllers in the same vCenter Single Sign-On domain, even if the user does not have privileges on all of the vCenter Server systems.
I think I will be following your post about this test I already request the authorization, do you know which is the last day to schedule this test: 2V0-621D
hi Hersey
you are going to take this test right?
2V0-621D
thanks
Karlo,
Yes that is correct. It is the Delta exam for VCP6.
Thanks for stopping by.
Hersey
Cool vHersey
I think I will be following your post about this test I already request the authorization, do you know which is the last day to schedule this test: 2V0-621D
thanks