I bet everything went great in your VMware infrastructure, until the company hired a junior admin to help you with the work. Now that’s not a bad thing, but you can’t just give him/her full permissions to your vCenter from the start, because he/she needs to learn the infrastructure first and get familiar with it. If adding a user to your VMware vCenter infrastructure is a challenge, no worries, I will show you how it’s done in just a second.
The vCenter server that I will use here is part of a local Microsoft Active Directory domain, so the new user will be a domain user. If you don’t have an AD environment, that’s no problem, you just create the junior admin account on the vCenter server machine; I will show you that too, later. First let’s start by creating the user account in Active Directory, so right-click your OU and choose New > User. Complete the boxes and click Next.
Now choose a password for the junior admin to use and finish the wizard. The account is now created and ready to be used.
If you don’t have an AD environment just create the user account on your vCenter server. Right-click Computer, choose Manage, and expand Configuration > Local Users and Groups. Create a new user account by right-clicking the Users object and choosing New user. On the New user box complete the requirements and clear User must change password at next logon. Click Create.
Now open your vCenter client console and connect to the vCenter server using an administrator account. Once the console is fully opened click the vCenter server name then go to the Permissions tab.
Here right-click and choose Add Permission.
On the Assign Permissions window click the Add button.
Choose your domain from the Domain list and now all the users and groups from the AD domain should appear under Users and Groups. Select the junior admin account we created before and click the Add button. If you want to add another user or group, just select it and click the Add button again. When you’re done click OK.
Back in the Assign Permissions window, we have our junior admin account. The last step is to assign the necessary permissions to this account, and you can do this from the Assign Role box. For the sake of this example just leave it set to Read only. If you want these permissions to propagate to all your ESX hosts, folders, pools etc., leave the Propagate to Child Objects box enabled. Click OK when you’re done.
The account is added in the Permissions tab on the vCenter server, with the rights we just configured.
Now let’s see from a client perspective. Log in to a client computer using the junior admin account and connect to your vCenter server using the same account. I will use a Windows 7 machine on which I installed the vSphere client.
Since the user has read-only permissions on the vCenter server, he/she can see all the vCenter infrastructure. Right-click one of the objects (ESX server, virtual pool, folder etc.) and you should see that the user is denied access to shut down, reboot, create a new virtual machine etc.
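The same assignment can be scripted and then audited from PowerCLI. This is an added example, not part of the original walkthrough; it assumes a current VMware.PowerCLI module, and the server name vcenter.example.local and the account EXAMPLE\junior.admin are placeholders.

```powershell
# Added example (PowerCLI). Placeholders, not values from the post:
$vCenter   = 'vcenter.example.local'
$principal = 'EXAMPLE\junior.admin'

Import-Module VMware.PowerCLI
Connect-VIServer -Server $vCenter -Credential (Get-Credential) | Out-Null

try {
    # The root folder is the object behind the vCenter server name node,
    # i.e. where the Permissions tab was used in the steps above.
    $root = Get-Folder -NoRecursion
    $role = Get-VIRole -Name 'ReadOnly'   # built-in "Read-only" role

    # Assign only if the account has no permission on the root yet,
    # so the script can be re-run without errors.
    $onRoot = Get-VIPermission -Entity $root -Principal $principal
    if (-not $onRoot) {
        New-VIPermission -Entity $root -Principal $principal `
            -Role $role -Propagate:$true | Out-Null
    }

    # Audit: list every permission defined for this account anywhere
    # in the inventory, not just on the root.
    $all = Get-VIPermission -Principal $principal
    $all | Select-Object Entity, Role, Propagate | Format-Table -AutoSize

    # Anything other than ReadOnly is more than the junior admin
    # is supposed to have at this stage.
    $excess = $all | Where-Object { $_.Role -ne 'ReadOnly' }
    if ($excess) {
        $excess | ForEach-Object {
            Write-Warning "$principal has role '$($_.Role)' on '$($_.Entity)'"
        }
    } else {
        Write-Host "$principal holds ReadOnly only."
    }
}
finally {
    Disconnect-VIServer -Server $vCenter -Confirm:$false
}
```

The audit only covers permissions granted directly to the account; rights inherited through AD or local group membership show up under the group's name and need to be checked separately.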
If you want to be more granular with permissions, you can add the user account on a server level, then the user will only be able to see that specific server. More about vCenter permissions in a future post.