
VMWARE VSPHERE 8.0 INSTALL, CONFIGURE, MANAGE

Lab 6: Users, Groups and Permissions

Document Version: 2023-03-08

Copyright © 2023 Network Development Group, Inc.


www.netdevgroup.com

NETLAB+ is a registered trademark of Network Development Group, Inc.

VMware is a registered trademark of VMware, Inc.


Lab 6: Users, Groups and Permissions

Contents
Introduction ........ 3
Objective ........ 3
Lab Topology ........ 4
Lab Settings ........ 5
1 Prepare the Lab Environment ........ 6
2 View Active Directory Users ........ 14
3 Assign Root-Level Global Permission to an Active Directory User ........ 17
4 Add an ESXi Host to Active Directory and Assign Object Permission to an Active Directory User ........ 19
5 Verify that the cladmin User Can Access Content Library ........ 23
6 Verify that the studentadmin User Can Perform Virtual Machine Actions ........ 27

3/13/2023 Copyright © 2023 Network Development Group, Inc. www.netdevgroup.com Page 2



Introduction

In this lab, you will view the list of Active Directory (AD) users to verify that the ad.vclass.local users
exist, and assign roles and permissions so that an AD user can perform functions in vCenter Server.

In vCenter 8, users, groups, and permissions are used to control access to the vCenter Server and its
resources.

• Users: Individual accounts that are created and managed within vCenter Server. Each user is assigned a
unique username and password and can be a member of one or more groups.
• Groups: Collections of users that are used to manage permissions. Permissions can be assigned
to groups, rather than individual users, making it easier to manage access for a large number of
users.
• Permissions: Used to control access to the vCenter Server and its resources. They determine
what actions a user or group can perform within the vCenter environment. For example, a user
with the appropriate permissions may be able to create and manage Virtual Machines (VMs),
while another user may only be able to view the existing VMs.
• Roles: Used to control access and define the actions that users can perform within the virtual
environment. Roles are assigned to users or groups, and the permissions and privileges
associated with a role determine what a user can do within vCenter Server. There are several
predefined roles in vCenter Server, such as Administrator, No Access, Read Only, etc., and
administrators can also create custom roles to meet their specific requirements. By assigning
appropriate roles to users, administrators can ensure that users have the right level of access
and permissions to perform their tasks, while limiting their ability to cause unintended changes
or disruptions.

In vCenter 8, permissions can be assigned at different levels of the vCenter Server hierarchy, such as
the vCenter Server level, the Datacenter level, and the VM level. This allows for granular control over
access to resources.

In addition, vCenter 8 also supports the use of Role-based access control (RBAC) where permissions are
assigned to predefined roles and users are assigned to those roles. This allows for a more efficient way
to manage access control, by not having to create custom permissions every time a new user is added.

Objective

• View AD users
• Assign root-level global permission to an AD user
• Assign Object Permission to an AD user
• Verify that the cladmin user can access the Content Library
• Verify that the studentadmin user can create a VM


Lab Topology


Lab Settings

The information in the table below will be needed to complete the lab. The task sections further below
provide details on the use of this information.

Virtual Machine   IP Address            Account               Password

sa-student        eth0: 172.20.10.80    sysadmin              NDGlabpass123!

sa-vcsa           eth0: 172.20.10.94    [email protected]     NDGlabpass123!

sa-esxi-01        eth0: 172.20.10.51    root                  NDGlabpass123!

sa-esxi-02        eth0: 172.20.10.52    root                  NDGlabpass123!

sa-aio            eth0: 172.20.10.10    sysadmin              NDGlabpass123!


1 Prepare the Lab Environment

In this task, you will utilize the techniques learned in Lab 5. You will join sa-vcsa.vclass.local to the
ad.vclass.local domain, and set ad.vclass.local as the default identity source.

1. Launch the sa-student VM to access the graphical login screen.

To launch the console window for a VM, either click on the machine’s
graphic image from the topology page, or click on the machine’s
respective tab from the Navigator.

2. Launch the Mozilla Firefox web browser by either clicking on the icon found in the bottom toolbar
or by navigating to Start Menu > Internet > Firefox Web Browser.

3. In Firefox, click LAUNCH VSPHERE CLIENT.


If the VMware Getting Started webpage does not load, please wait an
additional 3 - 5 minutes, and refresh the page to continue. This is
because the vCenter Server Appliance is still booting up and requires
extra time to initialize.

4. To log in to the vCenter Server Appliance, enter [email protected] for the username and
NDGlabpass123! for the password. Click LOGIN.

You may ignore the “browser-OS combination” warning message
presented on the VMware vCenter Single Sign-On page and continue
moving forward with the lab.

5. From the main menu, select Administration.


6. In the Navigator, under Single Sign On, select Configuration.

7. In the Configuration pane, select Identity Provider and click Active Directory Domain. Verify that
the sa-vcsa.vclass.local node is selected. Click JOIN AD.

8. In the Join Active Directory Domain window, enter ad.vclass.local for the Domain, administrator for the
Username, and NDGlabpass123! for the Password. Click JOIN.


For this lab, AD has been preconfigured on the SA-AIO machine.

9. Verify that sa-vcsa.vclass.local has successfully joined the ad.vclass.local AD. Click Acknowledge on
the pop-up dialog box.

10. Restart the vCenter Server Appliance using the vCenter Server Appliance Management Interface.

a. Open a new Firefox browser and click [Mgmt] sa-vcsa.

Port 5480 is the default port used to access the vCenter Server
Appliance Web User Interface. The VMware vCenter Server Appliance
Management Interface (VAMI) is used to perform administrative tasks
such as changing the host name, network configurations, and
applying updates and patches.


b. In the Username text field, type [email protected] and in the Password text field, type
NDGlabpass123!. Click LOGIN.

c. From the Actions drop-down menu in the top right corner, select Reboot.

d. In the System Reboot window, click YES.

11. Go back to the vSphere Client tab, and refresh the screen periodically until the vSphere Client login
page appears.

The reboot process takes 5 - 10 minutes to complete. During this time, the
vSphere Client is unavailable. You will not be able to add ad.vclass.local as an
identity source until the reboot process is complete.


12. Log in to the vCenter Server Appliance, enter [email protected] for the username and
NDGlabpass123! for the password. Click LOGIN.

You may ignore the “browser-OS combination” warning message
presented on the VMware vCenter Single Sign-On page and continue
moving forward with the lab.

13. From the main menu, select Administration.


14. In the Navigator, under Single Sign On, select Configuration.

15. In the Configuration pane, select Identity Provider and click Identity Sources. Notice the
vclass.local and localos domains appear as identity sources.

16. In the Identity Sources pane, click ADD.


17. In the Add Identity Source window, verify that Active Directory (Integrated Windows
Authentication) is selected. Verify that AD.VCLASS.LOCAL is listed as the Domain name. Ensure
that Use machine account is selected, and click ADD.

18. In the Identity Sources window, verify that AD.VCLASS.LOCAL is listed as an identity source. Select
AD.VCLASS.LOCAL and click SET AS DEFAULT.

19. In the Set Default Identity Source window, click OK.

20. Leave the vSphere Client open and continue to the next task.


2 View Active Directory Users

In this task, you will view the list of AD users and confirm that the studentadmin and cladmin single
sign-on accounts exist.

It is good practice to review AD users in vCenter because it helps ensure that only authorized users
have access to the virtual environment and that user permissions are configured correctly.

• Security: Reviewing AD users helps prevent unauthorized access to the virtual environment and
helps ensure that sensitive data and systems are protected.
• Compliance: Regularly reviewing AD users can help ensure that security and compliance
policies are being followed and that user access is in line with regulatory requirements.
• Best Practices: Regularly reviewing AD users helps identify and remove inactive or unused
accounts, reducing the attack surface and improving the overall security posture.
• Auditing: Reviewing AD users can help with auditing and compliance reporting, as
administrators can easily see who has access to the virtual environment and what actions they
can perform.

By regularly reviewing AD users in vCenter, administrators can help ensure that their virtual
environment is secure, compliant, and running efficiently, improving the reliability and performance of
their virtualized infrastructure.

1. From the main menu, select Administration.


2. In the Navigator, under Single Sign On, select Users and Groups.

3. In the Users and Groups pane, on the Users tab, verify that AD.VCLASS.LOCAL is selected from the
drop-down menu.

4. In the AD.VCLASS.LOCAL domain, you should see the studentadmin and cladmin users.


You may need to scroll through the Users window to verify that both
studentadmin and cladmin are listed.

5. Leave the vSphere Client open, and continue to the next task.


3 Assign Root-Level Global Permission to an Active Directory User

In this task, you will grant global permission to cladmin to administer content libraries.

Content libraries are located directly under the global root object. You will assign the Content Library
Administrator role to [email protected] at the global root object. This role gives the cladmin user
administrator rights for all content libraries only.

Assigning the cladmin user to only administer content libraries in vCenter can provide a more secure
and controlled environment. By only allowing this user to manage content libraries, you can limit their
access to other areas of the vCenter environment that they do not need to access. This can help
prevent accidental changes or misconfigurations in other areas of the environment.

It can also help separate the responsibilities of different users and teams. For example, if a team is
responsible for managing content libraries, it makes sense to assign a user specifically to that team to
handle the content library management, while other users are responsible for other aspects of the
environment. This can make it easier to identify who is responsible for different tasks and to
troubleshoot any issues that may arise.

Furthermore, it can help in auditing and compliance requirements. By having a separate user for
content libraries management, it is easier to track who has access and performed actions on the
content libraries, which can be helpful for compliance and regulatory audits.

Overall, assigning the cladmin user to only administer content libraries in vCenter can provide a more
secure and organized environment by limiting user access, separating responsibilities, and providing a
clear audit trail.

1. In the Navigator, navigate to Access Control > Global Permissions.

2. In the Global Permissions pane, click ADD.


3. In the Add Permission window, from the Domain drop-down menu, select AD.VCLASS.LOCAL. Type
cla and select cladmin for the User/Group. From the Role drop-down menu, select Content library
administrator (sample). Check the Propagate to children box, and click OK.

Ensure that you select AD.VCLASS.LOCAL and not vclass.local for the domain.

4. Verify that AD.VCLASS.LOCAL\cladmin appears in the list, is assigned the Content Library
Administrator (sample) role, and is assigned global permission at the global root object.

5. Leave the vSphere Client open and continue to the next task.


4 Add an ESXi Host to Active Directory and Assign Object Permission to an Active
Directory User

In this task, you will assign permission at the vCenter level to the studentadmin user. This permission
will propagate to the child objects of vCenter.

Adding an object permission to the studentadmin user in vCenter can provide more granular control
over the access and actions that the user is able to perform within the vCenter environment. Object
permissions in vCenter allow you to specify the specific actions that a user or group can perform on a
particular object.

For example, if the studentadmin user is responsible for managing a specific set of VMs, by adding an
object permission to the user, you can ensure that they are only able to perform the necessary actions
on those VMs, such as starting or stopping them, and not on other VMs in the environment.

By adding an object permission to the studentadmin user in vCenter, you can also help limit the
potential for accidental changes or misconfigurations. It also helps in providing a more organized way
of managing access and responsibilities.

Additionally, it can be helpful in auditing and compliance requirements. By having a separate user for
studentadmin with specific object permissions, it is easier to track who has access and performed
actions on the specific object, which can be helpful for compliance and regulatory audits.

Overall, adding an object permission to the studentadmin user in vCenter can provide more granular
control over access and actions, limit potential for accidental changes, and provide a clear audit trail.

1. In Firefox, launch a new tab. Click to open the [Client] sa-esxi-01 VMware Host Client.

If the Warning: Potential Security Risk Ahead page appears, click Advanced,
and Accept the Risk and Continue.


2. On the VMware Host Client page, type root for the Username and NDGlabpass123! for the
Password. Click LOGIN.

If the Help us improve the VMware Host Client pop-up window appears, you
have the option to Join the VMware Customer Experience Improvement
Program (CEIP) or not join. For this task, leave the default, and click OK.

3. In the Navigator, click on the Manage tab. In the sa-esxi-01.netlab.local – Manage window, click on
Security & users, Authentication, and Join domain.


4. In the Join Domain window, type ad.vclass.local for the Domain name, type administrator for the User
name, type NDGlabpass123! for the Password, and click JOIN DOMAIN.

5. Monitor the Recent tasks pane, and wait for the task to complete.

6. On the sa-esxi-01.vclass.local web client window, you will notice that Active Directory enabled has a
status of Yes, which means that you have successfully enabled Active Directory on the sa-esxi-01
host.

7. Repeat steps 1 through 8, and add sa-esxi-02.vclass.local to the ad.vclass.local domain.

8. Go back to the vSphere Client sa-vcsa.vclass.local.


9. From the main menu, select Inventory.

10. On the Hosts and Clusters tab, expand sa-vcsa.vclass.local and ICM-Datacenter. Select
sa-esxi-01.vclass.local.

11. In the sa-esxi-01.vclass.local pane, select the Permissions tab, and click ADD.

12. In the Add Permission window, from the Domain drop-down menu, select AD.VCLASS.LOCAL. Type
student and select studentadmin for the User/Group. From the Role drop-down menu, change the
role to Virtual machine user (sample). Select Propagate to children and click OK.


Ensure that you select AD.VCLASS.LOCAL and not vclass.local for the domain.

13. Verify that AD.VCLASS.LOCAL\studentadmin appears in the list, is assigned the Virtual machine
user (sample) role, and is Defined In This object and its children.

14. Log out of the vSphere Client and continue to the next task.

5 Verify that the cladmin User Can Access Content Library



In this task, you will verify that [email protected] can access only the Content Library pane. This
user does not have access to administrative tasks such as creating VMs.

1. Log in to the vCenter Server Appliance, enter [email protected] for the username and
NDGlabpass123! for the password. Click LOGIN.

You may ignore the “browser-OS combination” warning message
presented on the VMware vCenter Single Sign-On page and continue
moving forward with the lab.

2. Verify you are logged in as [email protected].

3. From the main menu, select Content Libraries.


4. In the Content Libraries pane, verify that you have the correct privileges to CREATE a content
library, but do not create a content library at this time.

You will create and administer content libraries in a later lab.

5. From the main menu, select Inventory.

6. On the Hosts and Clusters tab, expand sa-vcsa.vclass.local. Right-click on ICM-Datacenter and look
at the Actions that are grayed out.


Actions in the ICM-Datacenter object may be grayed out for several reasons.
One possible reason is that the user does not have the necessary permissions
to access or modify them.

As cladmin, you cannot perform administrative tasks, such as adding hosts,
creating clusters, or creating VMs. This is because cladmin does not have
access to complete administrative tasks.

7. Log out of the vSphere Client, and continue to the next task.


6 Verify that the studentadmin User Can Perform Virtual Machine Actions

In this task, you will verify that [email protected] can only use VMs. This user does not
have access to administrative tasks such as creating VMs, or any other administrative task.

The Virtual Machine User (sample) role allows a user to perform a limited set of actions on
VMs within the vCenter inventory. Compared to the Administrator role, its privileges are
restricted to actions such as:

• Powering on and off a VM
• Resetting a VM
• Connecting to the console of a VM

It is worth noting that the exact set of permissions included with the Virtual Machine User role can be
customized and modified by a vCenter Administrator.

1. Log in to the vCenter Server Appliance, enter [email protected] for the username and
NDGlabpass123! for the password. Click LOGIN.

You may ignore the “browser-OS combination” warning message
presented on the VMware vCenter Single Sign-On page and continue
moving forward with the lab.

2. Verify you are logged in as [email protected].


3. From the main menu, select Inventory.

4. On the Hosts and Clusters tab, expand sa-vcsa.vclass.local, ICM-Datacenter, and
sa-esxi-01.vclass.local. Select sa-vcsa.vclass.local. Notice that studentadmin does not have privileges to
view the sa-vcsa.vclass.local object.

5. Select ICM-Datacenter. Notice that studentadmin does not have privileges to view ICM-Datacenter
object.


6. Select sa-esxi-01.vclass.local. Notice that you can view the sa-esxi-01 object.

7. Expand and right-click on sa-esxi-01.vclass.local. Notice all the Actions grayed out. The
studentadmin account does not have access to modify any settings of sa-esxi-01.vclass.local.


Notice the studentadmin account cannot create new VMs, add networking, or
assign licenses.

8. Right-click on LinuxCLI-01 and select Power. Notice the Actions that are available.

The studentadmin account has been granted permissions to only use the VMs
on the host sa-esxi-01. This account does not have permission to make
modifications or changes to the settings of the VMs that reside on this host.
This restriction is likely in place to ensure that the VMs on sa-esxi-01 are not
accidentally or intentionally modified, which could cause them to malfunction
or become unstable. Additionally, it may be to prevent accounts with the
Virtual Machine User (sample) permission from making changes that would
negatively impact other administrators or the host itself.

9. Log out of the vSphere Client.


10. Log in to the vCenter Server Appliance, enter [email protected] for the username and
NDGlabpass123! for the password. Click LOGIN.

You may ignore the “browser-OS combination” warning message
presented on the VMware vCenter Single Sign-On page and continue
moving forward with the lab.

11. From the main menu, select Inventory.

12. On the Hosts and Clusters tab, expand sa-vcsa.vclass.local and ICM-Datacenter. Select
sa-esxi-01.vclass.local.


13. In the sa-esxi-01.vclass.local pane, select the Permissions tab. Select the AD\studentadmin
account and click EDIT.

14. In the Change Role window, change the Role in the drop-down menu to Administrator. Click OK.

Changing the studentadmin account user role to Administrator in vSphere
would grant the account full access to all the features and functions of the
vSphere platform, including the ability to create, modify, and delete VMs,
configure network and storage settings, and perform other advanced tasks.

This would give the studentadmin account more flexibility and control over the
virtual environment, and would allow them to perform more advanced tasks
and experiments.

However, this also would increase the risk of misconfigurations or accidental
changes that could cause the virtual environment to become unstable or
unavailable. This decision should be taken after careful consideration of the
needs of the environment and the potential risks involved.


15. Verify that AD.VCLASS.LOCAL\studentadmin appears in the list, is assigned the Administrator Role,
and is Defined In This object and its children.

16. Log out of the vSphere Client.

17. Log in to the vCenter Server Appliance, enter [email protected] for the username and
NDGlabpass123! for the password. Click LOGIN.

You may ignore the “browser-OS combination” warning message
presented on the VMware vCenter Single Sign-On page and continue
moving forward with the lab.

18. Verify you are logged in as [email protected].



19. From the main menu, select Inventory.

20. On the Hosts and Clusters tab, expand sa-vcsa.vclass.local, ICM-Datacenter, and
sa-esxi-01.vclass.local. Select sa-vcsa.vclass.local. Notice that studentadmin still does not have privileges
to view the sa-vcsa.vclass.local object.

21. Select ICM-Datacenter. Notice that studentadmin still does not have privileges to view the
ICM-Datacenter object.


22. Select sa-esxi-01.vclass.local. Notice that you can still view the sa-esxi-01 object.

23. Right-click and expand sa-esxi-01.vclass.local and notice that you now have access to make
changes on the sa-esxi-01.vclass.local host.


24. Right-click on LinuxCLI-01 and select Power. Notice the Actions that are available.


It is important to remember that when the studentadmin account was given
administrative access to the sa-esxi-01.vclass.local object, this access is only
valid for that specific object. To give the studentadmin access to other objects
in the environment, such as other VMs or hosts, the permissions on the VCSA
itself must be modified. This can be done by editing the user role for the
studentadmin account in the vSphere Client or by using PowerCLI to change
the permissions on the VCSA object. It is important to be cautious when
making changes to the permissions on the VCSA object, as this can have a
significant impact on the overall security and stability of the virtual
environment.

In vSphere, roles and permissions are used to control access to vSphere objects
and their associated actions. Roles are collections of privileges that can be
assigned to users and groups to control their access to vSphere objects. Each
role is associated with a set of privileges that determine the actions that can
be performed on an object.

vSphere includes a set of predefined roles that can be used to assign
permissions to users and groups. These roles include:

• Administrator: has full control over all vSphere objects
• Read-only: can only view vSphere objects and their properties, but
cannot make changes
• No access: no access to vSphere objects and their properties

In addition to the predefined roles, vSphere allows administrators to create
custom roles with a specific set of privileges to suit their organization's needs.

vSphere also allows for the use of object-level permissions, which allows
setting permission for an individual object rather than for an entire
datacenter. This can be useful for situations where you want to give a user
access to a specific VM, but not to other VMs in the same datacenter.

Overall, roles and permissions in vSphere provide a flexible and granular
means of controlling access to vSphere objects and their associated actions,
allowing administrators to secure the environment while providing
appropriate access to the users.
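As an added example (written for this lab, not part of the NDG lab guide or VMware's code), the following Python model resolves a user's effective role on an inventory object the way Tasks 3, 4 and 6 and the note above describe: the nearest permission on the path from the object up to the root wins, an ancestor's permission applies only when it was set to propagate, and a global permission behaves like a propagating permission at the top of the tree. The inventory objects and grants mirror this lab; the privilege sets attached to each role are assumed, representative subsets of the real roles.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed, representative privilege subsets for the roles this lab uses.
# Real vSphere roles carry many more privileges; the IDs follow vSphere naming.
ROLES = {
    "Administrator": {
        "System.View", "System.Read", "Host.Config.Network",
        "Host.Inventory.AddHostToCluster", "VirtualMachine.Inventory.Create",
        "VirtualMachine.Interact.PowerOn", "ContentLibrary.CreateLocalLibrary",
    },
    "Content library administrator (sample)": {
        "System.View", "System.Read", "ContentLibrary.CreateLocalLibrary",
    },
    "Virtual machine user (sample)": {
        "System.View", "System.Read", "VirtualMachine.Interact.PowerOn",
        "VirtualMachine.Interact.PowerOff", "VirtualMachine.Interact.Reset",
    },
}


@dataclass
class Obj:
    """One inventory object; permissions maps principal -> (role, propagate)."""
    name: str
    parent: Optional["Obj"] = None
    permissions: dict = field(default_factory=dict)

    def child(self, name: str) -> "Obj":
        return Obj(name, parent=self)

    def grant(self, principal: str, role: str, propagate: bool) -> None:
        """Add or replace the permission for a principal on this object."""
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        self.permissions[principal] = (role, propagate)


def effective_role(obj: Obj, principal: str) -> Optional[str]:
    """Walk from obj toward the root. The nearest permission for the principal
    wins; an ancestor's permission counts only if it propagates to children.
    None means the principal has no permission here at all (cannot even view)."""
    node, depth = obj, 0
    while node is not None:
        entry = node.permissions.get(principal)
        if entry is not None and (depth == 0 or entry[1]):
            return entry[0]
        node, depth = node.parent, depth + 1
    return None


def can(obj: Obj, principal: str, privilege: str) -> bool:
    """True if the principal's effective role on obj carries the privilege."""
    role = effective_role(obj, principal)
    return role is not None and privilege in ROLES[role]


def audit(objects: dict, principal: str) -> dict:
    """Effective role per object: the review to run after any permission change."""
    return {name: effective_role(o, principal) for name, o in objects.items()}


def build_lab() -> dict:
    """Constructed inventory mirroring this lab's topology and permissions.
    Global permissions are modelled as a propagating permission on a synthetic
    root above the vCenter object (a simplification of the real global root)."""
    root = Obj("global root")
    vcsa = root.child("sa-vcsa.vclass.local")
    dc = vcsa.child("ICM-Datacenter")
    host1 = dc.child("sa-esxi-01.vclass.local")
    host2 = dc.child("sa-esxi-02.vclass.local")
    vm = host1.child("LinuxCLI-01")
    # Task 3: global permission for cladmin, propagated to children
    root.grant(r"AD.VCLASS.LOCAL\cladmin",
               "Content library administrator (sample)", propagate=True)
    # Task 4: object permission on sa-esxi-01 only, propagated to its VMs
    host1.grant(r"AD.VCLASS.LOCAL\studentadmin",
                "Virtual machine user (sample)", propagate=True)
    return {"root": root, "vcsa": vcsa, "dc": dc,
            "host1": host1, "host2": host2, "vm": vm}


if __name__ == "__main__":
    lab = build_lab()
    for who in (r"AD.VCLASS.LOCAL\cladmin", r"AD.VCLASS.LOCAL\studentadmin"):
        print(who, audit(lab, who))
```

Running it reproduces what Tasks 5 and 6 have you observe in the client: cladmin can create content libraries but cannot add hosts at the datacenter, while studentadmin cannot view sa-vcsa or ICM-Datacenter, can power on LinuxCLI-01, and gains host-level changes only after the role on sa-esxi-01 is switched to Administrator.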

25. The lab is now complete; you may end your reservation.
