vCenter roles and Permission can be very difficult to sort out. I hope with this post you will help to understand and grasp this concept better.
Here are the VMware best practices for for Role and Permissions.
VMware recommends the following best practices when configuring roles and permissions in your vCenter Server environment:
- Where possible, grant permissions to groups rather than individual users.
- Grant permissions only where needed. Using the minimum number of permissions makes it easier to understand and manage your permissions structure.
- If you assign a restrictive role to a group, check that the group does not contain the Administrator user or other users with administrative privileges. Otherwise, you could unintentionally restrict administrators’ privileges in parts of the inventory hierarchy where you have assigned that group the restrictive role.
- Use folders to group objects to correspond to the differing permissions you want to grant for them.
- Use caution when granting a permission at the root vCenter Server level. Users with permissions at the root level have access to global data on vCenter Server, such as roles, custom attributes, vCenter Server settings, and licenses. Changes to licenses and roles propagate to all vCenter Server systems in a Linked Mode group, even if the user does not have permissions on all of the vCenter Server systems in the group.
- In most cases, enable propagation on permissions. This ensures that when new objects are inserted in to the inventory hierarchy, they inherit permissions and are accessible to users.
- Use the No Access role to masks specific areas of the hierarchy that you don’t want particular users to have access to.
This was taken from VMware vSphere 5.1 Documentation
Here is the list of default roles:
No Access (ESXi/vCenter)
- Cannot view or change object
- Tabs in vSphere client appear, but contain no content
- Mainly used to revoke permissions that may otherwise be inherited.
Read Only (ESXi/vCenter)
- View state and details about object
- Can view all tabs in vSphere client with exception of the console tab
- Cannot perform any actions through menus or toolbars
- All privileges for all objects.
- Can add, remove, and set access rights and privileges for all vCenter Server users and all objects within the virtual infrastructure.
Virtual Machine Power User (vCenter)
- A set of privileges to allow users to interact with and make changes to hardware of the virtual machines
- Also allowed to manage snapshots.
- All privileges for schedule tasks.
- Selected privileges for global items, datastore and vim privileges groups.
- No privileges for folder, datacenter, network, host, resource, alarms, sessions, performance and permissions privileges groups.
- Normally granted on a folder that contains VMs or on individual VMs
Virtual Machine User (vCenter)
- Allows the user to interact with the VMs’ console, insert media, and perform power operations.
- No privileges to make changes to hardware.
- All privileges to schedule tasks.
- Selected privileges on global items
- No privileges for the folder, datacenter, datastore, network, host, resource, alarms, sessions, performance, and permissions privileges groups.
- Usually granted on a folder that contains virtual machines or on individual virtual machines.
Resource Pool Administrator (vCenter)
- Allows user to create child resource pools and modify configuration of the children, but cannot modify configuration for the pool or cluster where the permission was granted.
- User can grant permissions to child resource pools and assign VMs to the parent or the child.
- All privileges for folder, virtual machine, alarms, and scheduled task privileges groups.
- Selected privileges for resource and permissions privileges groups.
- No privileges for datacenter, network, host, sessions, or performance privileges groups.
- Additional privileges must be granted on virtual machines and datastores to allow provisioning of new virtual machines.
- Usually granted on a cluster or on a resource pool
Datastore Consumer (vCenter)
- Allows a user to consume space on the datastore that the role was granted.
- Things like creating a virtual disk or creating a snapshot require the user to have additional virtual machine privileges.
- Usually granted on a datastore or folder of datastores.
Network Consumer (vCenter)
- Allows user to assign VMs or hosts to networks (only if the appropriate privileges are granted on the VMs/hosts).
- Usually granted on a network or folder of networks.
The above table was taken from mwpreston.net.
Knowing what these default roles can accomplish can help you secure your enviroment for Compliance and/or a design requirement that was give by Stakeholder.