Hello and welcome to lab number 15. In this lab,
we will be doing some more work with user permissions.
We will create a custom role in vCenter,
and then we'll assign some permissions to objects in the inventory and then verify that the permissions work as we expect them to.
So a couple of things
to think about right off the bat. First of all, we have to log into our Web Client,
and in order to do some of these tasks,
we need to make sure that we are logged in as a single sign-on administrator.
the vsphere.local
the name of the account is administrator
default password is vmware.
We'll go ahead and get logged in. If you log in as a regular administrator,
you can do some of these tasks, such as creating roles and assigning, but you need to be single sign-on administrator
single sign-on to actually use your Active Directory instance.
So what I had to do here is
create this identity source,
So I'm in the administration page, and then under Single Sign-On I could go to Configuration
and I can edit this source. We can see what's here.
If you're using Windows Active Directory, you simply select Active Directory as an LDAP server,
type in your domain name. You need your base
distinguished name for users, base distinguished name for groups, which in this case is the same for both.
Then I just specify the IP address or the URL to my LDAP server.
Port 389 is also standard.
And then I have to specify the administrator account within the vmware domain
vmware.local domain
and I've already created that configuration so that we can do this.
we can go to the users and groups
and you'll see that vsphere.local,
So you see our administrator that's logged in, as you can see that right there
and then we have vmware.local,
which is the Active Directory
configuration that I have running on the
Okay, so our first task is to create a new role.
So we're gonna go back to home.
We'll go to the administration
Roles is already selected,
and the provider of the roles
in this case is such a training because that is the name of our
vCenter Server Appliance.
and again, this particular task can be done as a regular administrator. You do not need to be the single sign-on administrator for this particular portion, but since we're already logged in, we can go ahead and do this.
So I click the plus sign to create a new role,
this role is going to be called VM Creator.
And now we have to select
various different privileges
from these available choices here
to make this a little bit bigger,
you can see more of that.
And so, first of all, I want to go to my datastore
and I want to allow this VM Creator to allocate space.
Since they'll need to be able to do that in order to
create the virtual hard drive.
Close that one. I go down now to Network.
Under Network, I want to be able to assign a network to the virtual machine
that gets created by this
then under resource,
we need to be able to assign a virtual machine to a resource pool.
So we'll check that box
then under Virtual Machine,
I've got some subgroups here. I need to go to the Configuration group,
and I want to be able to add a new disk
be able to change memory.
Okay, so close the Configuration subgroup.
Now, I need to go to virtual machine
In this case, I want all of the privileges there in the interaction subgroup. Quite a few things there.
You could check these all individually. Or just check the high level box or the upper level box. And that will select everything within that group for you.
Then, under virtual machine inventory,
I want to be able to create a new machine.
Okay, so that's all the privileges that this role will be allowed
But as you can tell,
wide variety of different things you can
assign to a role. Very granular control here.
All right, so go ahead and click OK.
See, my task is running
on the right side If you're not too familiar with the Web client, you get a chance to see a little bit more of that now
and now we have our role, VM Creator.
Okay, so the role's created. Now let's
to something in our inventory so we can go back
and we want to look at
VMs and Templates.
If you recall, I created some folders
to show how you can organize some of your
So in this case, I have some VMs in the Lab VMs folder. This is where I want to make my changes.
So whatever level you select, the vCenter Server Appliance, under the Manage tab and the Permissions button, you can see
what roles have already been assigned here.
And I've already done some work assigning roles.
That's why there's some items here. vsphere.local administrator is a default role; root will be there as well.
And then I added administrator for the vmware.local domain and the users group
In any case, I want to assign permissions to
this particular folder. So anything that goes in this folder will then inherit
the permissions if we
have the certain check box selected.
what we'll do now is add a permission
clicking the plus sign.
Let's make this window a little bit bigger here.
Okay, So now, at this point,
a user or a group that we'd like
to work with. So we click the Add button
and my domain that I want to look at is vmware.
So these are all of the available choices.
And I've got a non privileged account
in this domain called Student,
so I can just double-click student. It adds it down here; we see what domain it's in. You can also click the Add button if you wish,
and you can even do a search.
So if I wanted to look for student, if I had a lot of accounts to look for or to sort through, may be faster just to do a search.
If you select a group that you'd like to add, that will show up on this second field here
can also click the Check Names button
and it will verify that that exact name does exist within your
So I will go ahead and click OK.
I can see by default,
this user has no access.
So what I want to do,
what I could do is go through and select all these different things. Like we just saw it
when I created the role. But
since the role's already here,
I could just scroll down
and look for VM creator.
So this becomes much easier to administer larger amounts of
users by creating the roles
and having groups defined; that way you just add or remove people from groups and they inherit
all the permissions that were assigned.
this Propagate to children check box.
We can click the View Children
and we can see that because I'm using a folder object,
the children in this case are the
inventory items there in the folder.
this role and the privileges that it has will propagate to these children
making another way to very easily control the permissions for a large
environment of virtual machines where you've got a lot of different groupings and you can get all those organized and then assign permissions at the folder level.
Okay, so VM Creator is our role
and we will go ahead and click OK,
let's have a look here.
for each VM we can see under the Manage tab that Permissions button
I go to the second VM. I can see the same role is
defined for Lab VMs.
I go to Lab VMs by itself. I can see that at the folder level
Student is also defined.
When I was clicking it before, I guess the screen just didn't refresh. I was just trying to double check that. So we can verify now that those permissions
Okay, so our next task
is we're going to assign
some permissions to one of our hosts.
So I'll go back here
one level back and go to Hosts and Clusters.
And one of my hosts is
0.100. The other was 0.200, so under the Manage tab again and Permissions.
I've got my default settings, actually some of the same things. I've already made changes.
Okay, so I'll select the 0.200 host.
select my vmware domain
the search from previously working with this is still here. So that's why the student account came up by itself.
I'll click the add button,
and I can now go ahead and pick the
VM Creator role for the student account.
Now that gets applied to the entire host
because the Propagate to children
box was checked and we can get a confirmation of that here.