Lab 15 Part 1 - User Permissions

Video Description
Lab 15 Part 1: User Permissions. This lab discusses user permissions. Participants will learn step-by-step instructions in this lab-based class on how to do the following:
- Create a custom role for vCenter
- Assign permissions to objects in the inventory
Video Transcription
00:04
Hello and welcome to lab number 15. In this lab,
00:07
we will be doing some more work with user permissions.
00:11
We'll create a custom role for vCenter,
00:14
and then we'll assign some permissions to objects in the inventory and then verify that the permissions work as we expect them to.
00:22
So a couple of things
00:24
to think about right off the bat. First of all, we have to log into our Web client,
00:30
and in order to do some of these tasks,
00:35
we need to make sure that we are logged in as a single sign on administrator.
00:39
And by default,
00:42
that would be
00:43
the vsphere.local
00:46
domain.
00:47
And
00:49
the name of the account is administrator,
00:55
default password is vmware.
00:58
We'll go ahead and get logged in. If you log in as a regular administrator,
01:03
you can do some of these tasks, such as creating roles and assigning, but you need to be single sign on administrator
01:10
in order to
01:11
configure
01:12
single sign on to actually use your Active Directory instance.
01:19
So what I had to do here is
01:21
create this identity source,
01:23
So I'm in the administration page, and then under the single sign on I could go to configuration
01:30
and I can edit this source. We can see what's here.
01:37
If you're using Windows Active Directory, you simply select Active Directory as an LDAP server,
01:42
type in your domain name. You need your base
01:46
distinguished name for users, base distinguished name for groups, which in this case is the same for both.
01:52
Then I just specify the IP address or the URL to my LDAP server.
01:56
Port 389 is also standard.
01:59
And then I have to specify the administrator account within the vmware domain,
02:05
the vmware.local domain,
02:07
and I've already created that configuration so that we can do this.
02:12
Once that's done,
02:13
we can go to the users and groups
02:15
and you'll see that vsphere.local
02:19
does have some
02:21
predefined accounts.
02:23
So you see our administrator that we're logged in as, you can see that right there,
02:30
and then we have vmware.local,
02:32
which is the Active Directory
02:35
configuration that I have running on the
02:38
2012 server.
02:42
Okay, so our first task is to create a new role.
02:46
So we're gonna go back to home.
02:49
We'll go to the administration
02:51
button
02:53
and we go to roles.
02:57
Roles is already selected,
03:00
and the provider of the roles
03:02
in this case is such a training because that is the name of our
03:07
vCenter Server Appliance.
03:12
Okay, so, um,
03:14
and again, this particular task can be done as a regular administrator. You do not need to be the single sign on administrator for this particular portion, but since we're already logged in, we can go ahead and do this.
03:24
So I click the plus sign to create a new role,
03:29
and
03:30
this role is going to be called VM creator.
03:36
And now we have to select
03:39
various different privileges
03:43
from these available choices here.
03:45
to make this a little bit bigger,
03:46
you can see more of that.
03:52
Okay.
03:53
And so, first of all, I want to go to my data store
03:58
privilege,
04:00
open that one up,
04:00
and I want to allow this VM creator to allocate space,
04:05
Since they'll need to be able to do that in order to
04:09
create the virtual hard drive.
04:13
Close that one. I go down now to network
04:16
under network. I want to be able to assign a network to the virtual machine
04:21
that that gets created by this
04:24
by this role,
04:26
then under resource,
04:30
we need to be able to assign a virtual machine to a resource pool.
04:35
So we'll check that box
04:41
then under virtual machine.
04:46
I've got some subgroups here. I need to go to the configuration group,
04:51
and I want to be able to add a new disk
04:56
and remove device
04:59
and
05:00
be able to change memory.
05:03
Okay, So close the configuration subgroup.
05:05
Now, I need to go to virtual machine
05:10
interaction.
05:14
In this case, I want all of the privileges there in the interaction subgroup. Quite a few things there.
05:19
You could check these all individually. Or just check the high level box or the upper level box. And that will select everything within that group for you.
05:30
Then, under virtual machine inventory,
05:33
I want to be able to create a new machine.
05:38
Okay, so that's all the privileges that this role will be allowed
05:42
to utilize.
05:44
But as you can tell,
05:45
there are quite a
05:47
wide variety of different things you can
05:49
assign to a role. Very granular control here.
05:55
All right, so go ahead and click OK.
05:58
See, my task is running
06:00
on the right side. If you're not too familiar with the Web client, you get a chance to see a little bit more of that now,
06:05
and now we have our role, VM creator.
06:11
Okay, so the role's created. Now let's
06:15
assign this role
06:16
to something in our inventory so we can go back
06:23
and we want to look at
06:27
our vCenter
06:30
and then we go
06:31
to VMs and templates.
06:33
If you recall, I created some folders
06:36
in my data center
06:40
to show how you can organize some of your
06:44
virtual machines.
06:45
So in this case, I have some VMs in the Lab VMs folder. This is where I want to make my changes.
06:50
So whatever level you select, the vCenter Server Appliance, under the Manage tab and the Permissions button, you can see
06:59
what roles have already been assigned here.
07:00
And I've already done some work assigning roles.
07:05
That's why there's some items here. vsphere.local administrator is a default role; root will be there as well.
07:14
And then I added an administrator for the vmware.local domain and the users group
07:18
as read-only.
07:20
In any case, I want to assign permissions to
07:25
this particular folder. So anything that goes in this folder will then inherit
07:30
the permissions if we
07:33
have the certain check box selected.
07:36
Okay, so
07:39
what we'll do now is add a permission,
07:42
clicking the plus sign.
07:45
Let's make this window a little bit bigger here.
07:47
Okay, So now, at this point,
07:50
we need to select
07:53
a user or a group that we'd like
07:56
to work with. So we click the add button
08:00
and my domain that I want to look at is vmware.
08:03
So these are all of the available choices.
08:07
Good.
08:09
And I've got a non privileged account
08:13
in this domain called Student,
08:16
so I can just double click student. It adds it down here we see what domain it's in. You can also click the add button if you wish,
08:24
and you can even do a search.
08:26
So if I wanted to look for student, if I had a lot of accounts to look for or to sort through, may be faster just to do a search.
08:33
If you select a group that you'd like to add that will show up on this second field here
08:39
can also click the check names button
08:41
and it will verify that that exact name does exist within your
08:46
domain.
08:48
So I will go ahead and click OK.
08:50
I can see by default,
08:52
The
08:54
this user has no access.
08:56
So what I want to do,
08:58
what I could do is go through and select all these different things. Like we just saw it
09:05
when I created the role. But
09:05
since the role's already here,
09:09
I could just scroll down
09:11
and look for VM creator.
09:15
So this becomes much easier to administer larger amounts of
09:18
of users by creating the roles
09:20
and having groups defined, that way you just had to remove people from groups and they inherit
09:28
all the permissions that were assigned.
09:31
Also note
09:31
this Propagate to children check box.
09:35
We can click the View Children
09:37
link
09:37
and we can see that because I'm using a folder object.
09:41
The children in this case are the
09:43
inventory items that are in the folder.
09:46
So these,
09:46
this role and the privileges that it has will propagate to these children,
09:50
making another way to very easily control the permissions for a large
09:56
environment of virtual machines where you've got a lot of different groupings and you can get all those organized and then assign permissions at the folder level.
10:05
Okay, so VM creator is our role
10:07
and we will go ahead and click OK.
10:13
let's have a look here.
10:16
Okay. So student
10:18
is defined here
10:20
for each VM. We can see under the Manage tab, that Permissions button.
10:24
I go to the second VM, I can see the same role is
10:30
defined for Lab VMs.
10:33
I go to Lab VMs by itself. I can see that at the folder level
10:37
Student is also defined.
10:39
When I was clicking it before, guess the screen just didn't refresh. I was just trying to double check that. So we can verify now that those permissions
10:48
are in effect.
10:50
Okay, so our next task
10:52
is we're going to assign
10:56
some permissions to one of our hosts.
10:58
So I'll go back here
11:01
one level back and go to hosts and clusters.
11:07
And one of my hosts is, ah,
11:11
0.100. The other was 0.200, so under the Manage tab again and Permissions,
11:16
I can now see that,
11:20
uh,
11:22
I've got my My default settings are actually some of the same things. I've already made changes I've already made.
11:31
Okay, so I'll select my 0.200 host.
11:35
And now I can add
11:39
a permission here.
11:43
I'll go ahead and
11:46
select my vmware domain.
11:48
the search from previously working with this is still here. So that's why the student account came up by itself.
11:56
I'll click the add button,
12:00
and I can now go ahead and pick the
12:03
VM creator role for the student account.
12:09
Now that gets applied to the entire host
12:11
because the Propagate to children
12:15
box was checked and we can get a confirmation of that here.