Lesson 2 - Configuring Roles and Permissions

00:04

Hello, I'm Gene Pompilio. Welcome to Cyber Eri were on module nine lesson to now for the virtual ization class, and this lesson will be talking about considering rolls and permissions.

00:14

There's a lot of

00:15

really interesting ways that you can set up your environment to give

00:19

different users or different groups of users the kinds of permissions that you wish and being able to very tightly control what they're allowed to do, what they're not allowed to. D'oh.

00:32

So we'll start off by defining what a permission is.

00:35

And then we'll look at some of the rules for how provisions get applied will go through several examples there,

00:42

and then we'll see what's involved in creating a custom role,

00:45

creating a permission itself

00:48

and

00:49

finish up with doing Labs 14 and 15.

00:54

Okay, so we start off with the Access Control overview.

00:59

We have three different or four different things. Think about here. We start off with our privilege

01:03

and a privilege is some kind of action that a role or user or a group of users can perform.

01:10

And as you'll see when you look at the

01:12

the interface for defining the privileges there are, I think it's over 300 different actions that could be

01:19

assigned to AH, user or role. We have a lot of different granular control over what someone's allowed to do, what they're not allowed to. D'oh!

01:30

The role, therefore, is a collection of privileges.

01:33

Uh, you know, you could say someone's allowed to power of'em on someone's allowed to power VM off. Someone can allocate storage. Someone can change a network interface. These air just samples of the kinds of

01:47

privileges that can be grouped together to perform to create a role.

01:52

The object is the target of the action,

01:55

and the object could be anything in your inventory data center,

01:59

a, uh

02:00

ah folder data store, a network, a virtual machine

02:06

host, a cluster,

02:07

a lot of different options for what the object can actually be.

02:12

And then the users and the groups are who actually can perform the actions that were defined as permissions or as a collection of permissions as a role.

02:23

Yes, excited comes with three different roles that air predefined. We have the administrator,

02:28

a read only roll and one that is set up for no access. This is a pretty decent collection of starting roles to work with

02:38

the administrator role in particular. If you have active director integration, which we've talked about in a couple of different sections here,

02:46

then you're SX. Add Mons Group within active directory contains all of the administrators if you're using,

02:53

uh, active directory to do your authentication.

02:57

Otherwise, you can still log in directly to your host as route and be an administrator there. So you got several different ways to

03:06

used the administrator function within the SX. I host,

03:12

uh, so we've got these three built in role. So these air your your system rolls.

03:16

And there's also some other sample roles that get created

03:21

when you install yes X I,

03:23

and you'll see those when you look at the screen, where you're allowed to define the role

03:27

and then you have custom rules where you create the role to have any kinds of permissions that you wish.

03:34

And as I mentioned, there's several 100 different

03:37

individual permission types that you can associate with a role. So you get a lot of control over what a user or group of users is allowed to. D'oh!

03:47

All right, So if we go to the administration

03:51

uh, area of the center.

03:53

That's pretty much should be at the top row of your interface. You'll see a little icon that looks like three little people that your rolls I can.

04:03

And so, for instance, I can create a roll call Virtual Machine Power user.

04:08

When the interface pops up, you'll see that you can add a roll, and on the right side you'll see your entire list of available categories.

04:15

So underneath the privileges area,

04:18

I can select a category of data store.

04:21

Each category can be expanded or contracted by clicking the little little plus sign button.

04:29

When it's expanded, it will be a It'll be a minus

04:31

when you when it's not expanded, it will be a plus sign

04:38

when you select a check box within a category. If I select this check box, everything within that category will get selected, just like you would expect it to work.

04:47

Or you can select individual items within a category if you want to be a little bit more precise about what permissions you're providing for this role.

04:57

So in this case, I want to have a virtual machine power user

05:00

within the day store category. Want them to be able to browse the data store. They're not allowed to allocate space. There's no check box there, so it's a very simple interface to use. Very intuitive.

05:12

As I mentioned on a per object basis, I can assign this particular role if I want.

05:17

If I say I've got a user

05:20

named Jeff and I want to make Jeff of the Empower User, I put him in that group. And then all these different objects can have that particular role assigned.

05:31

So everything from the data center down to individual V EMS and anything in between.

05:38

When you select an object in your inventory, you'll notice that there's a permission tab

05:43

when you select the permission tab. That's when you can see what permissions already defined for that object based on the rolls or groups that are already created.

05:54

And then you can also sign permissions

05:57

so I can just select the user that I want to work with.

06:01

Select the role that I'd like that user tohave from the available choices in the drop down menu.

06:08

And then you get the option to propagate

06:11

the permissions that were defined for that role to child objects,

06:15

and we'll see why that matters and what that really means. Way. Talk about how the permissions get applied.

06:21

So for applying permissions, we have to think about

06:26

child objects, for instance, and this example

06:29

I've got a user named Bill

06:31

Bills in two different groups.

06:33

He's in Group one with a user named Jane. He's in Group two with a user named Sally,

06:39

in this example Bills. It has the administrator role,

06:44

and this is assigned to the lab data center.

06:46

So that means everything underneath the lab data center, which includes these two folders and these four v EMS

06:53

bill would have the administrator role. It's pretty basic concept if

06:57

the,

06:59

uh,

07:00

sorry if the propagate the child objects to check boxes checked, which is by default.

07:04

And in most cases that's what you want. I want to be able to say, Build the administrator for the entire data center. However, I can still have control underneath this to to restrict some of Bill's permissions in this case, the production 01 server. I don't want building any access that to that whatsoever. So, Aiken,

07:24

give him the no access permission here

07:27

now, Bill or no access role. Rather now, Bill can't have any type of access whatsoever here. But he still has administrator access to the folder, the contents of the folder, this folder and that V. M.

07:40

So this is, ah, interesting way that you can break the permissions apart

07:44

into different possibilities.

07:46

Let's look at another example where the permissions get combined.

07:51

In this case, I'm going to say a Group one.

07:55

We'll give this a, uh, VM power on

07:59

role.

08:01

We'll put that at the data center level,

08:03

and then Group two

08:05

can take snapshots

08:09

also at that same data center level.

08:13

Now, since Bill's a member of both groups, has permissions get combined here?

08:18

So that means for the entire data center.

08:22

Bill is a member of Group One can power on any of these the EMS, and he's also

08:26

allowed to take snapshots as a member of a group number two pretty basic idea

08:33

and a great way to control

08:35

within your inventory what kinds of permissions users are allowed to have.

08:41

So let's look at another example

08:45

and this one

08:46

we'll say that Group One same membership for the groups.

08:50

I will say that Group one has administrator privileges here.

08:54

Just write that down his admin

08:56

and then for this particular VM,

09:00

we'll say that group, too,

09:01

is read only. So Bill, as a member of Group One, gets administrative privileges for everything under that data center, with the exception of this VM, because because of his membership in Group two, he has read only access to this. V M

09:18

still has admin for everything else.

09:20

Read only for this one

09:22

so I can combine

09:24

permissions and well restrictive permissions lower in the hierarchy. Here, lower in the inventory can override those that are higher up.

09:31

So I could make this more restrictive, even though you would think if I've got administrative privileges, it should be for everything. From that point down, you have the control to restrict that somewhat.

09:41

Uh, okay, so we'll do another example here. I'm gonna add group too

09:48

back to the data center,

09:52

and I'll say that one's allowed to do snapshots

09:58

at that level.

10:00

And then I can say that

10:03

Ah, Bill,

10:05

as an individual now, not as a member of a group he has read on Lee.

10:11

So how's that gonna work?

10:13

If Bill's a member of Group one, he's also a member of group, too, so that means bill has administrator privileges for everything in this

10:20

inventory underneath the data center, as as a member of Group One

10:24

as a member of group to Bill would have

10:28

snapshot abilities for all these beyond these four v EMS.

10:33

But now I've created eight. Another permission for Bill is an individual which overrides his group membership permissions

10:39

so effectively.

10:41

In this particular scenario,

10:43

thes two permissions will effectively go away because the read only permissions that I signed to build at the data center level would apply to everything below.

10:52

So the more restrictive permission takes precedence over the less restrictive ones which were previously there.

10:58

Okay, So when you're creating a role,

11:01

one of important things to think about is on Lee assigning the permissions pledges rather the privileges that the role requires. We want to follow the principle of Lee's privilege here.

11:13

So in the power users a scenario, Or if you were a backup operator

11:18

or maybe someone who can create the EMS but cannot power them down, it cannot delete them. You could see all the different possibilities for assigning different members of your organization on Lee. Those permissions that they're required to have to do their job and nothing more.

11:35

So that's That's an important consideration to think about when you're designing the way that your your organization's permissions will work

11:43

based on the users themselves and what groups there, right?

11:48

Okay, so

11:50

the next thing to think about is

11:52

creating a permission.

11:56

So just like we can create a role, we can define a permission as well,

11:58

and you get to pick from the same

12:01

items that are available in the list. And you can use that permission in any one of the roles, which can then be assigned to users or groups of users.

12:09

After your next task is to do Labs 14 and 15

12:13

and last 14 you'll get to exercise the different options for creating permissions for different users,

12:22

and we'll have 15. You'll be able to create a custom rule,

12:24

something similar to what we see here with the virtual Machine power user

12:28

and that will allow you to see how that works within the V's fair environment.

12:33

So, to recap,

12:35

we talked about what permissions are, what a privilege is, where role is,

12:39

objects that users and groups and how those all fit together.

12:43

We also know that we have are three building rolls.

12:46

Yes, X admin is automatically get administrator privilege.

12:50

And then we talked about what those objects are

12:54

so that I create the role. I sign it to an object,

12:58

and then I can assign permissions to those objects within the inventory for V center.