Removing Or Modifying Users And Groups; Best Practices For Users And Groups; Using Roles To Assign Privileges - VMware 4817V62 - vSphere - PC Administration Manual

Basic system administration
The group lists in vCenter Server and an ESX/ESXi host are drawn from the same sources as the user lists. If
you are working through vCenter Server, the group list is called from the Windows domain. If you are logged
on to an ESX/ESXi host directly, the group list is called from a table maintained by the host.
Create groups for the vCenter Server system through the Windows domain or Active Directory database.
Create groups for ESX/ESXi hosts using the Users and Groups tab in the vSphere Client when connected
directly to the host.
NOTE If you use Active Directory groups, make sure that they are security groups and not distribution groups.
Permissions assigned to distribution groups are not enforced by vCenter Server. For more information on
security groups and distribution groups, see the Microsoft Active Directory documentation.

Removing or Modifying Users and Groups

When you remove users or groups, you also remove permissions granted to those users or groups. Modifying
a user or group name causes the original name to become invalid.
See the Security chapter in the ESX Configuration Guide or ESXi Configuration Guide for information about
removing users and groups from an ESX/ESXi host.
To remove users or groups from vCenter Server, you must remove them from the domain or Active Directory
users and groups list.
If you remove users from the vCenter Server domain, they lose permissions to all objects in the vSphere
environment and cannot log in again. Users who are currently logged in and are removed from the domain
retain their vSphere permissions only until the next validation period (the default is every 24 hours). Removing
a group does not affect the permissions granted individually to the users in that group, or those granted as
part of inclusion in another group.
If you change a user's name in the domain, the original user name becomes invalid in the vCenter Server
system. If you change the name of a group, the original group becomes invalid only after you restart the vCenter
Server system.

Best Practices for Users and Groups

Use best practices for managing users and groups to increase the security and manageability of your vSphere
environment.
VMware recommends several best practices for creating users and groups in your vSphere environment:
- Use vCenter Server to centralize access control, rather than defining users and groups on individual hosts.
- Choose a local Windows user or group to have the Administrator role in vCenter Server.
- Create new groups for vCenter Server users. Avoid using Windows built-in groups or other existing groups.

Using Roles to Assign Privileges

A role is a predefined set of privileges. Privileges define basic individual rights required to perform actions
and read properties.
When you assign a user or group permissions, you pair the user or group with a role and associate that pairing
with an inventory object. A single user might have different roles for different objects in the inventory. For
example, if you have two resource pools in your inventory, Pool A and Pool B, you might assign a particular
user the Virtual Machine User role on Pool A and the Read Only role on Pool B. This would allow that user to
power on virtual machines in Pool A, but not those in Pool B, although the user would still be able to view the
status of the virtual machines in Pool B.
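The Pool A / Pool B example above, and the removal rules from the previous section, replayed in a small constructed model. This is added illustration, not vSphere code or its API: the user name "alice", the group "vm-operators" and the privilege strings are assumptions, and the model shows the state after the next validation period has run.

```python
from dataclasses import dataclass

# Constructed model of the page's concepts, not vSphere's API: a role is a
# named set of privileges; a permission pairs one principal (user or group)
# with one role on one inventory object. Privilege strings are illustrative.
POWER_ON, VIEW = "VirtualMachine.Interact.PowerOn", "System.View"
ROLES = {"Virtual Machine User": {VIEW, POWER_ON}, "Read Only": {VIEW}}

@dataclass(frozen=True)
class Permission:
    principal: str  # a user or a group name
    role: str       # key into ROLES
    obj: str        # inventory object the pairing is attached to

@dataclass
class Directory:
    """Stand-in for the Windows domain: existing users and group membership."""
    users: set
    groups: dict  # group name -> set of member user names

    def principals_for(self, user):
        """The names a permission may match: the user plus every group holding it."""
        if user not in self.users:  # removed from the domain: nothing matches after validation
            return set()
        return {user} | {g for g, m in self.groups.items() if user in m}

def has_privilege(perms, directory, user, obj, privilege):
    """True if a permission on obj grants privilege to user or one of its groups."""
    principals = directory.principals_for(user)
    return any(p.obj == obj and p.principal in principals
               and privilege in ROLES[p.role] for p in perms)

def demo():
    """Replay the page's Pool A / Pool B example, then the two removal rules."""
    d = Directory(users={"alice"}, groups={"vm-operators": {"alice"}})
    perms = [Permission("vm-operators", "Virtual Machine User", "Pool A"),
             Permission("alice", "Read Only", "Pool B")]
    out = {"poweron_a": has_privilege(perms, d, "alice", "Pool A", POWER_ON),
           "poweron_b": has_privilege(perms, d, "alice", "Pool B", POWER_ON),
           "view_b": has_privilege(perms, d, "alice", "Pool B", VIEW)}
    # Removing the group drops only what the group granted; alice's own
    # Read Only permission on Pool B survives.
    del d.groups["vm-operators"]
    out["poweron_a_no_group"] = has_privilege(perms, d, "alice", "Pool A", POWER_ON)
    out["view_b_no_group"] = has_privilege(perms, d, "alice", "Pool B", VIEW)
    # Removing the user from the domain invalidates every permission for it.
    d.users.discard("alice")
    out["view_b_no_user"] = has_privilege(perms, d, "alice", "Pool B", VIEW)
    return out
```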
VMware, Inc.
Chapter 18 Managing Users, Groups, Roles, and Permissions
211
