Best Practices For Roles And Permissions - VMware 4817V62 - vSphere - PC Administration Manual

Basic system administration

vSphere Basic System Administration
4. Select Inventory > Permissions > Properties.
5. In the Change Access Role dialog box, select a role for the user or group from the drop-down menu.
6. To propagate the privileges to the children of the assigned inventory object, click the Propagate check box and click OK.
Remove Permissions
Removing a permission for a user or group does not remove the user or group from the list of those available.
It also does not remove the role from the list of available items. It removes the user or group and role pair from
the selected inventory object.
Procedure
1. From the vSphere Client, click the Inventory button in the navigation bar.
2. Expand the inventory as needed and click the appropriate object.
3. Click the Permissions tab.
4. Click the appropriate line item to select the user or group and role pair.
5. Select Inventory > Permissions > Delete.

vCenter Server removes the permission setting.

Best Practices for Roles and Permissions

Use best practices for roles and permissions to maximize the security and manageability of your vCenter Server
environment.
VMware recommends the following best practices when configuring roles and permissions in your vCenter
Server environment:
- Where possible, grant permissions to groups rather than individual users.
- Grant permissions only where needed. Using the minimum number of permissions makes it easier to understand and manage your permissions structure.
- If you assign a restrictive role to a group, check that the group does not contain the Administrator user or other users with administrative privileges. Otherwise, you could unintentionally restrict administrators' privileges in parts of the inventory hierarchy where you have assigned that group the restrictive role.
- Use folders to group objects to correspond to the differing permissions you want to grant for them.
- Use caution when granting a permission at the root vCenter Server level. Users with permissions at the root level have access to global data on vCenter Server, such as roles, custom attributes, vCenter Server settings, and licenses. Changes to licenses and roles propagate to all vCenter Server systems in a Linked Mode group, even if the user does not have permissions on all of the vCenter Server systems in the group.
- In most cases, enable propagation on permissions. This ensures that when new objects are inserted into the inventory hierarchy, they inherit permissions and are accessible to users.
- Use the No Access role to mask specific areas of the hierarchy that you don't want particular users to have access to.
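
The following Python example is added here and is not part of the VMware manual. It reviews a list of permissions against four of the practices above (groups over users, root-level grants, propagation, and restrictive roles that catch administrators). The record layout, the set of restrictive roles, the "/" root path, and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed layout for one exported permission (user-or-group and role pair on an object).
@dataclass(frozen=True)
class Permission:
    entity: str        # inventory path; "/" stands for the root vCenter Server level
    principal: str     # user or group name
    role: str
    is_group: bool
    propagate: bool

# Assumption: roles treated as restrictive; adjust to the roles defined in your environment.
RESTRICTIVE_ROLES = {"No Access", "Read-Only"}

def audit(perms, group_members, admins):
    """Return sorted (entity, principal, finding) tuples that need review."""
    findings = set()
    for p in perms:
        if not p.is_group:
            findings.add((p.entity, p.principal, "granted to individual user"))
        if p.entity == "/":
            findings.add((p.entity, p.principal, "root-level permission"))
        if not p.propagate:
            findings.add((p.entity, p.principal, "propagation disabled"))
        if p.is_group and p.role in RESTRICTIVE_ROLES:
            # A restrictive role on a group also restricts any administrators in it.
            caught = sorted(set(group_members.get(p.principal, ())) & set(admins))
            if caught:
                findings.add((p.entity, p.principal,
                              "restrictive role covers admins: " + ", ".join(caught)))
    return sorted(findings)

# Constructed sample data (not taken from a real vCenter Server system).
SAMPLE_PERMS = [
    Permission("/", "vc-admins", "Administrator", True, True),
    Permission("/DC1/vm/Finance", "finance-ops", "Virtual Machine User", True, True),
    Permission("/DC1/vm/Finance", "jsmith", "Read-Only", False, True),
    Permission("/DC1/vm/Lab", "all-staff", "No Access", True, True),
    Permission("/DC1/host/Cluster1", "net-team", "Read-Only", True, False),
]
SAMPLE_GROUPS = {"all-staff": ["jsmith", "Administrator"], "net-team": ["kdoe"]}
SAMPLE_ADMINS = {"Administrator"}

if __name__ == "__main__":
    for entity, principal, finding in audit(SAMPLE_PERMS, SAMPLE_GROUPS, SAMPLE_ADMINS):
        print(f"{entity:22} {principal:12} {finding}")
```

Findings are prompts for review, not violations: a root-level grant to an administrators group or a deliberately non-propagating permission can be intended.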
VMware, Inc.
