Data Center Virtualization Certification:VCP6.5-DCV Exam Guide

Compare and contrast propagated and explicit permission assignments

The VMware vSphere RBAC model is based on the following concepts:

  • Inventory: A collection of multiple virtual or physical objects managed by vCenter, in a hierarchical organization. In vCenter Server, there are four different types of inventories, with different types of objects. For more information, refer to Table 1.1.
  • Object: Each object in the vCenter inventory has associated permissions, or inherits them from its parent object.
  • User and Group: In vCenter Server, users are authenticated through the SSO component; in ESXi, users are authenticated either locally or through Active Directory (AD) (refer to Objective 1.3). Note that you can only assign privileges to authenticated users, or to groups of authenticated users.
  • Privilege: This is the ability to access or execute specific functions, tasks, and operations.
  • Role: Roles are just groups of privileges, used to make permissions management much easier.
  • Permission: A permission binds a specific user or group to a role on a specific object.

The following table summarizes the types of inventories, with the different types of objects:

vCenter inventory | Related objects
Hosts and clusters | vCenter Servers, Data centers, Folders, Clusters, Hosts, Resource pools, vApps, VMs
VMs and templates | vCenter Servers, Data centers, Folders, vApps, VMs, Templates
Storage (Data stores and data store clusters) | vCenter Servers, Data centers, Folders, Data store clusters, Data stores
Networking | vCenter Servers, Data centers, Folders, Portgroups, Distributed Virtual Switches, Distributed Portgroups, Distributed Uplinks

Table 1.1: Permission, role, user/group, and object

VMware vCenter permissions are assigned to objects in the vCenter inventory hierarchy by specifying which user or group has which privileges on that object. The privileges themselves are specified through roles.

The same concepts are used for ESXi local permissions, but with some limitations: for example, the predefined roles are limited, and users/groups are limited to local ESXi accounts and/or Active Directory (AD) domains. Also, there is only a single inventory.

The different vCenter inventories can be used to provide different levels of object hierarchies, and to group objects in different ways. Note that some objects (such as VMs) can exist in multiple inventories.

Later sections in this chapter will help you to understand how permissions are propagated through the object hierarchy. 

It is good practice to assign only the permissions that are actually required; this increases security and keeps the permission structure clear.

Global permissions are applied at a global root level, instead of to a specific object. In this way, a global permission grants privileges on all objects in all inventories, but only if you assign the global permission with the Propagate to children option selected. Without propagation, the user only has access to some global functionalities, such as creating roles. Also, remember that global permissions can span different VMware products.
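To make the propagation rules concrete, here is a small Python model (an added example, not code from the book or from VMware) of how an effective role is resolved: an explicit assignment on an object wins, an ancestor's assignment applies only when it was made with Propagate to children, and a non-propagating global permission grants nothing on inventory objects. The role names, privilege strings and inventory tree are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional
# Illustrative roles; privilege strings are constructed, not the real vSphere privilege IDs.
ROLES = {
    "Administrator": {"VirtualMachine.PowerOn", "VirtualMachine.Delete", "Authorization.ModifyRoles"},
    "ReadOnly": set(),
    "VMPowerUser": {"VirtualMachine.PowerOn"},
}

@dataclass
class Perm:
    principal: str   # user or group name
    role: str
    propagate: bool  # the "Propagate to children" option

@dataclass
class Obj:
    name: str
    parent: Optional["Obj"] = None
    perms: dict = field(default_factory=dict)  # principal -> Perm
    def grant(self, principal, role, propagate=True):
        self.perms[principal] = Perm(principal, role, propagate)

# The global root sits above every inventory; global permissions are assigned here.
GLOBAL_ROOT = Obj("global-root")

def effective_role(obj, principal):
    """Explicit assignment on the object itself wins; otherwise the nearest
    ancestor's assignment applies, but only if it was made with propagate=True."""
    node, depth = obj, 0
    while node is not None:
        p = node.perms.get(principal)
        if p is not None and (depth == 0 or p.propagate):
            return p.role
        node, depth = node.parent, depth + 1
    return None  # no applicable permission: access denied

def has_privilege(obj, principal, privilege):
    role = effective_role(obj, principal)
    return role is not None and privilege in ROLES[role]

def build_sample():
    """Constructed inventory: global-root > vcenter01 > Datacenter > Cluster-A > web01."""
    vc = Obj("vcenter01", GLOBAL_ROOT)
    dc = Obj("Datacenter", vc)
    cl = Obj("Cluster-A", dc)
    vm = Obj("web01", cl)
    GLOBAL_ROOT.grant("alice", "Administrator", propagate=False)  # global, not propagated
    dc.grant("bob", "ReadOnly", propagate=True)                   # inherited by cluster and VM
    vm.grant("bob", "VMPowerUser", propagate=False)               # explicit on the VM only
    return {"dc": dc, "cluster": cl, "vm": vm}
```

Bob is read-only on the cluster through propagation, but the explicit assignment on the VM overrides it; Alice's non-propagated global permission lets her manage roles at the root yet gives her no role on any inventory object.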

Note that vSphere tags are a specific vCenter object type, with their own permission propagation model. This is because a tag object is not a child of vCenter, but is created at the vCenter root level. If you have multiple vCenter Servers in linked mode, then all tag objects will be shared across all vCenter Server instances. To learn how permissions are applied to tag objects, you can refer to the vSphere 6.5 Security Guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-2199584C-B422-4EEF-9340-5449E1FB7DAE.html).