vCenter Permissions/Roles overkill? maybe? maybe not… specifically with View 4.0.1

Related Products:
  • VMWare View 4.0.1
  • VMWare vCenter 4.0 U1
Problem Statement:
When creating a View Desktop Pool, no folder path, or datastores are presented and a whole other slew of errors should you decide NOT to grant the administrator role to the View Composer Service Account.
Resolution:
View Composer Role permissions need to be granted in 1 or 6 places in vCenter depending on how restricted the account should be.  1 place would be to grant the administrator role to the View Composer Service Account @ the vCenter Node Level and propagate down.  If the aim to to restrict access to one cluster/host, then the View Composer Role must be applied to the following areas:
Pictures are provided as an example and are not a reflection of how all vCenter servers are configured/designed.
  1. VM and Templates – Role added to Chosen Target Folder, Gold Image Folder, and the “VMWareViewComposerReplicaFolder
    1. ViewComposerReplicaFolder
  2. Hosts and Clusters – Role added to Host | Cluster
    1. ClustersViewPerms
  3. Datastores – Role added to Datastores related to Cluster or Host chosen.
    1. DatastoresViewedit
  4. Datacenter – Role added to Datacenter node, do NOT propagate the View Composer Role permission.
    1. Datacenter Perms
  5. vCenter – This would be the name of your vCenter server, Add the role to this node, do NOT propagate.
    1. vCenterPerms
  6.  Networking – All networks would need to be sorted into folders and your service account granted read-only permissions all networks or just ones you specify.
Further reading:
I came across something interesting today while I was setting up my production View environment.  One of the requirements when setting up View Composer is that it needs an account that has be part of the administrator group of the Windows OS on the vCenter server.  Not a big deal since we don’t grant access to “BuiltIn\Administrators” rights to vCenter itself.
Now granted, the service account needs rights to vCenter which is up next, requirements state that the vCenter Composer service account be granted what VMWare calls the “View Composer” Role.  ACTUAL View Composer Role Permissions needed, to break it down on one table here it is:
[UPDATED Permissions Table found HERE]
Privilege Group Privilege(s) to Enable
Folder Create Folder
Delete Folder
Datastore Browse Datastore
File Management - (This is listed in the admin guide, VMWare needs to clarify this.)  My understanding is the following:
Allocate Space
Remove File
Virtual Machine Inventory (All Rights)
Configuration (All Rights)
Interaction > Power On
Interaction > Power Off
Interaction > Suspend
Interaction > Reset
State
Provisioning > Clone
Provisioning > Allow Disk Access
Provisioning > Deploy Template
Provisioning > Read Customization Specifications
Resource Assign Virtual Machine to Resource Pool
Global Enable Methods
Disable Methods
NOT in the admin guide:
System Tag
Global Tag
Network NOT in the admin guide:
Assign Network
Sessions NOT in the admin guide:
Validate session
View and Stop sessions

Comments

Iwan 1005 22-03 said…
Enjoyed the article! Thanks for sharing.

To me, it is another example why I recommend a separate vCenter for Desktop.

e1 @ vmware.com
December 18, 2011 at 3:32 AM
Zsoldier said…
Thanks Iwan! Separate vCenter is fine too, but it's still good practice to secure a service account to it's bare necessities.
December 21, 2011 at 6:51 PM
Post a Comment

Popular posts from this blog

NSX-T: Release associated invalid node ID from certificate

Image
Summary: Basically had an expiring certificate registered in NSX-T that was associated to a node_id that is no longer valid.  Long story short, there wasn't anything obvious in API to delete or disassociate a certificate from a node_id for 3.2.2.  Not sure how things got in this state, but annotating for future reference.  This may change in future revisions, so always check API for latest. Details: Effectively had a stale node associated w/ a certificate that was expiring.  Could not delete certificate until that node was disassociated from the certificate. To get certificate details and associated node_id's, you can use the following curl call (UI works too): curl -k -X GET -H "Content-Type: application/json" -u admin https://<manager ip>/api/v1/trust-management/certificates/<cert UUID> Above will return something like this: Below must be run from one of the manager nodes via elevation to root: ONLY RUN THIS IF YOU ARE ABSOLUTELY SURE OF WHAT YOU ARE DO...
Read more

NSX-T: vCenter and NSX-T Inventory out of Sync (Hosts in vSphere not showing up in NSX-T)

Image
Summary: NSX-T loses synch w/ vCenter inventory, but statuses don't appear to show an issue.  Basically, you add a host to a vCenter cluster, NSX-T bits should start to automatically installing on new host.  Assuming you've created a Transport Node Profile and associated w/ the cluster.  The problem is that NSX-T doesn't see the new host and its link to the compute manager (vCenter) looks fine. Looks fine, Y U NO WORK!? So what's going on here?  This appears to affect NSX-T 2.5 and 2.5.1.  Cause is unknown. Workaround: Restart the cm-inventory service on each NSX-T mgmt/controller node using API or CLI. Details: If you were to query the status of the cm-inventory via API or CLI, you could query all 3 manager/controller nodes and get a status of running.  Even if the primary node associated w/ the VIP, if configured, is not necessarily in charge of inventory.  So you could restart the cm-inventory service till you are blue in the face ...
Read more

MacOS: AnyConnect VPN client was unable to successfully verify the IP forwarding table modifications.

Image
The VPN client was unable to successfully verify the IP forwarding table modification.  A VPN connection will not be established. Summary: I started running into issue utilizing Cisco AnyConnect on my Mac basically complaining about not able to overwrite IP forwarding tables.  This was on 4.6.x.  Since my VPN endpoints were not providing me w/ an updated client and w/ no access to Cisco Anyconnect downloads, my only option was to try openconnect.  It was totally worth it, here is why and how to set it up. PreReqs: Homebrew Installing OpenConnect: Launch MacOS Terminal brew install openconnect Getting VPN IP's/DNS Endpoints from AnyConnect: The information is typically located in your profile xml files located here: /opt/cisco/anyconnect/profile/somethingsomething.xml In the xml file, you are looking for "<HostAddress>typicallyaDNSName.com</HostAddress>" entry.  These are your VPN endpoints that you would need to pass to openconnec...
Read more