
Follow these steps to assign vSphere permissions and roles

Admins can use vSphere permissions to assign VM controls to different IT groups within their enterprise. Follow the networking example below to get started.

The role of permissions in vSphere management is to segregate VM control among different application support teams. A permission is a pairing of a user or group with a role, and it is applied to an object, such as a data store or VM.

To understand how to use vSphere permissions, it's helpful to follow an example. To give the networking team the ability to attach a VM to a port group, for instance, you'll need to create a role and then assign the networking team that role.

Step 1: Create the role

Open the vSphere Web Client, click the house icon at the top to go to the homepage, and then click Roles under Administration.

Image 1: The vSphere Web Client homepage.

To create a new role, click the green plus button. Give your role a name. In this example, the name is Connect_Network. Then, assign some privileges to the role. We will add only the Assign network privilege from the Network group. Click OK to create your new role.

Image 2: Create a role in vSphere.

Step 2: Assign the role to a group

Switch to an inventory view. In this example, we will use the Networking view. To give the Admin_Network group the ability to connect VMs to any port group in the Lab data center, right-click the data center and click Add Permission...

Image 3: Add Permissions.

In the Add Permission dialogue, click the Add button at the bottom. In the Select Users/Groups dialogue, find the user or group to which you want to assign the permission -- in this case, the Admin_Network group -- then click Add and OK.

Image 4: Choose a user or group.

Back on the Add Permission screen, select the role we created, Connect_Network, from the drop-down list in the Assigned Role box, and then click OK.

Image 5: Select a role.

Now all members of the Admin_Network group can connect VMs to any port group in the data center. Click the Manage tab and then the Permissions tab to see each user's vSphere permissions. You can see the most recently added permission at the top of this list, along with all of the other permissions.

Image 6: See each user's permissions in the Permissions tab.
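Steps 1 and 2 can also be scripted and then checked for least privilege. The following PowerCLI sketch is an added example, not part of the original article; the vCenter name and the domain prefix on the group are constructed placeholders, and it assumes VMware PowerCLI is installed and the account is allowed to manage roles.

```powershell
# Added example. Constructed values: vCenter name and the domain prefix on the group.
$vCenter   = 'vcenter.example.local'    # placeholder, replace with your vCenter
$principal = 'EXAMPLE\Admin_Network'    # 'EXAMPLE' domain is an assumption
$roleName  = 'Connect_Network'
$dcName    = 'Lab'

Connect-VIServer -Server $vCenter | Out-Null

# Step 1: create the role with only the "Assign network" privilege (ID Network.Assign).
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id 'Network.Assign')
}

# Step 2: grant the role to the group on the data center and let it
# propagate to child objects, which is what covers every port group.
$dc = Get-Datacenter -Name $dcName
$existing = Get-VIPermission -Entity $dc |
    Where-Object { $_.Principal -eq $principal -and $_.Role -eq $roleName }
if (-not $existing) {
    New-VIPermission -Entity $dc -Principal $principal -Role $role -Propagate:$true | Out-Null
}

# Check 1: the role must not carry anything beyond what was intended.
# vCenter adds the three System.* privileges to every custom role.
$allowed = 'Network.Assign', 'System.Anonymous', 'System.Read', 'System.View'
$extra = (Get-VIRole -Name $roleName).PrivilegeList | Where-Object { $_ -notin $allowed }
if ($extra) {
    Write-Warning "Role $roleName has unexpected privileges: $($extra -join ', ')"
}

# Check 2: flag any other principal that holds this role on the data center.
$others = Get-VIPermission -Entity $dc |
    Where-Object { $_.Role -eq $roleName -and $_.Principal -ne $principal }
if ($others) {
    Write-Warning "Role $roleName is also granted to: $($others.Principal -join ', ')"
}

# The scripted equivalent of the Permissions tab for this data center.
Get-VIPermission -Entity $dc | Sort-Object Principal |
    Format-Table Principal, Role, IsGroup, Propagate, Entity -AutoSize

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Rerunning the script after later role edits shows whether the role has drifted from the privilege set you intended.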

vSphere permissions are a little complicated. To change a VM and connect it to a port group, the Admin_Network team must also have the Virtual Machine Settings privilege, so add that privilege to the Connect_Network role.

Image 7: Give the Admin_Network team the Virtual Machine Settings privilege.

You can use the same methods to control which users can put VM disks on data stores or create VMs on particular vSphere clusters. Create the roles you need and assign them to groups for different objects.
