CloudSimple Private Cloud permission model of VMware vCenter
CloudSimple retains full administrative access to the Private Cloud environment. Each CloudSimple customer is granted sufficient administrative privileges to deploy and manage the virtual machines in their environment. If needed, you can temporarily escalate your privileges to perform administrative functions.
Cloud Owner
When you create a Private Cloud, a CloudOwner user is created in the vCenter Single Sign-On domain, with Cloud-Owner-Role access to manage objects in the Private Cloud. This user can also set up additional vCenter Identity Sources and add other users to the Private Cloud vCenter.
Note
The default user for your CloudSimple Private Cloud vCenter is cloudowner@cloudsimple.local when a Private Cloud is created.
User Groups
A group called Cloud-Owner-Group is created during the deployment of a Private Cloud. Users in this group can administer various parts of the vSphere environment on the Private Cloud. This group is automatically given Cloud-Owner-Role privileges, and the CloudOwner user is added as a member of this group. CloudSimple creates additional groups with limited privileges for ease of management. You can add any user to these pre-created groups and the privileges defined below are automatically assigned to the users in the groups.
Pre-created Groups
Group Name | Purpose | Role |
---|---|---|
Cloud-Owner-Group | Members of this group have administrative privileges to the Private Cloud vCenter | Cloud-Owner-Role |
Cloud-Global-Cluster-Admin-Group | Members of this group have administrative privileges on the Private Cloud vCenter Cluster | Cloud-Cluster-Admin-Role |
Cloud-Global-Storage-Admin-Group | Members of this group can manage storage on the Private Cloud vCenter | Cloud-Storage-Admin-Role |
Cloud-Global-Network-Admin-Group | Members of this group can manage network and distributed port groups on the Private Cloud vCenter | Cloud-Network-Admin-Role |
Cloud-Global-VM-Admin-Group | Members of this group can manage virtual machines on the Private Cloud vCenter | Cloud-VM-Admin-Role |
To grant individual users permissions to manage the Private Cloud, create user accounts and add them to the appropriate groups.
Caution
New users must be added only to Cloud-Owner-Group, Cloud-Global-Cluster-Admin-Group, Cloud-Global-Storage-Admin-Group, Cloud-Global-Network-Admin-Group, or Cloud-Global-VM-Admin-Group. Users added to the Administrators group are removed automatically. Only service accounts may be added to the Administrators group, and service accounts must not be used to sign in to the vSphere web UI.
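The group model above (users get the role of each pre-created group they are in, and anything placed in Administrators is removed unless it is a service account) can be checked offline against a membership export. The following is an added example, not CloudSimple's or VMware's own code; the group-to-role mapping comes from the table above, the role privilege sets are a short excerpt of the role tables later on this page, and the users and the export format are constructed.

```python
from typing import Dict, List, Set
# Group -> role mapping, taken from the "Pre-created Groups" table on this page.
GROUP_ROLE: Dict[str, str] = {
    "Cloud-Owner-Group": "Cloud-Owner-Role",
    "Cloud-Global-Cluster-Admin-Group": "Cloud-Cluster-Admin-Role",
    "Cloud-Global-Storage-Admin-Group": "Cloud-Storage-Admin-Role",
    "Cloud-Global-Network-Admin-Group": "Cloud-Network-Admin-Role",
    "Cloud-Global-VM-Admin-Group": "Cloud-VM-Admin-Role",
}

# Excerpt of the role privilege tables as "Category.Privilege" (not the full lists).
ROLE_PRIVS: Dict[str, Set[str]] = {
    "Cloud-VM-Admin-Role": {"Datastore.Allocate space", "Network.Assign network",
        "Virtual machine > Guest operations.Guest operation program execution"},
    "Cloud-Network-Admin-Role": {"dvPort group.Create", "Network.Configure",
        "Virtual machine > Configuration.Modify device settings"},
    "Cloud-Storage-Admin-Role": {"Datastore.Allocate space",
        "Datastore.Low-level file operations", "Storage views.Configure service"},
}

def effective_privileges(user: str, membership: Dict[str, List[str]]) -> Set[str]:
    """Union of the role privileges of every pre-created group the user belongs to."""
    privs: Set[str] = set()
    for group, members in membership.items():
        if user in members and group in GROUP_ROLE:
            privs |= ROLE_PRIVS.get(GROUP_ROLE[group], set())
    return privs

def groups_granting(privilege: str) -> List[str]:
    """Pre-created groups whose role carries the privilege (least-privilege lookup)."""
    return sorted(g for g, r in GROUP_ROLE.items() if privilege in ROLE_PRIVS.get(r, set()))

def audit(membership: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Apply the Caution: Administrators is for service accounts only (other members
    are removed automatically), and any group outside the five is unexpected."""
    findings: Dict[str, List[str]] = {"administrators": [], "unknown_group": []}
    for group, members in membership.items():
        if group == "Administrators":
            findings["administrators"] += sorted(members)
        elif group not in GROUP_ROLE:
            findings["unknown_group"] += [f"{m} in {group}" for m in sorted(members)]
    return findings

# Constructed sample export with hypothetical users; not from a real vCenter.
SAMPLE_MEMBERSHIP: Dict[str, List[str]] = {
    "Cloud-Owner-Group": ["cloudowner@cloudsimple.local"],
    "Cloud-Global-VM-Admin-Group": ["alice@cloudsimple.local", "bob@cloudsimple.local"],
    "Cloud-Global-Storage-Admin-Group": ["alice@cloudsimple.local"],
    "Administrators": ["bob@cloudsimple.local"],
    "CustomOps": ["carol@cloudsimple.local"],
}
```

Membership of Administrators is reported rather than judged, because the export alone cannot tell a service account from a human user; that decision stays with the reviewer.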
List of vCenter privileges for default roles
Cloud-Owner-Role
Category | Privilege |
---|---|
Alarms | Acknowledge alarm, Create alarm, Disable alarm action, Modify alarm, Remove alarm, Set alarm status |
Permissions | Modify permission |
Content Library | Add library item, Create local library, Create subscribed library, Delete library item, Delete local library, Delete subscribed library, Download files, Evict library item, Evict subscribed library, Import storage, Probe subscription information, Read storage, Sync library item, Sync subscribed library, Type introspection, Update configuration settings, Update files, Update library, Update library item, Update local library, Update subscribed library, View configuration settings |
Cryptographic operations | Add disk, Clone, Decrypt, Direct Access, Encrypt, Encrypt new, Manage KMS, Manage encryption policies, Manage keys, Migrate, Recrypt, Register VM, Register host |
dvPort group | Create, Delete, Modify, Policy operation, Scope operation |
Datastore | Allocate space, Browse datastore, Configure datastore, Low-level file operations, Move datastore, Remove datastore, Remove file, Rename datastore, Update virtual machine files, Update virtual machine metadata |
ESX Agent Manager | Config, Modify, View |
Extension | Register extension, Unregister extension, Update extension |
External stats provider | Register, Unregister, Update |
Folder | Create folder, Delete folder, Move folder, Rename folder |
Global | Cancel task, Capacity planning, Diagnostics, Disable methods, Enable methods, Global tag, Health, Licenses, Log event, Manage custom attributes, Proxy, Script action, Service managers, Set custom attribute, System tag |
Health update provider | Register, Unregister, Update |
Host > Configuration | Storage partition configuration |
Host > Inventory | Modify cluster |
vSphere Tagging | Assign or Unassign vSphere Tag, Create vSphere Tag, Create vSphere Tag Category, Delete vSphere Tag, Delete vSphere Tag Category, Edit vSphere Tag, Edit vSphere Tag Category, Modify UsedBy Field For Category, Modify UsedBy Field For Tag |
Network | Assign network, Configure, Move network, Remove |
Performance | Modify intervals |
Host profile | View |
Resource | Apply recommendation, Assign vApp to resource pool, Assign virtual machine to resource pool, Create resource pool, Migrate powered off virtual machine, Migrate powered on virtual machine, Modify resource pool, Move resource pool, Query vMotion, Remove resource pool, Rename resource pool |
Scheduled task | Create tasks, Modify task, Remove task, Run task |
Sessions | Impersonate user, Message, Validate session, View and stop sessions |
Datastore cluster | Configure a datastore cluster |
Profile-driven storage | Profile-driven storage update, Profile-driven storage view |
Storage views | Configure service, View |
Tasks | Create task, Update task |
Transfer service | Manage, Monitor |
vApp | Add virtual machine, Assign resource pool, Assign vApp, Clone, Create, Delete, Export, Import, Move, Power off, Power on, Rename, Suspend, Unregister, View OVF environment, vApp application configuration, vApp instance configuration, vApp managedBy configuration, vApp resource configuration |
VRMPolicy | Query VRMPolicy, Update VRMPolicy |
Virtual machine > Configuration | Add existing disk, Add new disk, Add or remove device, Advanced, Change CPU count, Change resource, Configure managedBy, Disk change tracking, Disk lease, Display connection settings, Extend virtual disk, Host USB device, Memory, Modify device settings, Query Fault Tolerance compatibility, Query unowned files, Raw device, Reload from path, Remove disk, Rename, Reset guest information, Set annotation, Settings, Swapfile placement, Toggle fork parent, Unlock virtual machine, Upgrade virtual machine compatibility |
Virtual machine > Guest operations | Guest operation alias modification, Guest operation alias query, Guest operation modifications, Guest operation program execution, Guest operation queries |
Virtual machine > Interaction | Answer question, Backup operation on virtual machine, Configure CD media, Configure floppy media, Console interaction, Create screenshot, Defragment all disks, Device connection, Drag and drop, Guest operating system management by VIX API, Inject USB HID scan codes, Pause or Unpause, Perform wipe or shrink operations, Power off, Power on, Record session on virtual machine, Replay session on virtual machine, Reset, Resume Fault Tolerance, Suspend, Suspend Fault Tolerance, Test failover, Test restart Secondary VM, Turn off Fault Tolerance, Turn on Fault Tolerance, VMware Tools install |
Virtual machine > Inventory | Create from existing, Create new, Move, Register, Remove, Unregister |
Virtual machine > Provisioning | Allow disk access, Allow file access, Allow read-only disk access, Allow virtual machine download, Allow virtual machine files upload, Clone template, Clone virtual machine, Create template from virtual machine, Customize, Deploy template, Mark as template, Mark as virtual machine, Modify customization specification, Promote disks, Read customization specifications |
Virtual machine > Service configuration | Allow notifications, Allow polling of global event notifications, Manage service configurations, Modify service configuration, Query service configurations, Read service configuration |
Virtual machine > Snapshot management | Create snapshot, Remove snapshot, Rename snapshot, Revert to snapshot |
Virtual machine > vSphere Replication | Configure replication, Manage replication, Monitor replication |
vService | Create dependency, Destroy dependency, Reconfigure dependency configuration, Update dependency |
Cloud-Cluster-Admin-Role
Category | Privilege |
---|---|
Datastore | Allocate space, Browse datastore, Configure datastore, Low-level file operations, Remove datastore, Rename datastore, Update virtual machine files, Update virtual machine metadata |
Folder | Create folder, Delete folder, Move folder, Rename folder |
Host > Configuration | Storage partition configuration |
vSphere Tagging | Assign or Unassign vSphere Tag, Create vSphere Tag, Create vSphere Tag Category, Delete vSphere Tag, Delete vSphere Tag Category, Edit vSphere Tag, Edit vSphere Tag Category, Modify UsedBy Field For Category, Modify UsedBy Field For Tag |
Network | Assign network |
Resource | Apply recommendation, Assign vApp to resource pool, Assign virtual machine to resource pool, Create resource pool, Migrate powered off virtual machine, Migrate powered on virtual machine, Modify resource pool, Move resource pool, Query vMotion, Remove resource pool, Rename resource pool |
vApp | Add virtual machine, Assign resource pool, Assign vApp, Clone, Create, Delete, Export, Import, Move, Power off, Power on, Rename, Suspend, Unregister, View OVF environment, vApp application configuration, vApp instance configuration, vApp managedBy configuration, vApp resource configuration |
VRMPolicy | Query VRMPolicy, Update VRMPolicy |
Virtual machine > Configuration | Add existing disk, Add new disk, Add or remove device, Advanced, Change CPU count, Change resource, Configure managedBy, Disk change tracking, Disk lease, Display connection settings, Extend virtual disk, Host USB device, Memory, Modify device settings, Query Fault Tolerance compatibility, Query unowned files, Raw device, Reload from path, Remove disk, Rename, Reset guest information, Set annotation, Settings, Swapfile placement, Toggle fork parent, Unlock virtual machine, Upgrade virtual machine compatibility |
Virtual machine > Guest operations | Guest operation alias modification, Guest operation alias query, Guest operation modifications, Guest operation program execution, Guest operation queries |
Virtual machine > Interaction | Answer question, Backup operation on virtual machine, Configure CD media, Configure floppy media, Console interaction, Create screenshot, Defragment all disks, Device connection, Drag and drop, Guest operating system management by VIX API, Inject USB HID scan codes, Pause or Unpause, Perform wipe or shrink operations, Power off, Power on, Record session on virtual machine, Replay session on virtual machine, Reset, Resume Fault Tolerance, Suspend, Suspend Fault Tolerance, Test failover, Test restart Secondary VM, Turn off Fault Tolerance, Turn on Fault Tolerance, VMware Tools install |
Virtual machine > Inventory | Create from existing, Create new, Move, Register, Remove, Unregister |
Virtual machine > Provisioning | Allow disk access, Allow file access, Allow read-only disk access, Allow virtual machine download, Allow virtual machine files upload, Clone template, Clone virtual machine, Create template from virtual machine, Customize, Deploy template, Mark as template, Mark as virtual machine, Modify customization specification, Promote disks, Read customization specifications |
Virtual machine > Service configuration | Allow notifications, Allow polling of global event notifications, Manage service configurations, Modify service configuration, Query service configurations, Read service configuration |
Virtual machine > Snapshot management | Create snapshot, Remove snapshot, Rename snapshot, Revert to snapshot |
Virtual machine > vSphere Replication | Configure replication, Manage replication, Monitor replication |
vService | Create dependency, Destroy dependency, Reconfigure dependency configuration, Update dependency |
Cloud-Storage-Admin-Role
Category | Privilege |
---|---|
Datastore | Allocate space, Browse datastore, Configure datastore, Low-level file operations, Remove datastore, Rename datastore, Update virtual machine files, Update virtual machine metadata |
Host > Configuration | Storage partition configuration |
Datastore cluster | Configure a datastore cluster |
Profile-driven storage | Profile-driven storage update, Profile-driven storage view |
Storage views | Configure service, View |
Cloud-Network-Admin-Role
Category | Privilege |
---|---|
dvPort group | Create, Delete, Modify, Policy operation, Scope operation |
Network | Assign network, Configure, Move network, Remove |
Virtual machine > Configuration | Modify device settings |
Cloud-VM-Admin-Role
Category | Privilege |
---|---|
Datastore | Allocate space, Browse datastore |
Network | Assign network |
Resource | Assign virtual machine to resource pool, Migrate powered off virtual machine, Migrate powered on virtual machine |
vApp | Export, Import |
Virtual machine > Configuration | Add existing disk, Add new disk, Add or remove device, Advanced, Change CPU count, Change resource, Configure managedBy, Disk change tracking, Disk lease, Display connection settings, Extend virtual disk, Host USB device, Memory, Modify device settings, Query Fault Tolerance compatibility, Query unowned files, Raw device, Reload from path, Remove disk, Rename, Reset guest information, Set annotation, Settings, Swapfile placement, Toggle fork parent, Unlock virtual machine, Upgrade virtual machine compatibility |
Virtual machine > Guest operations | Guest operation alias modification, Guest operation alias query, Guest operation modifications, Guest operation program execution, Guest operation queries |
Virtual machine > Interaction | Answer question, Backup operation on virtual machine, Configure CD media, Configure floppy media, Console interaction, Create screenshot, Defragment all disks, Device connection, Drag and drop, Guest operating system management by VIX API, Inject USB HID scan codes, Pause or Unpause, Perform wipe or shrink operations, Power off, Power on, Record session on virtual machine, Replay session on virtual machine, Reset, Resume Fault Tolerance, Suspend, Suspend Fault Tolerance, Test failover, Test restart Secondary VM, Turn off Fault Tolerance, Turn on Fault Tolerance, VMware Tools install |
Virtual machine > Inventory | Create from existing, Create new, Move, Register, Remove, Unregister |
Virtual machine > Provisioning | Allow disk access, Allow file access, Allow read-only disk access, Allow virtual machine download, Allow virtual machine files upload, Clone template, Clone virtual machine, Create template from virtual machine, Customize, Deploy template, Mark as template, Mark as virtual machine, Modify customization specification, Promote disks, Read customization specifications |
Virtual machine > Service configuration | Allow notifications, Allow polling of global event notifications, Manage service configurations, Modify service configuration, Query service configurations, Read service configuration |
Virtual machine > Snapshot management | Create snapshot, Remove snapshot, Rename snapshot, Revert to snapshot |
Virtual machine > vSphere Replication | Configure replication, Manage replication, Monitor replication |
vService | Create dependency, Destroy dependency, Reconfigure dependency configuration, Update dependency |