vCenter Local Permissions
Yesterday I wrote a post about 10 commandments for networking and one of those commandments was to use your individual account and to not to use permissions you don’t rate. The sad reality is that doing the right thing is not always as easy as it should be. Case in point, permissions in vCenter (appliance). Instead of something simple, like being able to click Users -> Add new, to add users to the vCenter Appliance, you must take to the command line.
To provide a bit of background, there are two main ways you can get users into vCenter: local (to the server) accounts and Active Directory (AD) accounts. In the event you haven’t stood up your domain yet, you need temporary connectivity in the event AD is down, or you would like to have accounts that are not dependent on AD, local accounts might be the answer for you.
To create an additional account (or to change the default VMware password), ssh to the IP address of your vCenter server. As you can see from the above graphic, the command to add a user is “useradd” followed by the name of the user you would like to add. The next part is slightly tricky. To set the password for this new user, the command is “passwd” followed by the name of the account you would like to set the password for. You will be prompted to enter the new password you would like. In this case, I entered “password”. The Linux operating system was kind enough to let me know that my password is garbage, but kindly accepts it as long as I type it the same way when asked to confirm it.
The next step is to chose a role for the account. In this case, as you can see above and on the right half of the graphic, I have chosen “read-only”. After you chose the role you would like, click “add” to give your user that role.
Type in the name of your user and click “ok”.
Now that we’ve finished with the permissions portion, let’s do some verification. Because I added “Netadmin” as a read-only account, I should not be able to change anything. Close vCenter (your vSphere client). Open your vSphere client and logon as your read-only account.
Above I have provided two examples that illustrate the permissions worked. With the read-only account we are unable to power on/off a VM (options greyed out) and we see the same thing when we head over to the networking tab. You can see the vSwitches, but the ability to edit any setting has been greyed out.
You will certainly have some tinkering to do to ensure the right people have the right amount of permissions, but now that you know the process you’ve got the necessary tools.