As you expand your use of ESXi servers, you may find that you need to delegate certain tasks to users who require only limited rights on the host. In the example below, we will grant user1 permissions on the VMs TEST1 and TEST2 and user2 permissions on TEST3. When we start, we have the VMs listed. Once this process is complete, each user will be able to access only the VMs that they have permission to.
The first step is to create one or more roles that match the rights we want to grant to the users. In this example, the role is called VM Administrator. Click on Administration\Roles. Right-click to add a new role and enter a role name. For this role, I want to grant the right to manage snapshots, configure the CD-ROM/floppy for the VM, access the VM console and manage the power status of the VM.
The list of rights is quite extensive, and many of the rights shown only apply to hosts that are managed by vCenter Server. The process we follow here is the same one that would be used with vCenter Server. The difference is that on a standalone host you use local accounts, while with vCenter Server you use Windows users and groups.
Once the role is created, we next want to create our users. Select Inventory and then go to the Users & Groups tab. Right-click to add a new user. You only have to enter a login and password.
The next step is optional. It may be easier to create resource pools and then organize your VMs in resource pools. This allows us to assign permissions to the resource pools rather than to individual VMs. By default, permissions propagate, so if you add a new VM to a resource pool it will have the same permissions as the other VMs in the pool. VMs can be dragged and dropped into the appropriate pools.
The next step is to assign permissions to the resource pools. We select the Permissions tab for the User1 resource pool and then add user1 with the VM Administrator role. Note that the “Propagate to child objects” option is enabled. In the second image, the VM Administrator role has been granted to user2 on the User2 resource pool, and we can see that the role has propagated to the TEST3 VM.
The last step is to verify the changes made. The image below shows four instances of the VI Client connected to the host. We can note the following differences:
- The root login is able to see all VMs and all objects such as datastores and virtual machine networks.
- The logins user1 and user2 can see only the VMs that they have permissions on.
- User1 does not have permission at the host level and thus sees the message “You do not have permission to access this object”.
- User1 does not have network and datastore permissions, so those fields are empty when selecting a VM.
- User2 has limited rights on the VM and thus can’t perform operations like add permission, delete from disk or rename.
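The same role, user, resource pool and permission steps can be scripted with VMware PowerCLI and then verified by connecting as each user, which is useful when the configuration has to be repeated or audited. The script below is an added example written for this post, not the author's own procedure; the host name is a placeholder, the passwords are read at run time, and the privilege IDs are my mapping of the rights chosen above (snapshots, CD-ROM/floppy, console, power operations) onto the vSphere privilege names.

```powershell
# Added example (not from the original post): role-based delegation on a
# standalone ESXi host with PowerCLI, followed by a per-user visibility check.
# Assumptions: PowerCLI is installed, 'esxi-host.example.local' is a placeholder
# for your host, and the VMs TEST1/TEST2/TEST3 already exist on it.

$esxHost = 'esxi-host.example.local'   # placeholder, replace with your host
Connect-VIServer -Server $esxHost -User root | Out-Null   # prompts for the root password

# Step 1: a role holding only the privileges the post grants. Least privilege means
# listing them explicitly rather than cloning Administrator and removing items.
$privilegeIds = @(
    'VirtualMachine.State.CreateSnapshot',        # manage snapshots
    'VirtualMachine.State.RemoveSnapshot',
    'VirtualMachine.State.RevertToSnapshot',
    'VirtualMachine.Interact.SetCDMedia',         # configure CD-ROM/floppy
    'VirtualMachine.Interact.SetFloppyMedia',
    'VirtualMachine.Interact.DeviceConnection',
    'VirtualMachine.Interact.ConsoleInteract',    # VM console
    'VirtualMachine.Interact.PowerOn',            # power status
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Suspend',
    'VirtualMachine.Interact.Reset'
)
$role = New-VIRole -Name 'VM Administrator' -Privilege (Get-VIPrivilege -Id $privilegeIds)

# Step 2: local host accounts (a vCenter deployment would use Windows users/groups).
$user1Pw = Read-Host -Prompt 'Password for user1'
$user2Pw = Read-Host -Prompt 'Password for user2'
New-VMHostAccount -Id 'user1' -Password $user1Pw -UserAccount | Out-Null
New-VMHostAccount -Id 'user2' -Password $user2Pw -UserAccount | Out-Null

# Steps 3 and 4: one resource pool per user, move the VMs in, grant the role on
# the pool with propagation so VMs added later inherit the same permission.
function Grant-PoolToUser {
    param(
        [string]   $PoolName,
        [string]   $Principal,
        [string[]] $VmNames
    )
    $pool = New-ResourcePool -Name $PoolName -Location (Get-VMHost -Name $esxHost)
    Move-VM -VM (Get-VM -Name $VmNames) -Destination $pool | Out-Null
    New-VIPermission -Entity $pool -Principal $Principal -Role $role -Propagate:$true | Out-Null
    # Return the permission as recorded on the pool so the caller can inspect it.
    Get-VIPermission -Entity $pool -Principal $Principal
}

Grant-PoolToUser -PoolName 'User1' -Principal 'user1' -VmNames 'TEST1', 'TEST2'
Grant-PoolToUser -PoolName 'User2' -Principal 'user2' -VmNames 'TEST3'

# Verification: log in as each delegated user and list what the host shows them.
# This mirrors the four VI Client sessions in the post; each user should see only
# the VMs in their own pool.
function Get-VisibleVmNames {
    param([string] $User, [string] $Password)
    $session = Connect-VIServer -Server $esxHost -User $User -Password $Password -NotDefault
    try {
        (Get-VM -Server $session | Select-Object -ExpandProperty Name) | Sort-Object
    }
    finally {
        Disconnect-VIServer -Server $session -Confirm:$false
    }
}

"user1 sees: $((Get-VisibleVmNames -User 'user1' -Password $user1Pw) -join ', ')"
"user2 sees: $((Get-VisibleVmNames -User 'user2' -Password $user2Pw) -join ', ')"

Disconnect-VIServer -Server $esxHost -Confirm:$false
```

If a user unexpectedly sees more than their own VMs, check `Get-VIPermission -Entity (Get-VMHost)` for a permission granted at the host level, since a host-level grant with propagation enabled overrides the per-pool scoping that this procedure relies on.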
In this example, we have seen how users and roles can be used to assign permissions to objects on your ESXi host. For more reading, see this VirtualCenter Roles and Permissions document. The document is geared to vCenter Server deployments, but many of the permissions and concepts still apply to a standalone host.