Skip to main content

Access Hierarchy in vCenter

 

Access Hierarchy in vCenter


Ever wondered how you can give a user access to some artifacts within a vCenter and then deny the same user access to other artifacts?

The access hierarchy in vCenter is role-based, leveraging permissions applied at various object levels in the vSphere inventory. Here’s a breakdown

Permissions = User/Group + Role + Object

Access is granted when a user or group is assigned a role (set of privileges) on a specific inventory object (like a VM, cluster, or datastore).


Hierarchical Structure of vCenter Inventory

vCenter’s inventory is hierarchical and permission inheritance flows top-down unless explicitly disabled. Here’s the structure from top to bottom:

vCenter Root
│
├── Datacenter(s)
│   ├── Cluster(s)
│   │   ├── Host(s)
│   │   │   ├── VM(s)
│   │   │   └── Resource Pools
│   │   └── DRS/HA settings
│   ├── Storage (Datastores, Datastore Clusters)
│   └── Networking (Port Groups, dvSwitches)

Inheritance Behavior

  • Permissions propagate downward unless you check “Propagate: No” when assigning the permission.
  • Permissions do not propagate upward — no automatic access to parent objects.
  • Conflicts are resolved by the most specific object’s permission.

Types of Roles (Built-in & Custom)

Roles define sets of privileges. vCenter comes with several built-in roles:

  • Administrator – Full control.
  • Read-Only – View-only access.
  • No Access – Deny access (used to explicitly block).
  • Virtual Machine Power User – VM-specific operations.
  • Resource Pool Administrator, etc.

You can create custom roles for fine-grained control (e.g., “Helpdesk VM Operator” or “Backup Admin”).


Common Object-Level Access Design

Object LevelCommon Use Case
vCenter RootGlobal Admins – infrastructure-wide control
DatacenterRegion- or function-specific control
ClusterWorkload team separation (e.g., Dev, Prod)
HostSeldom directly assigned, usually via cluster
VMHelpdesk or app team access
DatastoreBackup/Storage teams
Resource PoolChargeback / resource segregation
vDS / PortgroupNetwork team access

Identity Integration

vCenter supports:

  • vSphere SSO Domain (vsphere.local)
  • Active Directory / LDAPS
  • Enhanced Linked Mode (ELM) – Federates multiple vCenters with common SSO

You assign Active Directory groups to roles for scalable RBAC, especially in large enterprises.


Security Best Practices

  1. Use Groups over Individual Users – Easier to audit and manage.
  2. Principle of Least Privilege – Assign only needed permissions.
  3. Avoid Using Administrator Role – Especially for service accounts.
  4. Audit Permissions Regularly – Especially after organizational changes.
  5. Isolate Tenants with Folder/Resource Pools – For multi-tenancy or departmental control.

Advanced Architect Tips

  • Tag-Based Access Control (TBAC): From vSphere 7+, you can use tags + automation tools (e.g., vRealize Orchestrator) to apply policies dynamically.
  • vRealize Automation (vRA) integration can abstract underlying hierarchy from users.
  • Service Accounts: Use custom roles with limited privileges, and audit often.



Comments

Popular posts from this blog

Step-by-Step Explanation of Ballooning, Compression & Swapping in VMware

 ðŸ”¹ Step-by-Step Explanation of Ballooning, Compression & Swapping in VMware ⸻ 1️⃣ Memory Ballooning (vmmemctl) Ballooning is the first memory reclamation technique used when ESXi detects memory pressure. ➤ Step-by-Step: How Ballooning Works  1. VMware Tools installs the balloon driver (vmmemctl) inside the guest OS.  2. ESXi detects low free memory on the host.  3. ESXi inflates the balloon in selected VMs.  4. Balloon driver occupies guest memory, making the OS think RAM is full.  5. Guest OS frees idle / unused pages (because it believes memory is needed).  6. ESXi reclaims those freed pages and makes them available to other VMs. Why Ballooning Happens?  • Host free memory is very low.  • ESXi wants the VM to release unused pages before resorting to swapping. Example  • Host memory: 64 GB  • VMs used: 62 GB  • Free: 2 GB → ESXi triggers ballooning  • VM1 (8 GB RAM): Balloon inflates to 2 GB → OS frees 2 GB → ESXi re...

Quick Guide to VCF Automation for VCD Administrators

  Quick Guide to VCF Automation for VCD Administrators VMware Cloud Foundation 9 (VCF 9) has been  released  and with it comes brand new Cloud Management Platform –  VCF Automation (VCFA)  which supercedes both Aria Automation and VMware Cloud Director (VCD). This blog post is intended for those people that know VCD quite well and want to understand how is VCFA similar or different to help them quickly orient in the new direction. It should be emphasized that VCFA is a new solution and not just rebranding of an old one. However it reuses a lot of components from its predecessors. The provider part of VCFA called Tenenat Manager is based on VCD code and the UI and APIs will be familiar to VCD admins, while the tenant part inherist a lot from Aria Automation and especially for VCD end-users will look brand new. Deployment and Architecture VCFA is generaly deployed from VCF Operations Fleet Management (former Aria Suite LCM embeded in VCF Ops. Fleet Management...
  Issue with Aria Automation Custom form Multi Value Picker and Data Grid https://knowledge.broadcom.com/external/article?articleNumber=345960 Products VMware Aria Suite Issue/Introduction Symptoms: Getting  error " Expected Type String but was Object ", w hen trying to use Complex Types in MultiValue Picker on the Aria for Automation Custom Form. Environment VMware vRealize Automation 8.x Cause This issue has been identified where the problem appears when a single column Multi Value Picker or Data Grid is used. Resolution This is a known issue. There is a workaround.  Workaround: As a workaround, try adding one empty column in the Multivalue picker without filling the options. So we can add one more column without filling the value which will be hidden(there is a button in the designer page that will hide the column). This way the end user will receive the same view.