Adding a Custom vCenter User with Limited Scope

You can enable users, customers, or tenants to use a shared vCenter while ensuring that each user can only view and manage their own virtual machines. For this solution, each user uses a unique vCenter client instance, providing user credentials that are associated with a specific vCenter user with limited scope.

The vCenter user account must have permissions on the vCenter, datacenter, ESX server, resource pool, VM folder, and virtual machine levels for any virtual machines to be backed up and restored. The backup for a virtual machine fails if the user does not have permission on the vCenter, datacenter, and ESX server where the virtual machine resides. When you assign a user and role for a specific entity, select the option to propagate permissions to child objects, so that operations for virtual machines that use those entities are successful.

To ensure that backups and restores are successful, use the vSphere Client or Web Client to assign user permissions on each required entity.

To hide resources from a user, you can assign a "No access" user role to the entity.

vCenter Server Appliance Setup

To create a user account in the vCenter Server Appliance, first create a role with the required permissions as described in step 2 of the procedure in this topic.

After you create the role, add the user account and associate it with the role you defined as described in the VMware article Create a Local User Account in the vCenter Server Appliance.

Procedure

To add a user with permissions to back up and restore virtual machines in a specific entity, perform the following steps:

  1. On the vCenter server, add a local user:

    1. Use Remote Desktop to log in to the vCenter server and start Server Manager.

    2. Navigate to Configuration > Local Users and Groups > Users.

    3. Right-click Users and then select New User.

    4. Enter the user name and password, then re-enter the password.

    5. Click Create.

  2. In the vSphere Client, add a role:

    1. Go to Home > Administration > Roles, and then click the menu options Administration > Role > Add.

    2. Enter the name of the role (for example, cvAdmin).

    3. Select backup, restore, and VM File Recovery Plug-In privileges as described in Permissions for Custom User Accounts.

    4. Click OK.

  3. In the vSphere Client, add permissions for a user and role at the appropriate level:

    1. Select the entity for which you are adding permissions (for example, a datacenter, host, resource pool, or virtual machine).

    2. Click the Permissions tab.

    3. Right-click in the tab and select Add Permission.

    4. Under Users and Groups, click Add, select the local VSA user on the Select Users and Groups dialog, click Add, and then click OK.

    5. Under Assigned Role, select the role from the drop-down list.

    6. Click OK.

  4. If necessary, create a new virtualization client for the vCenter:

    1. From the CommCell Browser, navigate to Client Computers.

    2. Right-click Client Computers and then select New Client > Virtualization > VMware vCenter.

    3. Enter a descriptive name for the virtualization client in the vCenter Host Name box.

    4. Enter the username and password of the custom vCenter user.

    5. Click Add to select a proxy for backup. On the resulting dialog, select one or more proxies from the Exclude list, click Include or Include All, and then click OK to save the proxy selections.

    6. Click OK to create the virtualization client.

  5. Enter the correct vCenter host name for the Virtual Server instance:

    1. From the CommCell Browser, navigate to Client Computers > virtualization_client > Virtual Server.

    2. Right-click the VMware virtual server instance and select Properties.

    3. Under VMware, enter the actual vCenter host name in the vCenter host name box.

      If necessary, you can also click Change to modify user account information.

    4. Click OK to save instance properties.
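As an added example that is not part of this documentation, the following PowerCLI script checks, for one virtual machine, whether the custom user ends up with an effective permission at each level the backup depends on (vCenter root, datacenter, ESX host, resource pool, VM folder, virtual machine), honoring the propagate flag and flagging "No access". The vCenter name, principal and VM name are placeholders to replace; the script assumes PowerCLI is installed and does not walk intermediate containers such as clusters, nested folders or nested resource pools.

```powershell
# Added example, not Commvault or VMware code. Assumes VMware PowerCLI.
param(
    [string]$VCenter   = 'vcenter.example.local',   # placeholder
    [string]$Principal = 'VSPHERE.LOCAL\cvbackup',  # placeholder custom user
    [string]$VmName    = 'app-vm-01',               # placeholder VM to audit
    [string]$RoleName  = 'cvAdmin'                  # role created in step 2
)
Connect-VIServer -Server $VCenter | Out-Null
$vm = Get-VM -Name $VmName

# Objects that must grant access, in inheritance order (top down).
$chain = @(
    @{ Level = 'vCenter (root)'; Entity = Get-Folder -NoRecursion }
    @{ Level = 'Datacenter';     Entity = Get-Datacenter -VM $vm }
    @{ Level = 'ESX host';       Entity = $vm.VMHost }
    @{ Level = 'Resource pool';  Entity = $vm.ResourcePool }
    @{ Level = 'VM folder';      Entity = $vm.Folder }
    @{ Level = 'Virtual machine'; Entity = $vm }
)

$inherited = $null   # nearest ancestor permission that propagates
$ok = $true
foreach ($item in $chain) {
    # A permission set directly on the object overrides anything inherited.
    $direct = Get-VIPermission -Entity $item.Entity -Principal $Principal -ErrorAction SilentlyContinue
    if ($direct)         { $effective = $direct | Select-Object -First 1; $source = 'direct' }
    elseif ($inherited)  { $effective = $inherited; $source = 'inherited' }
    else                 { $effective = $null }

    $label = "{0} '{1}'" -f $item.Level, $item.Entity.Name
    if (-not $effective) {
        Write-Warning "${label}: no permission for $Principal; backups of this VM will fail here"
        $ok = $false
    } elseif ($effective.Role -eq 'NoAccess') {
        Write-Warning "${label}: hidden from the user (No access)"
        $ok = $false
    } else {
        Write-Host "${label}: role $($effective.Role) ($source)"
        if ($effective.Role -ne $RoleName) { Write-Warning "  expected role $RoleName" }
    }
    # Only a permission marked to propagate flows down to the next level.
    if ($direct -and $effective.Propagate) { $inherited = $effective }
}
Disconnect-VIServer -Server $VCenter -Confirm:$false
if ($ok) { 'All required levels grant access.' } else { 'Fix the warnings above before running a backup.' }
```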