This topic discusses the roles required to be assigned to the vCenter user for integration with Avi Load Balancer.

You need to create the following roles:

  • AviRole-Global

  • AviRole-Folder

AviRole-Global

This role must apply Global Permissions. It allows the user to upload SE OVF to the content library, allocate space on datastore to create a virtual machine (VM) and assign networks to it.

Role Summary

VCenter Version 8.0
The AviRole-Global needs the following permissions:

  • Content Library

    • Add library items

    • Delete library items

    • Update files

    • Update library items

  • Datastore

    • Allocate space

    • Remove file

  • Host

    • Configuration

      • Network Configuration

  • Network

    • Assign network

    • Remove

  • Resource

    • Assign virtual machine to resource pool

  • vApp

    • Import

  • Virtual machine

    • Change Configuration

      • Add new disk

      • Advanced configuration

Creating AviRole-Global

To create AviRole-Global,

  1. Log in to the vCenter UI as admin.

  2. Navigate to Administration > Roles as shown below:



  3. Click New to create a new role.

  4. Click Content Library and select the following permissions:



    1. Add library item

    2. Delete library item

    3. Update files

    4. Update library item

  5. Click Datastore and select Allocate space and Remove file.

  6. Click Network and select Assign network and Remove.

  7. Click Virtual Machine and select Add new disk.

  8. Click vApp and select Import.

  9. Click Next.

  10. Specify the Role name as AviRole-Global and specify a Description, if required.

  11. Click Create.

AviRole-Folder

This role must be applied to the folder where the admin wants the Avi Load Balancer Service Engine VMs to be created. It contains the permissions to create an SE folder, create SE VM from template, assign it to a resource pool, and perform operations on the VM like adding devices, powering it on/ off, and connecting its vNICs to networks. This role restricts the VM operations only to the folder to which the role is applied.

You can apply this role at the folder level into which the Service Engines will be provisioned.

Note:

This folder must be created before using it.

The AviRole-Folder needs the following permissions:

  • dvPort group (Select this option for vCenter version 8.0)

    • Create

    • Delete

    • Modify

    • Policy operation

    • Scope operation

  • Distributed switch (Select this option for vCenter version 8.0)

    • Create

    • Host operation

    • Modify

    • Network I/O control operation

    • Policy operation

    • Port configuration operation

    • Port setting operation

  • Datacenter (Select this option for vCenter version 8.0)

    • Network protocol profile configuration

    • Query IP pool allocation

    • Release IP allocation

  • Datastore (Select this option for vCenter version 8.0)

    • Allocate space

    • Browse datastore

    • Configure datastore

    • Low level file operations

    • Remove file

    • Update virtual machine files

    • Update virtual machine metadata

  • Folder

    • Create folder

  • Host (Select this option for vCenter version 8.0)

    • CIM

      • CIM interaction

    • Configuration

      • Change Settings

      • Hyperthreading

      • Image configuration

      • Memory configuration

      • Network configuration

      • Power

      • System Management

      • System resources

      • Virtual machine autostart configuration

    • Local operations

      • Add host to vCenter

      • Create virtual machine

      • Delete virtual machine

      • Manage user groups

      • Reconfigure virtual machine

  • Network

    • Assign network

    • Configure network (Select this option for vCenter version 8.0)

    • Move network (Select this option for vCenter version 8.0)

    • Remove network

  • Performance (Select this option for vCenter version 8.0)

    • Modify intervals

  • Resource

    • Assign virtual machine to resource pool

  • Tasks

    • Create task

    • Update task

  • vApp

    • Add virtual machine

    • Assign resource pool

    • Assign vApp

    • Create

    • Delete

    • Export

    • Import

    • Power off

    • Power on

    • vAPP application configuration

    • VApp instance configuration

  • Virtual machine

    • Change Configuration

      • Add existing disk

      • Add new disk

      • Add or remove device

      • Advanced configuration

      • Change CPU count

      • Change Memory

      • Change Settings

      • Change resource

      • Extend virtual disk

      • Modify device settings

      • Remove disk

    • Edit Inventory

      • Create new

      • Remove

      • Register

      • Unregister

    • Interaction

      • Connect devices

      • Install VMware Tools

      • Power off

      • Power on

      • Reset

    • Provisioning

      • Allow disk access

      • Allow file access

      • Allow read-only disk access

      • Deploy template

      • Mark as virtual machine

Creating AviRole-Folder

To create AviRole-Folder,

  1. Log in to the vCenter UI as admin.

  2. Navigate to Administration > Roles as shown in the previous section.



  3. Click New to create a new role.

  4. Click Folder and select Create folder.

  5. Click Network, and select Assign network, Configure network, Move network, and Remove.



  6. Click Resource and select Assign virtual machine to resource pool.

  7. Click Tasks and select Create task and Update task.

  8. Click Virtual Machine and select the permissions as shown below:

    1. Change Configuration

      • Add existing disk

      • Add new disk

      • Add or remove device

      • Advanced configuration

      • Change CPU count

      • Change Memory

      • Change Settings

      • Change resource

      • Extend virtual disk

      • Modify device settings

      • Remove disk

    2. Edit Inventory

      • Create new

      • Remove

      • Register

      • Unregister

    3. Interaction

      • Connect devices

      • Install VMware Tools

      • Power off

      • Power on

      • Reset

    4. Provisioning

      • Allow disk access

      • Allow file access

      • Allow read-only disk access

      • Deploy template

      • Mark as virtual machine

  9. Click vApp and select the permissions as shown below:

    • Add virtual machine

    • Assign resource pool

    • Assign vApp

    • Create

    • Delete

    • Export

    • Import

    • Power off

    • Power on

    • vAPP application configuration

    • VApp instance configuration

  10. Click Next.

  11. Specify the Role name as AviRole-Folder and specify a Description, if required.

  12. Click Create.

Note:

While creating the folder at vCenter, you should select New VM and Template Folder option.

Combined AviRole

If the vCenter admin does not want to restrict VM operations to a folder and wants to assign the permissions globally, a single AviRole can be created with permissions as shown above and applied as Global Permissions instead of creating AviRole - Global and AviRole - Folder.

Assigning the Roles

Assign the global and folder level roles, as discussed below:

Assigning AviRole-Global

  1. Log in to vCenter UI and navigate to Global Permissions.



  2. Click ADD sign to add a new permission:

  3. Select the Domain.

  4. Search and select the required username (this will be used for authentication in the Avi Load Balancer cloud configuration).

  5. Click Propagate to children. The Add Permission screen is as shown below:



  6. Click OK.

Assigning AviRole-Folder

  1. Log in to vCenter UI and navigate to VMs and Templates.



  2. Select the VM folder to create Avi Load Balancer SEs and navigate to Permissions tab.



  3. Click ADD to add a new permission.

  4. Select theDomain.

  5. Search and select the required username (this will be used for authentication in the Avi Load Balancer cloud configuration).

  6. Click Propagate to children. The Add Permission screen is as shown below:

  7. Click OK.