A permission is set on an object in the vCenter Server object hierarchy. Each permission associates the object with a group or user and the group's or user's access role. For example, you can select a virtual machine object, add one permission that gives the ReadOnly role to Group 1, and add a second permission that gives the Administrator role to User 2.
By assigning a different role to a group of users on different objects, you control the tasks that those users can perform in your vSphere environment. For example, to allow a group to configure memory for the host, select that host and add a permission that grants a role to that group that includes the
privilege. For conceptual information about permissions, see the discussion in Understanding the Object-Level Permission Model.
You can assign permissions to objects at different levels of the hierarchy. For example, you can assign permissions to a host object or to a folder object that includes all host objects. See Hierarchical Inheritance of Permissions in vSphere. You can also assign propagating permissions to a global root object to apply the permissions to all objects in all solutions. See Using vCenter Server Global Permissions.
Add a Permission to an Inventory Object
After you create users and groups and define roles, you must assign the users and groups and their roles to the relevant inventory objects. You can assign the same propagating permissions to multiple objects simultaneously by moving the objects into a folder and setting the permissions on the folder.
When you assign permissions, the user and the group names must match Active Directory precisely, including case. If you upgraded from earlier versions of vSphere, check for case inconsistencies if you experience problems with groups.
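The case check mentioned above can be run offline against an exported permission list. This is an added example, not VMware's code; the CSV layout, the account names and the function name `audit_principals` are assumptions constructed for illustration.

```python
# Added example: audit exported permission rows for principal names whose
# case differs from the directory. The row layout below is an assumption,
# not a vCenter export format.
import csv
import io

# Constructed sample: account names exactly as the directory spells them.
DIRECTORY_NAMES = ["CORP\\VM-Admins", "CORP\\HostOps", "CORP\\jsmith"]

# Constructed sample: one permission per row.
PERMISSIONS_CSV = """entity,principal,role,propagate
Datacenter-A,CORP\\VM-Admins,Administrator,true
Hosts-Folder,CORP\\hostops,ReadOnly,true
vm-web01,corp\\JSmith,ReadOnly,false
vm-db01,CORP\\OldGroup,Administrator,false
"""


def audit_principals(permissions_csv, directory_names):
    """Classify each permission's principal against the directory.

    Returns a list of (entity, principal, status, directory_spelling) where
    status is 'ok', 'case-mismatch' or 'not-found'.
    """
    by_folded = {}
    for name in directory_names:
        by_folded.setdefault(name.casefold(), []).append(name)

    findings = []
    for row in csv.DictReader(io.StringIO(permissions_csv)):
        principal = row["principal"]
        candidates = by_folded.get(principal.casefold(), [])
        if principal in candidates:
            status, spelling = "ok", principal
        elif candidates:
            status, spelling = "case-mismatch", candidates[0]
        else:
            status, spelling = "not-found", None
        findings.append((row["entity"], principal, status, spelling))
    return findings


if __name__ == "__main__":
    for entity, principal, status, spelling in audit_principals(
            PERMISSIONS_CSV, DIRECTORY_NAMES):
        if status != "ok":
            hint = f" (directory has {spelling})" if spelling else ""
            print(f"{entity}: {principal} -> {status}{hint}")
```

Rows reported as `case-mismatch` are the ones to re-create with the directory's exact spelling; `not-found` rows name principals that are absent from the supplied directory list.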
Prerequisites
On the object whose permissions you want to modify, you must have a role that includes the
privilege.
Procedure
Change or Remove Permissions on an Inventory Object
After a user or group and role pair is set for an inventory object, you can change the role paired with the user or group or change the setting of the Propagate to children check box. You can also remove the permission setting.
Procedure
- Browse to the object in the vSphere Client object navigator.
- Click the Permissions tab.
- Click a row to select a permission.
| Task | Steps |
| --- | --- |
| Change permissions | 1. Click Edit. 2. Select a role for the user or group from the Role drop-down menu. 3. Toggle the Propagate to children check box to change permission inheritance. 4. Click OK. |
| Remove permissions | 1. Click Delete. 2. Click Remove. |
Change vCenter Server User Validation Settings
vCenter Server periodically validates its user and group lists against the users and groups in the user directory. It then removes users or groups that no longer exist in the domain. You can deactivate validation or change the interval between validations. If you have domains with thousands of users or groups, or if searches take a long time to complete, consider adjusting the search settings.
These settings apply to vCenter Single Sign-On identity sources, and not an external identity source, such as Active Directory, that might be associated with vCenter Server.
Procedure
- Browse to the vCenter Server system in the vSphere Client object navigator.
- Select Configure and click .
- Click Edit and select User directory.
- Change the values as needed and click Save.
| Option | Description |
| --- | --- |
| User directory timeout | Timeout interval, in seconds, for searching this vCenter Server installation. |
| Query limit | Toggle on to set a maximum number of users and groups that vCenter Server displays. |
| Query limit size | Maximum number of users and groups from the selected domain that vCenter Server displays in the Select Users or Groups dialog box. If you enter 0 (zero), all users and groups appear. |