vSphere's (vCenter Server & ESXi) authorization system includes several pre-canned Roles such as Read-Only, Administrator and Virtual Machine Administrator as an example. One of the roles that has intrigued me for awhile which is the "No access" role. This seems to be a really odd role to have, I mean what would you do with such a role if it does not have access to anything?
In a conversation I had last week with a fellow colleague, the "No access" role made its way into the conversation and I learned that there was a specific use case for this role, however it was unclear what that might have been. This go me interested and I decided to reach out to some folks to see if I can get to the bottom of this and the use case associated with it.
It turns out there are some customers who have some very interesting requirements in which they need to separate out users who have the Administrator role and prevent them from seeing and performing operations on specific vSphere Inventory objects. An example of this would be a vCenter Server with 4 vSphere Clusters where Admin1 can only see the first two Clusters and Admin2 can only see the last two Clusters and both users have the Administrator role.
To accomplish the above example, you can leverage the "No access" role in the following manner. As the "Uber" Administrator, you would assign both Admin1 and Admin2, lets call them Alan and Cormac the Administrator role at the vCenter Server level. This will grant them full access to the entire vSphere Inventory.
Now, to prevent Alan from seeing Cluster 3 & 4, we need to go into the Cluster object and add the "No access" role to both those objects. We do the same for Cormac but for Cluster 1 & 2. If we now login as the user Alan, we will see that only Cluster 1 & 2 are visisble.
If we login with the user Cormac, we can only see Cluster 3 & 4 as expected.
Although this may not be a common request in your environment, I can see some interesting use cases for having such a setup like on-boarding a new junior admin and wanting to provide them Administrative access to particular Clusters and removing the views for others they should not have access to.
I would like to thanks Rupam from our GSS organization for sharing the reasoning behind "No access" as well as a specific use case for the feature.
Alan and Cormac - those names ring a bell.
Fabrizio de Luca says
This is what we - as VCIs - teach every week to students during ICM, FT and WN courses... =))
Another use case is when you want to provide an external consultant with a vIPMI/vILO -like access to a single VM in case he/she messes up the VM networking connectivity.
In this scenario you grant him/her:
1. "No Access" role at the vCenter Server level (propagating the role to child objects).
2. "Read Only" role at the specific VM level.
Once logged in, the consultant will only see that specific VM and the "Read Only" role will let him/her access the VMRC in case of an emergency.
Sean Dilda says
I've used 'No Access' almost since day 1. There's a couple other use cases I've run across.
1) Assigning roles for automation programs. If a program is only supposed to act on a single cluster, why not hide the other clusters so that you can minimize the impact of potential programming glitches? Likewise, when test and prod are sharing a vCenter and they're keying off of inventory names, 'No Access' can make sure test can't see prod's resources (and vice versa) so you know they don't trample on each other
2) Its a good way to keep people from asking why they can't put VMs on the datastores labeled 'local' 🙂
Grant Orchard says
Hey William, also useful if you don't want objects to be managed by vCOps.
Hello, can you help me with this: https://communities.vmware.com/message/2508130#2508130 ?