WilliamLam.com


Quick Tip - How to disable viewing of vSphere Tags?

01.26.2022 by William Lam // 3 Comments

I just answered an interesting inquiry that came from our field on how to prevent users in vCenter Server from viewing vSphere Tags. The use case here is that the data contained in the vSphere Tags may not be something administrators want general users to be able to see, especially if they contain sensitive information. Hopefully folks are not using tags to store things like credentials or secrets.

If you navigate to the vSphere Roles, you will see a number of vSphere Tagging privileges, but there is nothing that covers the ability to remove read-only access.


One very important thing to understand about the authorization of vSphere Tags is that it is NOT controlled by the standard vSphere Permissions that you would assign in the vSphere Inventory. It is controlled via vSphere Global Permissions, which sit outside of the vSphere Inventory and also cover vSphere Content Library and other vCenter Servers.

If you wish to disable the ability to view vSphere Tags for a VM while still maintaining a basic read-only view of the VM, you need to ensure there is no Read Only role assignment for your user under Global Permissions. You can check by navigating in the vSphere UI to Administrator->Global Permissions. If the user that you are logging in with does not have a Read Only Global Permission, they will not see any of the vSphere Tagging information, nor vSphere Content Library, which is another side effect.

Categories // vSphere Tags // global permission, tag

Using PowerCLI and vSphere Tags to create/migrate HCX Mobility Groups to VMware Cloud SDDC

10.21.2020 by William Lam // 3 Comments

If using your voice to create an HCX Mobility Group and initiate a migration to a VMware Cloud SDDC is not your thing, here is a more practical example using PowerCLI, which includes HCX cmdlets that were introduced a while back.


Here are the 12 configurable variables that you will need to update based on your own environment.

$VC_SERVER="vcsa.vmware.corp"
$VC_USERNAME="*protected email*"
$VC_PASSWORD="VMware1!"
$HCX_SERVER="hcx.vmware.corp"

$VSPHERE_TAG_CATEGORY="Cloud"
$VSPHERE_TAG_NAME="VMC"

# vMotion, Bulk, Cold, RAV, OsAssistedMigration
$MIGRATION_TYPE="RAV"

$TARGET_NETWORK_NAME="L2E_HOL-10-f58e483b"
$TARGET_DATASTORE_NAME="WorkloadDatastore"
$TARGET_RESOURCE_POOL_NAME="Compute-ResourcePool"
$TARGET_VM_FOLDER_NAME="Workloads"

$MOBILITY_GROUP_NAME="VMworld-2020-Demo"


Categories // Automation, Azure VMware Solution, Google Cloud VMware Engine, Oracle Cloud VMware Solution, PowerCLI, VMware Cloud, VMware Cloud on AWS Tags // HCX, Mobility Group, PowerCLI, tag, VMware Cloud, VMware Cloud on AWS

Enhanced vCenter Server Audit Event & Logging in vSphere 6.7 Update 2

04.08.2019 by William Lam // 9 Comments

A couple of years back I had published a detailed analysis on vCenter Server's Authentication (AuthN) and Authorization (AuthZ) from an auditing and logging standpoint. This has been the go-to reference for many of our customers, and the posts also include a number of log samples which I have documented in the following GitHub repository.

In addition to serving as a reference for our customers, it has also helped our Product and Engineering teams understand where we still had some gaps and how we could improve the overall user experience. As hinted in the recently announced vSphere 6.7 Update 2 release, which will be available soon, there are a number of new auditing enhancements that have been made to both vCenter Server and the vCenter Single Sign-On (SSO) service that I think customers will really appreciate.

"Real" client IP address in Events

When you look at a login or logout Event in vCenter Server today, you may have noticed that the user's client IP Address is actually that of the vCenter Server rather than the actual remote client's address, and the reason for this is explained here. In vSphere 6.7 Update 2, the real client IP Address is now captured and included in all successful login/logout events and failed logins. This information enables administrators to easily identify unauthorized access and quickly track down the systems initiating the connections.

Categories // Automation, Security, vSphere Tags // audit, audit_events.log, event, global permission, sso, syslog, tag, vSphere 6.7 Update 2

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
