Most environments using VMware for server virtualization are going to also have Virtual Center Server installed for administration and monitoring. As a DBA, I always had access to Virtual Center with limited permissions. It is incredibly easy for VM administrators to provide read-only access to Virtual Center to non-administrators so that they can monitor the performance counters for their servers. In this post I’ll show how easy it is to configure permissions for Virtual Center, as a reference for DBAs to provide to VM administrators when requesting access.
Configuring Read-Only Access to Virtual Center
The VM administrator can provision accounts for access to vCenter in two ways: by creating named accounts with passwords in Virtual Center directly, or through Active Directory authentication. The Permissions tab on any object in Virtual Center allows an administrator to provision access as shown below.
Right-clicking inside the window and choosing Add Permission will open the Assign Permissions dialog shown below.
Here an account can be selected from the Virtual Center users or through Active Directory, and then permissions can be assigned to the user or group to allow access into Virtual Center. For simplicity, Virtual Center ships with a number of default roles that can be used to provide access with limited permissions.
The full definition of the default roles can be found on page 93 of the Datacenter Administrator Guide. While this guide is for vSphere 4.1, the same role configurations exist in the most recent version of Virtual Center Server. The two key roles for DBAs are Read Only and Virtual Machine User. As a DBA, I had Virtual Machine User access to all of my SQL Server VMs, which were grouped in a folder inside of Virtual Center to simplify permissions management.
Read Only
The Read Only role provides the bare minimum level of access to Virtual Center needed to monitor performance information and view configuration information for a VM. It grants the following access to Virtual Center:
- View the state and details about the object
- View all the tab panels in the vSphere Client except the Console tab
- Cannot perform any actions through the menus and toolbars
Virtual Machine User
The Virtual Machine User role includes everything the Read Only role grants, plus the following additional permissions in vCenter:
- Interact with a virtual machine’s console, insert media, and perform power operations
- Does not grant privileges to make virtual hardware changes to the virtual machine
- All privileges for the scheduled tasks privileges group
- Selected privileges for the global items and virtual machine privileges groups
- No privileges for the folder, datacenter, datastore, network, host, resource, alarms, sessions, performance, and permissions privileges groups
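The same grant can be scripted with VMware PowerCLI instead of the Assign Permissions dialog. This is an added example, not code from the original post; the vCenter name, the "SQL Servers" folder and the CONTOSO\SQL-DBAs group are placeholders, and the PowerCLI role names ReadOnly and VirtualMachineUser correspond to the GUI labels Read Only and Virtual Machine User.

```powershell
# Added example: grant a DBA group a built-in vCenter role on the folder that
# holds the SQL Server VMs, scoped to that folder rather than the whole inventory.
# vcenter.example.com, "SQL Servers" and CONTOSO\SQL-DBAs are placeholders.
Import-Module VMware.VimAutomation.Core

function Grant-SqlDbaVCenterAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VCenter,
        [Parameter(Mandatory)] [string] $FolderName,
        [Parameter(Mandatory)] [string] $Principal,   # AD group, e.g. 'CONTOSO\SQL-DBAs'
        # PowerCLI names for the GUI roles "Read Only" and "Virtual Machine User";
        # ReadOnly is the default so the least-privilege option is the easy one.
        [ValidateSet('ReadOnly', 'VirtualMachineUser')] [string] $RoleName = 'ReadOnly'
    )

    $null = Connect-VIServer -Server $VCenter
    try {
        # Scope to the VM folder and propagate, so SQL Server VMs added to the
        # folder later inherit the same access without a new grant.
        $folder = Get-Folder -Name $FolderName -Type VM
        $role   = Get-VIRole -Name $RoleName

        # Do not duplicate or silently widen a grant that already exists.
        $existing = Get-VIPermission -Entity $folder |
            Where-Object { $_.Principal -eq $Principal }
        if ($existing) {
            Write-Verbose "$Principal already holds '$($existing.Role)' on '$FolderName'"
            return $existing
        }

        New-VIPermission -Entity $folder -Principal $Principal -Role $role -Propagate $true
    }
    finally {
        Disconnect-VIServer -Server $VCenter -Confirm:$false
    }
}

# Example (placeholder values):
# Grant-SqlDbaVCenterAccess -VCenter vcenter.example.com -FolderName 'SQL Servers' `
#     -Principal 'CONTOSO\SQL-DBAs' -RoleName VirtualMachineUser -Verbose
```

Running `Get-VIPermission -Entity (Get-Folder 'SQL Servers' -Type VM)` afterwards gives the VM administrator a quick audit of who holds which role on the folder.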
As a DBA, I would push for Virtual Machine User permissions inside of Virtual Center, but I’d want Read Only access as the bare minimum. Configuring permissions is incredibly easy to do, and providing the ability to track performance and configuration information for VMs makes it easier to diagnose and track problems when they occur. In the past, having the ability to control the VM power has prevented after-hours calls to VM administrators. Additionally, having console access to the VM has allowed multiple team members to view the console remotely during troubleshooting rather than having to be in the office. The fact that these permissions prevent configuration changes should negate any arguments against providing access to DBAs.