---
title: Concepts - Role-based access control (RBAC)
description: Learn about the key capabilities of role-based access control for Azure VMware Solution
ms.topic: conceptual
ms.date: 06/30/2020
---
In a vCenter and ESXi on-premises deployment, the administrator has access to the vCenter administrator@vsphere.local account and may have additional Active Directory (AD) users/groups assigned. However, in an Azure VMware Solution deployment, the administrator doesn't have access to the administrator user account but can assign AD users and groups to the CloudAdmin role on vCenter. Also, the Azure VMware Solution private cloud user doesn't have permission to access or configure specific management components supported and managed by Microsoft, such as clusters, hosts, datastores, and distributed virtual switches.
In Azure VMware Solution, vCenter has a built-in local user called cloudadmin that is assigned to the built-in CloudAdmin role. The local cloudadmin user is used to set up additional users in AD. The CloudAdmin role, in general, has the privilege to create and manage workloads in your private cloud (virtual machines, resource pools, datastores, and networks). The CloudAdmin role in Azure VMware Solution has a specific set of vCenter privileges that differ from other VMware cloud solutions.
> [!NOTE]
> Azure VMware Solution currently does not offer custom roles on vCenter or the Azure VMware Solution portal.
You can view the privileges granted to the Azure VMware Solution CloudAdmin role on your Azure VMware Solution private cloud vCenter.
1. Log into the SDDC vSphere Client and go to Menu > Administration.
2. Under Access Control, select Roles.
3. From the list of roles, select CloudAdmin and then select Privileges.
:::image type="content" source="media/role-based-access-control-cloudadmin-privileges.png" alt-text="How to view the CloudAdmin role privileges in vSphere Client":::
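The same check can be scripted with VMware PowerCLI, which is also the practical way to do what the text describes: assign an AD group to the CloudAdmin role instead of using the administrator account. The following is an added example, not code from the Azure VMware Solution documentation; the vCenter address, the `cloudadmin@vsphere.local` sign-in name and the AD group name are placeholders you replace with your own.

```powershell
# Added example: audit and delegate the CloudAdmin role with VMware PowerCLI.
# Assumes the VMware.PowerCLI module is installed; $Server and $AdGroup are placeholders.
$Server  = 'vc.privatecloud.example'     # placeholder: your private cloud vCenter FQDN
$AdGroup = 'CONTOSO\avs-cloudadmins'     # placeholder: AD group that should hold CloudAdmin

# Sign in as the built-in local cloudadmin user (password is prompted, never hard-coded).
$cred = Get-Credential -UserName 'cloudadmin@vsphere.local' -Message 'cloudadmin password'
Connect-VIServer -Server $Server -Credential $cred | Out-Null

# 1. Dump the privileges granted to CloudAdmin, grouped by privilege category
#    (privilege IDs look like "Alarm.Acknowledge" or "VirtualMachine.Config.AddNewDisk"),
#    so the output can be diffed against the table on this page after a platform update.
$role = Get-VIRole -Name 'CloudAdmin'
$role.PrivilegeList | Sort-Object | Group-Object { ($_ -split '\.')[0] } |
    ForEach-Object { '{0,-22} {1}' -f $_.Name, ($_.Group -join ', ') }

# 2. List every principal that currently holds CloudAdmin and where the grant sits.
#    Any principal here that is not one of your approved AD groups warrants a review,
#    since CloudAdmin can create, reconfigure and clone workloads across the private cloud.
Get-VIPermission | Where-Object { $_.Role -eq $role.Name } |
    Select-Object Principal, IsGroup, Entity, Propagate | Format-Table -AutoSize

# 3. Grant CloudAdmin to the AD group at the root folder with propagation. Granting to a
#    group rather than to individual users keeps membership changes in AD, not in vCenter.
$root = Get-Folder -NoRecursion                # the top-level vCenter root folder
if (-not (Get-VIPermission -Entity $root -Principal $AdGroup -ErrorAction SilentlyContinue)) {
    New-VIPermission -Entity $root -Principal $AdGroup -Role $role -Propagate:$true
}

Disconnect-VIServer -Server $Server -Confirm:$false
```

Step 1 is worth keeping as a scheduled check: the documented privilege set is what Microsoft manages, so an unexpected addition or removal in the output is a signal to investigate before it affects your automation.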
The CloudAdmin role in Azure VMware Solution has the following privileges on vCenter. Refer to the VMware product documentation for a detailed explanation of each privilege.
Privilege | Description |
---|---|
Alarms | Acknowledge alarm<br>Create alarm<br>Disable alarm action<br>Modify alarm<br>Remove alarm<br>Set alarm status |
Permissions | Modify permissions |
Content Library | Add library item<br>Create a subscription for a published library<br>Create local library<br>Create subscribed library<br>Delete library item<br>Delete local library<br>Delete subscribed library<br>Delete subscription of a published library<br>Download files<br>Evict library items<br>Evict subscribed library<br>Import storage<br>Probe subscription information<br>Publish a library item to its subscribers<br>Publish a library to its subscribers<br>Read storage<br>Sync library item<br>Sync subscribed library<br>Type introspection<br>Update configuration settings<br>Update files<br>Update library<br>Update library item<br>Update local library<br>Update subscribed library<br>Update subscription of a published library<br>View configuration settings |
Cryptographic operations | Direct access |
Datastore | Allocate space<br>Browse datastore<br>Configure datastore<br>Low-level file operations<br>Remove files<br>Update virtual machine metadata |
Folder | Create folder<br>Delete folder<br>Move folder<br>Rename folder |
Global | Cancel task<br>Global tag<br>Health<br>Log event<br>Manage custom attributes<br>Service managers<br>Set custom attribute<br>System tag |
Host | **vSphere Replication**<br>Manage replication |
vSphere tagging | Assign and unassign vSphere tag<br>Create vSphere tag<br>Create vSphere tag category<br>Delete vSphere tag<br>Delete vSphere tag category<br>Edit vSphere tag<br>Edit vSphere tag category<br>Modify UsedBy field for category<br>Modify UsedBy field for tag |
Network | Assign network |
Resource | Apply recommendation<br>Assign vApp to resource pool<br>Assign virtual machine to resource pool<br>Create resource pool<br>Migrate powered off virtual machine<br>Migrate powered on virtual machine<br>Modify resource pool<br>Move resource pool<br>Query vMotion<br>Remove resource pool<br>Rename resource pool |
Scheduled task | Create task<br>Modify task<br>Remove task<br>Run task |
Sessions | Message<br>Validate session |
Profile | Profile driven storage view |
Storage view | View |
vApp | Add virtual machine<br>Assign resource pool<br>Assign vApp<br>Clone<br>Create<br>Delete<br>Export<br>Import<br>Move<br>Power off<br>Power on<br>Rename<br>Suspend<br>Unregister<br>View OVF environment<br>vApp application configuration<br>vApp instance configuration<br>vApp managedBy configuration<br>vApp resource configuration |
Virtual machine | **Change Configuration**<br>Acquire disk lease<br>Add existing disk<br>Add new disk<br>Add or remove device<br>Advanced configuration<br>Change CPU count<br>Change memory<br>Change settings<br>Change swapfile placement<br>Change resource<br>Configure host USB device<br>Configure raw device<br>Configure managedBy<br>Display connection settings<br>Extend virtual disk<br>Modify device settings<br>Query fault tolerance compatibility<br>Query unowned files<br>Reload from paths<br>Remove disk<br>Rename<br>Reset guest information<br>Set annotation<br>Toggle disk change tracking<br>Toggle fork parent<br>Upgrade virtual machine compatibility<br>**Edit inventory**<br>Create from existing<br>Create new<br>Move<br>Register<br>Remove<br>Unregister<br>**Guest operations**<br>Guest operation alias modification<br>Guest operation alias query<br>Guest operation modifications<br>Guest operation program execution<br>Guest operation queries<br>**Interaction**<br>Answer question<br>Back up operation on virtual machine<br>Configure CD media<br>Configure floppy media<br>Connect devices<br>Console interaction<br>Create screenshot<br>Defragment all disks<br>Drag and drop<br>Guest operating system management by VIX API<br>Inject USB HID scan codes<br>Install VMware tools<br>Pause or Unpause<br>Perform wipe or shrink operations<br>Power off<br>Power on<br>Record session on virtual machine<br>Replay session on virtual machine<br>Suspend<br>Suspend fault tolerance<br>Test failover<br>Test restart secondary VM<br>Turn off fault tolerance<br>Turn on fault tolerance<br>**Provisioning**<br>Allow disk access<br>Allow file access<br>Allow read-only disk access<br>Allow virtual machine download<br>Clone template<br>Clone virtual machine<br>Create template from virtual machine<br>Customize guest<br>Deploy template<br>Mark as template<br>Modify customization specification<br>Promote disks<br>Read customization specifications<br>**Service configuration**<br>Allow notifications<br>Allow polling of global event notifications<br>Manage service configuration<br>Modify service configuration<br>Query service configurations<br>Read service configuration<br>**Snapshot management**<br>Create snapshot<br>Remove snapshot<br>Rename snapshot<br>Revert snapshot<br>**vSphere Replication**<br>Configure replication<br>Manage replication<br>Monitor replication |
vService | Create dependency<br>Destroy dependency<br>Reconfigure dependency configuration<br>Update dependency |