Supervising Your Hypervisor


by Peter Petersen | 08.30.2012

How many supervisors would it take to supervise a hypervisor, if a hypervisor had a supervisor to supervise the hypervisor? Sounds like a bit of a tongue twister, right? But seriously, don’t you wish that you had a bit more control over who could do what in your ESXi environment? Odds are that you do.

One of the most overlooked items in virtualization, in my opinion, is the advanced control that an organization gains by adopting a virtualization solution such as VMware’s vSphere suite of software. Take the following scenario into consideration: a junior-level administrator has a brilliant idea to change the way the network operates to gain network efficiency and decides to introduce a new server into the environment. The server has a piece of software that promises to quicken the network performance ten-fold. Later on that day, the admin finds an old server lying around the server room, spins it up, joins it to the domain, installs the magic software and, in no time, your network comes to a screeching halt. Don’t you wish there was a way to stop this behavior in your environment?

In comes VMware vSphere Access Control! Access control is a component of the vCenter Server that I seldom, if ever, see organizations utilize. Access control lets you take control of your virtualization environment and delegate specific permissions to your internal IT department. Let’s say, for example, that you want your group of server administrators to be able to log on to the vCenter Server and create VMs. In this case you could create a role on vCenter and assign it to a non-privileged group of users whose only ability should be creating VMs. The high-level steps in this process would be as follows:

  • Create a non-privileged user group on the vCenter
  • Create a custom role on the vCenter named ‘Virtual Machine Creators’
  • Assign permissions on the vCenter Server inventory objects

After you follow those steps in depth, the end result would be as follows:

When a server administrator logs on to the vCenter Server, he is presented only with the ability to create new VMs in the environment, and that’s it. He cannot delete, vMotion, remove from inventory, or perform any other action in vCenter. Now you can delegate those permissions out to a group of administrators that you trust to create servers in the environment only after the OK has been given by the IT director.
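The three steps above can also be scripted with VMware PowerCLI. The following is an added example, not part of the original post: the server, group and datacenter names are placeholders, the group is assumed to exist already, and the privilege list is one reasonable minimum for creating a VM rather than a set the post specifies. The final check reports any privilege on the role beyond that list, which is how you would notice the role being widened later.

```powershell
# Added example (assumed names; the group must already exist).
$vCenter    = 'vcenter.example.local'      # placeholder vCenter Server
$group      = 'EXAMPLE\VM-Creators'        # placeholder non-privileged group
$roleName   = 'Virtual Machine Creators'   # role name used in the post
$datacenter = 'Datacenter01'               # placeholder inventory object

# Assumed minimum set of privileges for creating a new VM:
# create in inventory, add its disk, place it in a resource pool,
# allocate datastore space, and attach it to a network.
$privilegeIds = @(
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Config.AddNewDisk',
    'Resource.AssignVMToPool',
    'Datastore.AllocateSpace',
    'Network.Assign'
)

Connect-VIServer -Server $vCenter | Out-Null

# Create the custom role only if it does not exist yet.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id $privilegeIds)
}

# Assign the role to the group on the inventory object, propagating to children.
$entity   = Get-Datacenter -Name $datacenter
$existing = Get-VIPermission -Entity $entity |
    Where-Object { $_.Principal -eq $group -and $_.Role -eq $roleName }
if (-not $existing) {
    New-VIPermission -Entity $entity -Principal $group -Role $role -Propagate:$true | Out-Null
}

# Check: every role carries the built-in System.* privileges; anything else
# outside the list above means the role grants more than VM creation.
$extra = (Get-VIRole -Name $roleName).PrivilegeList |
    Where-Object { $_ -notin $privilegeIds -and $_ -notlike 'System.*' }
if ($extra) {
    Write-Warning "Role '$roleName' has unexpected privileges: $($extra -join ', ')"
} else {
    Write-Output "Role '$roleName' is limited to VM creation privileges."
}

# Review what else this group holds anywhere in the inventory.
Get-VIPermission | Where-Object { $_.Principal -eq $group } |
    Select-Object Entity, Role, Propagate
```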