Introduction
We have seen in the last two articles how to join an ESXi host to Active Directory and how to configure AD authentication on the vCenter application as well as VCSA.
But all of these configurations are useless until we configure RBAC, so that domain users are able to access and manage the vSphere environment [ESXi host and vCenter].
In this article we will see how to configure RBAC and also test whether domain users are able to manage the vSphere environment.
VMware RBAC
VMware role-based access control (RBAC) enables Active Directory domain administrators to access and manage the vSphere environment [ESXi and vCenter].
To implement role-based access control, system and organization administrators associate (or revoke) privileges, permissions, and roles with (or from) user login accounts.
RBAC is a security mechanism that can greatly lower the cost and complexity of shared vCenter Server security administration.
RBAC simplifies security operations by using roles, hierarchies, and constraints to organize privileges.
vCenter Server offers flexible role-based access control to define the roles and privileges for different administrators within the vCenter Server environment.
Roles and privileges in the vCenter Server system can easily be modified and new roles quickly created.
Network Diagram
Please have a look at the network diagram above.
We have the Active Directory domain pioneers.lab with the following users:
- Built-in account Administrator@pioneers.lab
- Custom account Ali@pioneers.lab
- Custom account Lara@pioneers.lab
- Custom account Sami@pioneers.lab
We also have 3 ESXi servers:
- ESXI151 with Built-in Account Root@ESXI151
- ESXI152 with Built-in Account Root@ESXI152
- ESXI153 with Built-in Account Root@ESXI153
There is also 1 VCSA server with the following users:
- Built-in Account Root@VCSA161 to manage VCSA as operating system
- Built-in account Administrator@vSphere.lab to manage vCenter application
We will configure AD users to access and manage the ESXi hosts and VCSA.
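As a sketch of how privileges, roles and permissions fit together in this lab, the following PowerCLI script is an added example, not part of the original article. It assumes VMware PowerCLI is installed, that PIONEERS is the NetBIOS name of pioneers.lab, and that the role name and the user-to-role mapping (which the article does not specify) are hypothetical.

```powershell
# Added example. Assumptions: PowerCLI is installed, VCSA161 resolves,
# PIONEERS is the NetBIOS name of pioneers.lab. The role name and the
# user-to-role mapping below are hypothetical.
Import-Module VMware.PowerCLI

$vc = Connect-VIServer -Server 'VCSA161' -Credential (Get-Credential)

# 1. Privileges: the smallest set a VM operator needs.
$privIds = @(
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.ConsoleInteract'
)
$privs = Get-VIPrivilege -Server $vc -Id $privIds

# 2. Role: a named bundle of privileges. Reuse it if it already exists.
$roleName = 'Lab-VM-Operator'
$role = Get-VIRole -Server $vc -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Server $vc -Name $roleName -Privilege $privs
}

# 3. Permission: principal + role + inventory object.
#    The root folder with propagation covers the whole inventory.
$root = Get-Folder -Server $vc -NoRecursion
$assignments = @{
    'PIONEERS\Ali'  = $roleName   # operator: power and console only
    'PIONEERS\Lara' = 'ReadOnly'  # built-in read-only role
}
foreach ($entry in $assignments.GetEnumerator()) {
    $r = Get-VIRole -Server $vc -Name $entry.Value
    New-VIPermission -Server $vc -Entity $root -Principal $entry.Key `
        -Role $r -Propagate $true | Out-Null
}

# 4. Review: list what is granted at the root, then flag every principal
#    holding the built-in Admin role so full-control grants stay visible.
$perms = Get-VIPermission -Server $vc -Entity $root
$perms | Select-Object Principal, Role, Propagate, IsGroup | Format-Table
$perms | Where-Object { $_.Role -eq 'Admin' } |
    Select-Object Principal, IsGroup

Disconnect-VIServer -Server $vc -Confirm:$false
```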
Conclusion
In this article, RBAC Part I, we got an overview of vSphere RBAC.
In the next articles, we will see how to allow Active Directory users to configure an ESXi host.
Then we will see how to grant AD users the ability to manage the vCenter application rather than using the account administrator@vSphere.local.