{"id":1366,"date":"2015-06-15T21:07:20","date_gmt":"2015-06-15T20:07:20","guid":{"rendered":"http:\/\/www.tekhead.org\/blog\/?p=1366"},"modified":"2015-06-18T09:29:55","modified_gmt":"2015-06-18T08:29:55","slug":"assigning-vcenter-permissions-for-drs-affinity-rules","status":"publish","type":"post","link":"https:\/\/tekhead.it\/blog\/2015\/06\/assigning-vcenter-permissions-for-drs-affinity-rules\/","title":{"rendered":"Assigning vCenter Permissions and Roles for DRS Affinity Rules"},"content":{"rendered":"<p>Today I was looking at a permissions\u00a0element for a solution. The requirement was to provide a\u00a0customer with sufficient permissions to be able to configure host and virtual machine affinity \/ anti-affinity groups in the vCentre console themselves, without providing any more permissions than absolutely necessary.<\/p>\n<p>After spending some time trawling through vCentre roles and permissions, I couldn\u2019t immediately find the appropriate setting; certainly nothing specifically relating to DRS permissions. A bit of Googling and Twittering also yielded nothing concrete. I finally found that the key permission required to be able to allow users to create and modify affinity groups is the \u201cHost \\ Inventory \\ Modify Cluster\u201d privilege. Unfortunately the use of this permission is a bit like using a sledgehammer to crack a nut!<\/p>\n<p><a href=\"http:\/\/www.tekhead.org\/wp-uploads\/www.tekhead.org\/2015\/06\/roles.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1370\" src=\"http:\/\/www.tekhead.org\/wp-uploads\/www.tekhead.org\/2015\/06\/roles.png\" alt=\"roles\" width=\"279\" height=\"261\" srcset=\"https:\/\/tekhead.it\/wp-uploads\/www.tekhead.org\/2015\/06\/roles.png 279w, https:\/\/tekhead.it\/wp-uploads\/www.tekhead.org\/2015\/06\/roles-150x140.png 150w, https:\/\/tekhead.it\/wp-uploads\/www.tekhead.org\/2015\/06\/roles-50x47.png 50w\" sizes=\"auto, (max-width: 279px) 100vw, 279px\" \/><\/a><\/p>\n<p>By providing the Modify Cluster permission, this will also provide sufficient permissions to be able to enable, Configure and disable HA, modify EVC settings, and change pretty much anything you like within DRS. all of these settings are relatively safe to modify without risking uptime (though they do present some risk in the event of unexpected downtime); what is a far more concerning is that these permissions and allow you to enable, configure and disable DPM! It doesn\u2019t take a great deal of imagination to come up with scenario where for example a junior administrator accidentally enables DPM on your cluster, a large percentage of your estate unexpectedly shuts down overnight without the appropriate config\u00a0to boot back up, and all hell breaks loose at 9am!<\/p>\n<p>The next question then becomes, how do you ensure that this scenario is at least partly mitigated? Well it turns out that DPM can be controlled via vCenter Scheduled Tasks. Based on that, the potential workaround for this solution is to enable the Modify Cluster privilege for your users in question, then set a scheduled task to auto-disable DPM on a regular basis (such as hourly). This should at least minimise any risk, without necessarily eradicating it. Not ideal, but it would work. I&#8217;m not convinced as to whether this would be such a\u00a0great idea\u00a0for use on a critical production system. Certainly a bit of key training before letting anyone loose in vCenter, even with &#8220;limited&#8221; permissions, is always a good idea!<\/p>\n<p>I have tested this in my homelab on vSphere 5.5 and it seems to work pretty well. I don&#8217;t have vSphere 6 set up in my homelab at the moment, so can&#8217;t\u00a0confirm if the same configuration options are available, however it seems likely. I&#8217;ll test this again once I have upgraded my\u00a0lab.<\/p>\n<p>It would be great to see VMware provide more granular permissions in this area, as even basic affinity rules such as VM-VM anti-affinity are absolutely critical in many application solutions to ensure resilience and availability of services such as Active Directory, Exchange, web services, etc. To allow VM administrators achieve this, it should not be necessary to start handing out sledgehammers to all and sundry! \ud83d\ude42<\/p>\n<p>If anyone has any other suggested solutions or workarounds to this, I would be very interested to hear them? Fire me a message via <a href=\"http:\/\/www.twitter.com\/alexgalbraith\" target=\"_blank\">Twitter<\/a>, and I will happily update this post with any other suggested alternatives. Unfortunately due to inundation with spam, I removed the ability to post comments from my site back in 2014. <em><em>sigh<\/em><\/em><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today I was looking at a permissions\u00a0element for a solution. The requirement was to provide a\u00a0customer with sufficient permissions to be able to configure host and virtual machine [..]<\/p>\n","protected":false},"author":1,"featured_media":1371,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"","_yoast_wpseo_title":"","_yoast_wpseo_metadesc":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"New Blog Post: Assigning #vCenter Permissions for #DRS Affinity Rules #VMware #vExpert","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[41],"tags":[324,522,523,517,518,181,520,521,519,540,88],"class_list":["post-1366","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vmware","tag-5-5","tag-affinity","tag-cluster","tag-drs","tag-ha","tag-homelab","tag-permissions","tag-privileges","tag-roles","tag-vmware","tag-vsphere"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/tekhead.it\/wp-uploads\/www.tekhead.org\/2015\/06\/drs-e1434398175563.jpg","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2l3lU-m2","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/tekhead.it\/blog\/wp-json\/wp\/v2\/posts\/1366","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tekhead.it\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tekhead.it\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tekhead.it\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tekhead.it\/blog\/wp-json\/wp\/v2\/comments?post=1366"}],"version-history":[{"count":2,"href":"https:\/\/tekhead.it\/blog\/wp-json\/wp\/v2\/posts\/1366\/revisions"}],"predecessor-version":[{"id":1368,"href":"https:\/\/tekhead.it\/blog\/wp-json\/wp\/v2\/posts\/1366\/revisions\/1368"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tekhead.it\/blog\/wp-json\/wp\/v2\/media\/1371"}],"wp:attachment":[{"href":"https:\/\/tekhead.it\/blog\/wp-json\/wp\/v2\/media?parent=1366"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tekhead.it\/blog\/wp-json\/wp\/v2\/categories?post=1366"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tekhead.it\/blog\/wp-json\/wp\/v2\/tags?post=1366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}