Why would you like to improve the vCenter administrator experience with roles and permissions in VMC on AWS?
Improving the vCenter experience with roles and permissions in VMC on AWS is worth the investment, because the default administration experience can be slightly confusing.
The confusion comes from the default roles and permissions model of the cloudadmin user, which is more locked down than an on-prem administrator.
In vCenter there are objects that VMC on AWS admins using the cloudadmin credentials can select but do not have permission to consume for workloads. From a roles and permissions perspective this is inconsistent with what admins are used to in the on-premises world.
Examples of the challenge in vCenter
For example, you cannot use the vsanDatastore, which is reserved for internal VMware use such as the management appliances. The same applies to the ds01 datastore, the external NFS storage that VCDR (VMware Cloud Disaster Recovery) uses: vCenter does not allow direct VM provisioning on it.

If you select it while deploying a new VM, you will see the following error message.

Another example is the Mgmt-ResourcePool used for the internal management appliances in VMC, such as vCenter, NSX, HCX, etc.

When choosing it accidentally while deploying a new VM, you will receive the following error.

Those are familiar sources of frustration for new VMC on AWS users.
The good news is that administrators can quickly fix it with vCenter roles and permissions.
Resolving vCenter challenges with permissions
By default, the VMC on AWS vCenter has no external identity source, and only the cloudadmin user is available. If you need help setting up an external identity source, look at my previous blog post, VMC on AWS vCenter Authentication using AWS Directory Service.
First, assign the CloudAdmin role to the groups and users from your external identity source so that they can view vCenter and perform administrative operations.

Then go to the objects in your datacenter hierarchy and add the Read-only role for your user or group.

Afterward, the vsanDatastore and the management resource pool will disappear from view, making the admin experience much smoother.
But wait, there's more
There are additional objects that are not actionable and may introduce confusion.
To take this further, you can also remove those objects from view.
These include the HCX mule host, the witness host (an EC2 instance) of a two-host cluster, and, in a VCDR SDDC, the cloudDR-Proxy-ResourcePool and the ds01 external NFS datastore.
To hide them, select the specific object and assign the No access role to your user or group on it.


Rinse and repeat on any other object that makes no sense for workload use, such as the HCX mule host and the two-host cluster witness.
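As an added example that is not part of the original post, here is the same procedure (CloudAdmin at the inventory root, Read-only on the management objects, No access on the remaining non-actionable objects, then a check of what the group ended up with) as a PowerCLI script. The vCenter FQDN, the identity-source group CORP\vmc-admins and the HCX mule and witness host names are assumptions you replace for your SDDC; Mgmt-ResourcePool, vsanDatastore, ds01 and cloudDR-Proxy-ResourcePool are the object names the post mentions. It also assumes the account you log in with can modify permissions on those objects, as the UI steps above require.

```powershell
# Added example, not the author's code: PowerCLI version of the manual steps above.
# Assumptions (replace for your SDDC): the vCenter FQDN, the identity-source group
# "CORP\vmc-admins", and the host names of the HCX mule and witness hosts.
param(
    [string]$VCenter     = "vcenter.sddc-1-2-3-4.vmwarevmc.com",              # assumption
    [string]$Principal   = "CORP\vmc-admins",                                  # assumption
    [string[]]$HiddenHosts = @("hcx-mule-host.example", "witness-host.example") # assumption
)

Import-Module VMware.PowerCLI -ErrorAction Stop
# Log in as cloudadmin@vmc.local; prompt for the password rather than hard-coding it.
Connect-VIServer -Server $VCenter -Credential (Get-Credential -Message "cloudadmin@vmc.local") | Out-Null

# Role objects: "CloudAdmin" is the VMC role, "ReadOnly" and "NoAccess" are vSphere built-ins.
$cloudAdmin = Get-VIRole -Name "CloudAdmin"
$readOnly   = Get-VIRole -Name "ReadOnly"
$noAccess   = Get-VIRole -Name "NoAccess"

function Set-Override {
    # Assign $Role to the group on one object WITHOUT propagation, so the override stays
    # local to that object instead of locking or hiding everything underneath it.
    param($Entity, $Role)
    New-VIPermission -Entity $Entity -Principal $Principal -Role $Role -Propagate $false | Out-Null
    Write-Output ("{0,-10} -> {1}" -f $Role.Name, $Entity.Name)
}

# Step 1: CloudAdmin at the inventory root, propagating, so the group can administer workloads.
$root = Get-Folder -NoRecursion
New-VIPermission -Entity $root -Principal $Principal -Role $cloudAdmin -Propagate $true | Out-Null

# Step 2: Read-only on the two management objects. A permission set directly on a child
# object overrides the one propagated from the root, which is what makes this work.
Set-Override -Entity (Get-ResourcePool -Name "Mgmt-ResourcePool") -Role $readOnly
Set-Override -Entity (Get-Datastore    -Name "vsanDatastore")     -Role $readOnly

# Step 3: No access on objects that are never valid workload targets. The VCDR objects exist
# only in a VCDR-enabled SDDC, so look everything up tolerantly and skip whatever is absent.
$noAccessTargets = @()
$noAccessTargets += Get-Datastore    -Name "ds01"                       -ErrorAction SilentlyContinue
$noAccessTargets += Get-ResourcePool -Name "cloudDR-Proxy-ResourcePool" -ErrorAction SilentlyContinue
foreach ($h in $HiddenHosts) {
    $noAccessTargets += Get-VMHost -Name $h -ErrorAction SilentlyContinue
}
foreach ($obj in ($noAccessTargets | Where-Object { $_ })) {
    Set-Override -Entity $obj -Role $noAccess
}

# Check: list every permission the group now holds, so you can confirm each override landed
# on exactly the object intended (and only the root entry propagates) before handing it over.
Get-VIPermission -Principal $Principal |
    Sort-Object Entity |
    Format-Table -AutoSize Entity, Role, Propagate

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

The final listing is the check worth keeping: because a permission placed on a child object wins over the one inherited from the root, a single accidental `-Propagate $true` on a datastore or resource pool would hide or lock a whole subtree for the group. The script only changes what the named group sees; the permissions of the built-in cloudadmin user itself are untouched.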
The vCenter end result
The result is a friendly, locked-down version of vCenter that does not let the administrator choose a wrong option.


Screenshots of how it looks now when creating a VM


Conclusion
To summarize, you can fine-tune the administrative user experience with vCenter roles and permissions in VMC on AWS.
I hope you have found this helpful. Feel free to leave a comment or DM me on LinkedIn or Twitter.
VMware vCenter roles and permissions documentation