SDDC Business Roles and Permissions

vCenter Roles and Permissions

To implement the separation of customer and Rackspace duties in SDDC Business, Rackspace uses built-in and custom roles in the vCenter Server. Rackspace assigns you a maximum permission role (customer role) and any lesser privileged roles that you request for specific users or groups.

Customers have permissions to create, delete, and manage VMs within their private cloud. Rackspace manages and maintains the ESXi hosts, the vCenter Server, Jump and SVS servers, and additional management VMs as required by the SDDC Business solution. Customers therefore have limited permissions on hosts and management servers.

Specific resource pools and folders are created to house customer created VMs and ensure separation from management VMs. In support of this separation, customers are granted permissions to create, delete, and manage VMs in the Compute-ResourcePool resource pool and in the Workloads and Templates virtual machine folders.

If required for organisational or resource management purposes, customers can create new resource pools below the Compute-ResourcePool and new folders below the Workloads and Templates VM folders.

The following permission sets are predefined in the vCenter Server:

  • Customer Access
  • VM Power User
  • VM User
  • Read Only

The Customer Access permission set is the product of permissions applied through two sets of roles: a lower permission set is enforced at the root of the inventory tree, and a higher permission set is applied at the resource pool level of the inventory tree.

The following table shows which vCenter Server permissions are available to each role.

| Permission | Customer Access | VM Power User | VM User | Read Only |
|---|---|---|---|---|
| Alarms | Full Access | No Access | No Access | No Access |
| Datastores | Limited Access | Limited Access | No Access | No Access |
| Network | Limited Access | No Access | No Access | No Access |
| Performance | Full Access | No Access | No Access | No Access |
| Resource | Full Access | No Access | No Access | No Access |
| ScheduledTask | Full Access | Full Access | Full Access | No Access |
| Tasks | Full Access | Full Access | Full Access | No Access |
| vApp | Full Access | Full Access | No Access | No Access |
| Virtual Machine | Full Access | Full Access | Limited Access | No Access |
| Datacenter | Limited Access | Full Access | Limited Access | No Access |
| Global | Limited Access | Limited Access | Limited Access | No Access |
| Host | Limited Access | No Access | No Access | No Access |
| Sessions | Limited Access | No Access | No Access | No Access |
| Storage Views | Limited Access | No Access | No Access | No Access |
| Datastore cluster | Full Access | No Access | No Access | No Access |
| Distributed virtual switch | No Access | No Access | No Access | No Access |
| Distributed virtual port group | No Access | No Access | No Access | No Access |
| ESX agent manager | No Access | No Access | No Access | No Access |
| Extension | No Access | No Access | No Access | No Access |
| vCenter inventory service | No Access | No Access | No Access | No Access |
| vSphere update manager | No Access | No Access | No Access | No Access |
| VRM policy | No Access | No Access | No Access | No Access |
| vService | No Access | No Access | No Access | No Access |
| vSphere Tagging | Full Access | No Access | No Access | No Access |
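The separation described above (a maximum customer role, with higher rights only on Compute-ResourcePool and the Workloads and Templates folders) can be audited from PowerCLI. The script below is an added example, not Rackspace tooling; it assumes the customer's maximum role is literally named "Customer Access", that customer principals carry an assumed "CUSTOMER" domain prefix, and uses a placeholder vCenter address.

```powershell
# Added audit example (not Rackspace's own tooling). Assumes VMware PowerCLI is installed,
# that a vCenter role named after the customer's maximum permission set exists, and that
# customer principals appear as "CUSTOMER\user" or "CUSTOMER\group". Adjust to your environment.
param(
    [string]$VCenter        = "vcenter.example.invalid",  # placeholder address
    [string]$CustomerDomain = "CUSTOMER",                 # assumed principal domain prefix
    [string]$MaxRoleName    = "Customer Access"           # assumed name of the maximum customer role
)

Connect-VIServer -Server $VCenter | Out-Null

# Privileges granted by the customer's maximum role: no role a customer holds may exceed this set.
$maxPrivs = (Get-VIRole -Name $MaxRoleName).PrivilegeList

# Inventory objects where customer permissions are expected: the root (lower set) and the
# resource pool / VM folders (higher set), as described in the text above.
$scopes = @(
    (Get-Folder -NoRecursion),
    (Get-ResourcePool -Name "Compute-ResourcePool"),
    (Get-Folder -Name "Workloads" -Type VM),
    (Get-Folder -Name "Templates" -Type VM)
)

$findings = foreach ($scope in $scopes) {
    foreach ($perm in Get-VIPermission -Entity $scope) {
        # Only customer principals are of interest; Rackspace's own management roles are out of scope.
        if ($perm.Principal -notlike "$CustomerDomain\*") { continue }
        $privs  = (Get-VIRole -Name $perm.Role).PrivilegeList
        $excess = $privs | Where-Object { $_ -notin $maxPrivs }
        [pscustomobject]@{
            Entity           = $scope.Name
            Principal        = $perm.Principal
            Role             = $perm.Role
            Propagate        = $perm.Propagate
            ExcessPrivileges = ($excess -join ", ")
        }
    }
}

# A non-empty ExcessPrivileges column means a "lesser" role actually grants more than the maximum.
$findings | Sort-Object Entity, Principal | Format-Table -AutoSize
$findings | Where-Object { $_.ExcessPrivileges } | ForEach-Object {
    Write-Warning "$($_.Principal) holds '$($_.Role)' on $($_.Entity) beyond '$MaxRoleName': $($_.ExcessPrivileges)"
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it with an account that can read permissions on the root folder; a clean result lists only roles whose privileges are a subset of the maximum role.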

Authentication Methods

SDDC Business customers have two choices for vCenter authentication:

  • Rackspace-provided Active Directory service
  • Customer-provided Active Directory service

By default, the Rackspace-provided Active Directory service is added to every SDDC Business environment at build time. This allows our support staff to assist customers and to carry out day-two operations.

To check the current authentication sources, open the vSphere Client menu and click Administration.

Then click Configuration.

To add your Active Directory as an identity source, raise a request with our support team. The following information is required:

| Configuration Item | Description |
|---|---|
| Name | Label for identification |
| Base DN for users | The Distinguished Name (DN) of the starting point for directory server searches. |
| Base distinguished name for Groups | The Distinguished Name (DN) of the starting point for directory server searches. |
| Domain Name | Your domain name. Example: “domain.local” |
| Domain Alias | Your NetBIOS name. Example: “Domain” |
| Username | Domain user with at least browse privileges. Example: “[email protected]” |
| Primary Server URL | ldap://ipaddress:3268 |
| Secondary Server URL (Optional) | ldap://ipaddress:3268 |