VCP-IaaS Study Notes: Section 3.1

This is Section 3.1 in the VCP-IaaS blueprint Guide 1.2. The rest of the (completed) sections can be found here.

Identify vCenter Chargeback permissions

  • vCenter Chargeback Manager provides five different permissions: create, read, update, delete, and entity cost modify. These can be set on a role for the different resource types.

Identify Resource types

  • vCenter Chargeback Manager defines various resource types and authorizes access to a resource on the basis of the role assigned to a user.

Identify Resources that cannot be manually assigned permissions

  • You can assign permissions on a resource type to a user only through a role. However, you cannot assign permissions for the following resource types:
    • Data Collector
    • LDAP Server
    • SMTP Server
    • vCenter Server Entity
    • Attribute
    • Role
  • The application automatically handles permissions for these resource types. Also, you cannot assign the create, update, and delete permissions for the VMware vCenter Server resource type during custom role creation.
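
The restrictions above can be checked before a custom role is created. The following is an added example, not VMware code and not part of the original notes: it models the rules from these notes in plain Python and calls no Chargeback API. The function name, the dictionary format and the sample role are assumptions made for illustration.

```python
# Added example: a pre-creation review check for a proposed custom role.
# It models only the rules stated in these notes.

PERMISSIONS = {"create", "read", "update", "delete", "entity cost modify"}

# Resource types whose permissions the application handles automatically.
AUTO_MANAGED = {
    "data collector", "ldap server", "smtp server",
    "vcenter server entity", "attribute", "role",
}

# Permissions that cannot be assigned on this resource type in a custom role.
VCENTER_SERVER = "vmware vcenter server"
VCENTER_BLOCKED = {"create", "update", "delete"}


def _norm(name):
    """Lower-case and collapse whitespace so 'SMTP  Server' matches."""
    return " ".join(name.lower().split())


def lint_custom_role(grants):
    """Return findings for a role given as {resource type: [permissions]}."""
    findings = []
    for resource, perms in grants.items():
        wanted = {_norm(p) for p in perms}
        for p in sorted(wanted - PERMISSIONS):
            findings.append(f"{resource}: unknown permission '{p}'")
        wanted &= PERMISSIONS
        if _norm(resource) in AUTO_MANAGED and wanted:
            findings.append(
                f"{resource}: handled by the application; remove {sorted(wanted)}")
        elif _norm(resource) == VCENTER_SERVER:
            for p in sorted(wanted & VCENTER_BLOCKED):
                findings.append(
                    f"{resource}: '{p}' cannot be assigned in a custom role")
    return findings


# Constructed sample role, for illustration only.
SAMPLE_ROLE = {
    "Report": ["read"],
    "Cost Model": ["read", "update"],
    "SMTP Server": ["read"],
    "VMware vCenter Server": ["read", "delete"],
    "Fixed Cost": ["Read", "approve"],
}

if __name__ == "__main__":
    for finding in lint_custom_role(SAMPLE_ROLE):
        print(finding)
```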

Identify default vCenter Chargeback roles

  • vCenter Chargeback Manager provides various predefined roles that can be assigned to the application users. The predefined roles are Super User, Administrator, Hierarchy Manager, Report Generator, vCenter Guest User, No Access, Dependent Resource Update, and Dependent Resource Read.
    • Super User
      • Has every available permission on the resource types.
    • Administrator
      • Has read access on data collectors and no access to SMTP servers. Otherwise the same as Super User.
    • Hierarchy Manager
      • Read access on vCenters; no access on Data Collector, LDAP, SMTP, Attribute, Tier, and Role. Everything else is allowed.
    • Report Generator
      • Has read access on Chargeback Hierarchy and Hierarchical Entity. No access to vCenter, Data Collector, LDAP, SMTP, Attribute, Tier, and Role. Access to everything else.
    • vCenter Guest User
      • Read access for vCenter, Chargeback Hierarchy, and Hierarchical Entity.
    • No Access
      • No permissions; can only be assigned on the Chargeback Hierarchical Entity resource type.
    • Dependent Resource Update
      • Create, Read, Update – Fixed Cost
      • Read, Update – Report
      • Read, Update – Schedule
      • Read, Update – Billing Policy
    • Dependent Resource Read
      • Read – Fixed Cost
      • Read – Report
      • Read – Schedule
      • Read – Billing Policy

Create/Modify/Delete a role

  • Create
    • In the Users & Roles tab, click Roles.
      • A table listing all the roles defined in the application is displayed.
    • Click Create.
      • The Create Role screen is displayed.
    • Enter a name and description for the role.
    • Select the required permissions for the available resource types.
    • Click Create.
  • Modify
    • In the Users & Roles tab, click Roles.
      • A table listing all the roles defined in the application is displayed.
    • Select the role that you want to modify, and click Edit.
      • The Edit Role screen is displayed.
    • Modify the required information.
      • You can modify the name and description of the role and also the set of permissions assigned to the role.
    • Click Save.
  • Delete
    • In the Users & Roles tab, click Roles.
      • A table listing all the roles defined in the application is displayed.
    • Select the role that you want to delete, and click Delete.
      • A dialog box confirming the action is displayed.
    • Click OK.

Determine when a new role should be created

  • When the default roles don’t have the correct permission/resource combination.

Associate a role to a user

  • When you create a user, no roles or permissions are assigned to it by default.
  • You can assign only a single role to a user on vCenter Chargeback Manager. If the user already has a role assigned, that role is removed and the new role is set on the user.
    • In the Users & Roles tab, click Permissions.
      • A page listing the users is displayed. For each user it shows the type, whether the user has the Super User role or the Administrator role, the vCenter Server name if the user is a vCenter Server user, and the IP address of the LDAP server if the user is an LDAP user or group. The page also provides an option to select a resource type.
    • Select the user from the table listing the users.
      • If any role has already been assigned to the user on vCenter Chargeback Manager, it is displayed under Currently Assigned Role.
    • Select the required role from the menu under Set/Reset Role.
      • Ensure that you do not select any resource on the left-side pane.
      • NOTE: You cannot assign the Super User role on an LDAP user or group.
    • Click Apply.
  • A user can access a resource created in the application only if he has created it or has privileges to access it. A user can be given privileges to access a resource by assigning a role to him for the required resource.
  • When you assign a role to a user for a resource, vCenter Chargeback Manager automatically assigns either the Dependent Resource Update role or the Dependent Resource Read role to the user for the dependent resources.

  • For example, if you assign a role with only read permission to a user on a cost model that you have created, then the user automatically gets read permission on the fixed costs defined in the cost model.

Troubleshoot common permission issues

  • User doesn’t have access to something he thinks he is supposed to have access to – Check permission and modify if needed.
