Just like with any network operating system, to securely setup VMware ESX, you need to understand how to configure users, groups, and roles. In this article, you will find out how.
Keep in mind that VMware ESX is a modified version of Red Hat Enterprise Linux. Thus, ESX has Linux users and group. If you understand the basics of Linux users and groups, you have a jumpstart on understanding ESX users and groups.
By default, ESX has 22 different users and 31 groups. Wow! That’s amazing! All of these are used by the system. The single account that you will be most common with is the root account. When you installed ESX, you set the password for this account. Common user accounts are shown in the picture below:
With VMware ESX Server, you have 4 Roles, by default. These Roles can be configured in the Admin Section. Besides the Roles section, you also have a Permissions tab and Users & Group tab. The Users & Groups tab is where you add & remove Local users and groups. The Permissions tab is where you grant those users and groups access to certain Roles in VMware ESX.
On the Users & Groups tab, each user account has a UID number (used to uniquely identify the user) and a common name (as you can see by the graphic above). If you double-click on the user, you will see this:
This is where you edit the user account. You can edit the username, edit the UID, change the password, grant shell access, or edit group membership. If you right-click in the white space, you can choose to Add a new user, like this:
At that point, you will be back at the same ‘edit’ screen you saw above but you will have to fill in the blank fields. Adding group membership is as simple as adding a group to the bottom of the ‘edit user’ window. If you want the user to be an administrator-equivalent user, all you have to do is add them to the group called ‘root’. Administering groups is virtually identical to administering users so I won’t go into detail on that.
Up until this point, we have been administering users on just a single VMware ESX server. These have been local “Linux-like” users. So what happens if you have, say, 5 ESX servers and you throw in VMware Virtual Center? Virtual Center is a centralized management server for VMware ESX. Virtual Center runs on a Windows Server. Because of this, Virtual Center uses Windows AD users & groups, not Linux users and groups. What people normally do in this situation is to remove the users & groups that you created on your ESX servers and perform VMware Virtual Infrastructure (VI) management for your ESX servers with Windows users and groups.
Within Virtual Center, you don’t create new users or groups. You only use Windows users & groups. Thus, to create a new user or group that you would use in Virtual Center, you would do it in Windows AD Users and Computers or locally on the Virtual Center server. While you don’t have a Users & Groups section on your Virtual Center server, you do have the Permissions tab and Roles section that can be configured. There are 8 Roles created by default so you may not need to create any. What you will more commonly use is the Permissions tab. You will find the Permissions tab at varying levels of Virtual Center inventory tree. Here is what it looks like:
If you do select Add Permission, you will be able to match up a Window Local or AD group or user with a Virtual Center Role. For example, I could say that my Windows AD user account can be a Virtual Machine administrator for a certain Virtual Server in the Virtual Center. Here is what it would look like when I was done:
In Summary, VMware ESX and Virtual Center all use the concept of Users, Groups, Roles, and Permissions. Roles define what you can do. Permissions map a user or group to your role. The users & groups either come from your local ESX (Linux) user & group database or the Windows Local/AD username & group database if you are using Virtual Center. It is important to understand these basic layers of VMware Security so that you can secure your VMware ESX systems or grant new access. Do you have questions or comments about VMware? Checkout our VMware Virtualization discussion forums!