| title | description | ms.topic | ms.service | ms.date |
|---|---|---|---|---|
Concepts - Identity and access |
Learn about the identity and access concepts of Azure VMware Solution |
conceptual |
azure-vmware |
06/06/2022 |
Azure VMware Solution private clouds are provisioned with a vCenter Server and NSX-T Manager. You'll use vCenter to manage virtual machine (VM) workloads and NSX-T Manager to manage and extend the private cloud. The CloudAdmin role is used for vCenter Server and the administrator role (with restricted permissions) is used for NSX-T Manager.
[!INCLUDE vcenter-access-identity-description]
Important
Azure VMware Solution offers custom roles on vCenter Server but currently doesn't offer them on the Azure VMware Solution portal. For more information, see the Create custom roles on vCenter Server section later in this article.
You can view the privileges granted to the Azure VMware Solution CloudAdmin role on your Azure VMware Solution private cloud vCenter.
-
Sign into the vSphere Client and go to Menu > Administration.
-
Under Access Control, select Roles.
-
From the list of roles, select CloudAdmin and then select Privileges.
:::image type="content" source="media/concepts/role-based-access-control-cloudadmin-privileges.png" alt-text="Screenshot showing the roles and privileges for CloudAdmin in the vSphere Client.":::
The CloudAdmin role in Azure VMware Solution has the following privileges on vCenter Server. For more information, see the VMware product documentation.
| Privilege | Description |
|---|---|
| Alarms | Acknowledge alarm Create alarm Disable alarm action Modify alarm Remove alarm Set alarm status |
| Content Library | Add library item Create a subscription for a published library Create local library Create subscribed library Delete library item Delete local library Delete subscribed library Delete subscription of a published library Download files Evict library items Evict subscribed library Import storage Probe subscription information Publish a library item to its subscribers Publish a library to its subscribers Read storage Sync library item Sync subscribed library Type introspection Update configuration settings Update files Update library Update library item Update local library Update subscribed library Update subscription of a published library View configuration settings |
| Cryptographic operations | Direct access |
| Datastore | Allocate space Browse datastore Configure datastore Low-level file operations Remove files Update virtual machine metadata |
| Folder | Create folder Delete folder Move folder Rename folder |
| Global | Cancel task Global tag Health Log event Manage custom attributes Service managers Set custom attribute System tag |
| Host | vSphere Replication Manage replication |
| Network | Assign network |
| Permissions | Modify permissions Modify role |
| Profile Driven Storage | Profile driven storage view |
| Resource | Apply recommendation Assign vApp to resource pool Assign virtual machine to resource pool Create resource pool Migrate powered off virtual machine Migrate powered on virtual machine Modify resource pool Move resource pool Query vMotion Remove resource pool Rename resource pool |
| Scheduled task | Create task Modify task Remove task Run task |
| Sessions | Message Validate session |
| Storage view | View |
| vApp | Add virtual machine Assign resource pool Assign vApp Clone Create Delete Export Import Move Power off Power on Rename Suspend Unregister View OVF environment vApp application configuration vApp instance configuration vApp managedBy configuration vApp resource configuration |
| Virtual machine | Change Configuration Acquire disk lease Add existing disk Add new disk Add or remove device Advanced configuration Change CPU count Change memory Change settings Change swapfile placement Change resource Configure host USB device Configure raw device Configure managedBy Display connection settings Extend virtual disk Modify device settings Query fault tolerance compatibility Query unowned files Reload from paths Remove disk Rename Reset guest information Set annotation Toggle disk change tracking Toggle fork parent Upgrade virtual machine compatibility Edit inventory Create from existing Create new Move Register Remove Unregister Guest operations Guest operation alias modification Guest operation alias query Guest operation modifications Guest operation program execution Guest operation queries Interaction Answer question Back up operation on virtual machine Configure CD media Configure floppy media Connect devices Console interaction Create screenshot Defragment all disks Drag and drop Guest operating system management by VIX API Inject USB HID scan codes Install VMware tools Pause or Unpause Wipe or shrink operations Power off Power on Record session on virtual machine Replay session on virtual machine Reset Resume Fault Tolerance Suspend Suspend fault tolerance Test failover Test restart secondary VM Turn off fault tolerance Turn on fault tolerance Provisioning Allow disk access Allow file access Allow read-only disk access Allow virtual machine download Clone template Clone virtual machine Create template from virtual machine Customize guest Deploy template Mark as template Modify customization specification Promote disks Read customization specifications Service configuration Allow notifications Allow polling of global event notifications Manage service configuration Modify service configuration Query service configurations Read service configuration Snapshot management Create snapshot Remove snapshot Rename snapshot Revert snapshot vSphere Replication Configure replication Manage replication Monitor replication |
| vService | Create dependency Destroy dependency Reconfigure dependency configuration Update dependency |
| vSphere tagging | Assign and unassign vSphere tag Create vSphere tag Create vSphere tag category Delete vSphere tag Delete vSphere tag category Edit vSphere tag Edit vSphere tag category Modify UsedBy field for category Modify UsedBy field for tag |
Azure VMware Solution supports the use of custom roles with equal or lesser privileges than the CloudAdmin role.
You'll use the CloudAdmin role to create, modify, or delete custom roles with privileges lesser than or equal to their current role. You can create roles with privileges greater than CloudAdmin. You can't assign the role to any users or groups or delete the role.
To prevent creating roles that can't be assigned or deleted, clone the CloudAdmin role as the basis for creating new custom roles.
-
Sign in to vCenter Server with cloudadmin@vsphere.local or a user with the CloudAdmin role.
-
Navigate to the Roles configuration section and select Menu > Administration > Access Control > Roles.
-
Select the CloudAdmin role and select the Clone role action icon.
[!NOTE] Don't clone the Administrator role because you can't use it. Also, the custom role created can't be deleted by cloudadmin@vsphere.local.
-
Provide the name you want for the cloned role.
-
Add or remove privileges for the role and select OK. The cloned role is visible in the Roles list.
-
Navigate to the object that requires the added permission. For example, to apply permission to a folder, navigate to Menu > VMs and Templates > Folder Name.
-
Right-click the object and select Add Permission.
-
Select the Identity Source in the User drop-down where the group or user can be found.
-
Search for the user or group after selecting the Identity Source under the User section.
-
Select the role that you want to apply to the user or group.
-
Check the Propagate to children if needed, and select OK. The added permission displays in the Permissions section.
When a private cloud is provisioned using Azure portal, Software Defined Data Center (SDDC) management components like vCenter and NSX-T Manager are provisioned for customers.
Microsoft is responsible for the lifecycle management of NSX-T appliances like NSX-T Managers and NSX-T Edges. They're responsible for bootstrapping network configuration, like creating the Tier-0 gateway.
You're responsible for NSX-T software-defined networking (SDN) configuration, for example:
- Network segments
- Other Tier-1 gateways
- Distributed firewall rules
- Stateful services like gateway firewall
- Load balancer on Tier-1 gateways
You can access NSX-T Manager using the built-in local user "admin" assigned to Enterprise admin role that gives full privileges to a user to manage NSX-T. While Microsoft manages the lifecycle of NSX-T, certain operations aren't allowed by a user. Operations not allowed include editing the configuration of host and edge transport nodes or starting an upgrade. For new users, Azure VMware Solution deploys them with a specific set of permissions needed by that user. The purpose is to provide a clear separation of control between the Azure VMware Solution control plane configuration and Azure VMware Solution private cloud user.
For new private cloud deployments (in US West and Australia East) starting June 2022, NSX-T access will be provided with a built-in local user cloudadmin with a specific set of permissions to use only NSX-T functionality for workloads. The new cloudadmin user role will be rolled out in other regions in phases.
Note
Admin access to NSX-T will not be provided to users for private cloud deployments created after June 2022.
The following permissions are assigned to the cloudadmin user in Azure VMware Solution NSX-T.
| Category | Type | Operation | Permission |
|---|---|---|---|
| Networking | Connectivity | Tier-0 Gateways Tier-1 Gateways Segments |
Read-only Full Access Full Access |
| Networking | Network Services | VPN NAT Load Balancing Forwarding Policy Statistics |
Full Access Full Access Full Access Read-only Full Access |
| Networking | IP Management | DNS DHCP IP Address Pools |
Full Access Full Access Full Access |
| Networking | Profiles | Full Access | |
| Security | East West Security | Distributed Firewall Distributed IDS and IPS Identity Firewall |
Full Access Full Access Full Access |
| Security | North South Security | Gateway Firewall URL Analysis |
Full Access Full Access |
| Security | Network Introspection | Read-only | |
| Security | Endpoint Protection | Read-only | |
| Security | Settings | Full Access | |
| Inventory | Full Access | ||
| Troubleshooting | IPFIX | Full Access | |
| Troubleshooting | Port Mirroring | Full Access | |
| Troubleshooting | Traceflow | Full Access | |
| System | Configuration Settings Settings Settings |
Identity firewall Users and Roles Certificate Management User Interface Settings |
Full Access Full Access Full Access Full Access |
| System | All other | Read-only |
You can view the permissions granted to the Azure VMware Solution CloudAdmin role using the following steps:
- Log in to the NSX-T Manager.
- Navigate to Systems > Users and Roles and locate User Role Assignment.
- The Roles column for the CloudAdmin user provides information on the NSX role-based access control (RBAC) roles assigned.
- Select the the Roles tab to view specific permissions associated with each of the NSX RBAC roles.
- To view Permissions, expand the CloudAdmin role and select a category like, Networking or Security.
Note
The current Azure VMware Solution with NSX-T admin user will eventually switch from admin user to cloudadmin user. You'll receive a notification through Azure Service Health that includes the timeline of this change so you can change the NSX-T credentials you've used for the other integration.
Now that you've covered Azure VMware Solution access and identity concepts, you may want to learn about: