Tag Archives: vCenter

vCenter Tag Administration Permissions

Posted on by Leave a comment

The use of VMware tags recently became a requirement for some of my colleagues in an environment that was inherited.  They were faced with being unable to create Tags & Tag Categories or Assign and Delete them, despite ‘having admin rights’.

Upon investigation it became apparent that while the admins had been granted the Administrators Role at the vCenter Object Level, they had had not been granted sufficient rights at the Global Permissions Level, or any rights for that matter.

The following graphic shows the vSphere Inventory hierarchy.

Link to VMware’s article – Here

As you can see from the graphic, assigning privileges at the Global Level is required to manage Tags and additionally, Content Libraries.

You can see below a vSphere Admin, who has the Administrator Role assigned at the vCenter Level, is not able to select the New, Edit, Delete or Add Permission options for Tags or Tag Categories.

In this scenario there were two different permission requirements, one for a vSphere Admin team, the other for a Storage team both of which could be addressed by two existing roles; Administrators and Tagging Admin.  You could of course create a custom role should you have a requirement to do so. Here are the privileges assigned to the tagging admin role for reference.

The vSphere Admin Team required the Administrator Role at the Global Level (root object) so they could manage Content Libraries and Tags, while the Storage Team required the ability to Create and Assign Tags only.

You can assign permissions to a user or a group from multiple Identity Sources, in this scenario, an Active Directory source.  You will need to do this from an account that already has the Administrator Role at the Global Level.  By default, the administrator@vsphere.local account has this privilege. (replace the domain as needed if you have used a different SSO domain name)

From the Menu, select ‘Administration’ and select the ‘Global Permissions’ option in on the left-hand side.

From here, select the Add Permission icon.

You can now select the domain of the user or group you wish to add from the drop-down list and begin to type the name of that user or group.  It will begin to narrow your selection as you type. 

Select the user.

Now select the appropriate role and select the ‘Propagate to child object’ option.

If you have multiple users, groups or roles you need to assign, repeat the process.

You will now see both permissions in the Global Permissions menu.  If logged in, you will need to log out and back in for this to take effect. Both scenarios are shown.

If you now return to the Tags & Custom Attributes menu, logged in as a user from either of these groups, you will see that the New, Edit, Delete or Add Permission options for Tags or Tag Categories are now available.

Note: Providing a user or group privileges at the Global Permissions Level and selecting, ‘Propagate to child objects’ will give that user or group the privilege’s on the child objects such as vCenter, Cluster, VM and Datastore. 

This can be useful if you have multiple vCenters in Enhanced Linked Mode (ELM) as you only need to apply it once.

vCenter –

Host –

Datastore –

Further information can be found in the following VMware article which explains how you can grant permissions on a Tag object, rather than at the Global or vCenter Levels to give you further granualar control.

https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-2199584C-B422-4EEF-9340-5449E1FB7DAE.html

Inheriting any environment can be difficult and full of unknowns, hopefully this could help you if you are experiencing a similar issue!

Thanks for reading!

Deploying Custom Virtual Standard Switches for Management

Posted on by Leave a comment

I have been rebuilding my lab hosts a lot lately! Once because I fiddled too much with my vSAN cluster and killed it… Another more interesting occasion being the release of VCF 4.0 on VMUG and beginning the deployment of this!

I prefer to use Standard vSwitches for my management network in my labs and needed a quick and easy way to get the hosts back online with minimal effort. One thing I don’t like is seeing vSwitch0… I prefer seeing useful and descriptive naming, like I’m sure many others do!

Below are a few lines of PowerCLI to quickly and easily create a new vSwitch using a spare VMNIC (you should be using more than one physical NIC for resiliency), then migrate the Management VM Kernel adapter and original VMNIC over to it, followed by a clean up of vSwitch0.

#Variables
<#ESX Host to target#> $ESXHost = "ESX102.lab.local"
<#Name of the Management Switch#> $ManagementSwitchName = "vSS_Management"
<#vmnic to be used for Management Switch#> $ManagementSwitchNIC = "vmnic1"
<#MTU size for Management Switch#> $ManagementSwitchMTU = "1500"
<#Name of the Portgroup for the VMKernel Adapter#> $ManagementVMKPortGroupName = "vSS_VMK_Management"
<#Name of the PortGroup for VM's#> $ManagementPGSwitchName = "vSS_PG_Management"
 
<#Management VMKernal Nic to be migrated#>$vNic = "vmk0"
<#Management VMKernel assosiated pNic#>$PhysiscalNic = "vmnic0"
<#Old vSwitch#> $OldvSwitch = "vSwitch0"
 
#New Standard Management Switch
$NewSwitch1 = New-VirtualSwitch -VMHost $ESXHost -Name $ManagementSwitchName -Nic $ManagementSwitchNIC -mtu $ManagementSwitchMTU
$NewSwitch1 | New-VirtualPortGroup -Name $ManagementVMKPortGroupName -VLanId 0
$NewSwitch1 | New-VirtualPortGroup -Name $ManagementPGSwitchName

Once the new vSwitch is in place, the next block of code migrates the Management VM Kernel adapter and the VMNIC over to it.

#Migrate Mangement VMKernel Adapter
$mgmt_vmk = Get-VMHostNetworkAdapter -VMHost $ESXhost -Name $vNic
$pnic = Get-VMHostNetworkAdapter -VMHost $esxhost -Name $PhysiscalNic
Add-VirtualSwitchPhysicalNetworkAdapter -VirtualSwitch $NewSwitch1 -VMHostPhysicalNic $pnic -VMHostVirtualNic $mgmt_vmk -VirtualNicPortgroup $ManagementVMKPortGroupName -Confirm:$false

Now the clean up block. This removes the now redundant vSwitch0. 

#Remove Original vSwitch0
Remove-VirtualSwitch -VirtualSwitch (Get-VirtualSwitch -VMHost $ESXHost  | Where-Object {$_.Name -eq $OldvSwitch}) -Confirm:$false

Note: If you have more than two VMNIC’s associated with the vSwitch, you will need to adjust this to include them.

Thanks for reading.

Recent Entries »