Azure VMware Solution identity concepts
Azure VMware Solution private clouds are provisioned with a vCenter Server and NSX-T Manager. You'll use vCenter to manage virtual machine (VM) workloads and NSX-T Manager to manage and extend the private cloud. The CloudAdmin role is used for vCenter and restricted administrator rights for NSX-T Manager.
vCenter access and identity
In Azure VMware Solution, vCenter has a built-in local user called cloudadmin assigned to the CloudAdmin role. You can configure users and groups in Active Directory (AD) with the CloudAdmin role for your private cloud. In general, the CloudAdmin role creates and manages workloads in your private cloud. But in Azure VMware Solution, the CloudAdmin role has vCenter privileges that differ from other VMware cloud solutions and on-premises deployments.
Important
The local cloudadmin user should be treated as an emergency access account for "break glass" scenarios in your private cloud. It's not for daily administrative activities or integration with other services.
In a vCenter and ESXi on-premises deployment, the administrator has access to the vCenter administrator@vsphere.local account. They can also have more AD users and groups assigned.
In an Azure VMware Solution deployment, the administrator doesn't have access to the administrator user account. They can, however, assign AD users and groups to the CloudAdmin role in vCenter. The CloudAdmin role doesn't have permissions to add an identity source, such as an on-premises LDAP or LDAPS server, to vCenter. However, you can use Run commands to add an identity source and assign the CloudAdmin role to users and groups.
The private cloud user doesn't have access to, and can't configure, the management components that Microsoft supports and manages, such as clusters, hosts, datastores, and distributed virtual switches.
Note
In Azure VMware Solution, the vsphere.local SSO domain is provided as a managed resource to support platform operations. It doesn't support the creation and management of local groups and users other than those provided by default with your private cloud.
Important
Azure VMware Solution offers custom roles on vCenter but currently doesn't offer them on the Azure VMware Solution portal. For more information, see the Create custom roles on vCenter section later in this article.
View the vCenter privileges
You can view the privileges granted to the Azure VMware Solution CloudAdmin role on your Azure VMware Solution private cloud vCenter.
Sign in to the vSphere Client and go to Menu > Administration.
Under Access Control, select Roles.
From the list of roles, select CloudAdmin and then select Privileges.
The CloudAdmin role in Azure VMware Solution has the following privileges on vCenter. For more information, see the VMware product documentation.
| Privilege | Description |
|---|---|
| Alarms | Acknowledge alarm; Create alarm; Disable alarm action; Modify alarm; Remove alarm; Set alarm status |
| Content Library | Add library item; Create a subscription for a published library; Create local library; Create subscribed library; Delete library item; Delete local library; Delete subscribed library; Delete subscription of a published library; Download files; Evict library items; Evict subscribed library; Import storage; Probe subscription information; Publish a library item to its subscribers; Publish a library to its subscribers; Read storage; Sync library item; Sync subscribed library; Type introspection; Update configuration settings; Update files; Update library; Update library item; Update local library; Update subscribed library; Update subscription of a published library; View configuration settings |
| Cryptographic operations | Direct access |
| Datastore | Allocate space; Browse datastore; Configure datastore; Low-level file operations; Remove files; Update virtual machine metadata |
| Folder | Create folder; Delete folder; Move folder; Rename folder |
| Global | Cancel task; Global tag; Health; Log event; Manage custom attributes; Service managers; Set custom attribute; System tag |
| Host | vSphere Replication: Manage replication |
| Network | Assign network |
| Permissions | Modify permissions; Modify role |
| Profile | Profile driven storage view |
| Resource | Apply recommendation; Assign vApp to resource pool; Assign virtual machine to resource pool; Create resource pool; Migrate powered off virtual machine; Migrate powered on virtual machine; Modify resource pool; Move resource pool; Query vMotion; Remove resource pool; Rename resource pool |
| Scheduled task | Create task; Modify task; Remove task; Run task |
| Sessions | Message; Validate session |
| Storage view | View |
| vApp | Add virtual machine; Assign resource pool; Assign vApp; Clone; Create; Delete; Export; Import; Move; Power off; Power on; Rename; Suspend; Unregister; View OVF environment; vApp application configuration; vApp instance configuration; vApp managedBy configuration; vApp resource configuration |
| Virtual machine | Change Configuration: Acquire disk lease; Add existing disk; Add new disk; Add or remove device; Advanced configuration; Change CPU count; Change memory; Change settings; Change swapfile placement; Change resource; Configure host USB device; Configure raw device; Configure managedBy; Display connection settings; Extend virtual disk; Modify device settings; Query fault tolerance compatibility; Query unowned files; Reload from paths; Remove disk; Rename; Reset guest information; Set annotation; Toggle disk change tracking; Toggle fork parent; Upgrade virtual machine compatibility<br>Edit inventory: Create from existing; Create new; Move; Register; Remove; Unregister<br>Guest operations: Guest operation alias modification; Guest operation alias query; Guest operation modifications; Guest operation program execution; Guest operation queries<br>Interaction: Answer question; Back up operation on virtual machine; Configure CD media; Configure floppy media; Connect devices; Console interaction; Create screenshot; Defragment all disks; Drag and drop; Guest operating system management by VIX API; Inject USB HID scan codes; Install VMware tools; Pause or Unpause; Wipe or shrink operations; Power off; Power on; Record session on virtual machine; Replay session on virtual machine; Suspend; Suspend fault tolerance; Test failover; Test restart secondary VM; Turn off fault tolerance; Turn on fault tolerance<br>Provisioning: Allow disk access; Allow file access; Allow read-only disk access; Allow virtual machine download; Clone template; Clone virtual machine; Create template from virtual machine; Customize guest; Deploy template; Mark as template; Modify customization specification; Promote disks; Read customization specifications<br>Service configuration: Allow notifications; Allow polling of global event notifications; Manage service configuration; Modify service configuration; Query service configurations; Read service configuration<br>Snapshot management: Create snapshot; Remove snapshot; Rename snapshot; Revert snapshot<br>vSphere Replication: Configure replication; Manage replication; Monitor replication |
| vService | Create dependency; Destroy dependency; Reconfigure dependency configuration; Update dependency |
| vSphere tagging | Assign and unassign vSphere tag; Create vSphere tag; Create vSphere tag category; Delete vSphere tag; Delete vSphere tag category; Edit vSphere tag; Edit vSphere tag category; Modify UsedBy field for category; Modify UsedBy field for tag |
Create custom roles on vCenter
Azure VMware Solution supports the use of custom roles with equal or lesser privileges than the CloudAdmin role.
A user holding the CloudAdmin role can create, modify, or delete custom roles whose privileges are lesser than or equal to their own. You can create a role with privileges greater than CloudAdmin, but you can't assign that role to any users or groups, and you can't delete it.
To prevent creating roles that can't be assigned or deleted, clone the CloudAdmin role as the basis for creating new custom roles.
Create a custom role
Sign in to vCenter with cloudadmin@vsphere.local or a user with the CloudAdmin role.
Navigate to the Roles configuration section and select Menu > Administration > Access Control > Roles.
Select the CloudAdmin role and select the Clone role action icon.
Note
Don't clone the Administrator role because you can't use it. Also, a custom role created from it can't be deleted by cloudadmin@vsphere.local.
Provide the name you want for the cloned role.
Add or remove privileges for the role and select OK. The cloned role is visible in the Roles list.
Apply a custom role
Navigate to the object that requires the added permission. For example, to apply permission to a folder, navigate to Menu > VMs and Templates > Folder Name.
Right-click the object and select Add Permission.
Select the Identity Source in the User drop-down where the group or user can be found.
Search for the user or group after selecting the Identity Source under the User section.
Select the role that you want to apply to the user or group.
Select Propagate to children if needed, and select OK. The added permission displays in the Permissions section.
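The same three procedures (viewing the CloudAdmin privileges, creating a custom role by cloning CloudAdmin, and applying it to a folder) can be scripted with VMware PowerCLI. The following is an added example, not code from the Azure VMware Solution documentation; the vCenter FQDN, the role name VMOperator, the AD group CONTOSO\vm-operators and the folder Prod-VMs are placeholders, and the trimmed privilege set is an illustrative least-privilege choice, not a recommendation from the article.

```powershell
# Added example (not from the Azure VMware Solution docs): PowerCLI equivalent of the
# "View the vCenter privileges", "Create a custom role" and "Apply a custom role" steps.
# Placeholders: vCenter FQDN, role name 'VMOperator', group 'CONTOSO\vm-operators', folder 'Prod-VMs'.
Import-Module VMware.VimAutomation.Core

$vc = Connect-VIServer -Server 'vcsa.example.avs.azure.com' -User 'cloudadmin@vsphere.local'

# Privileges of the built-in CloudAdmin role (the list the vSphere Client shows under
# Administration > Roles > CloudAdmin > Privileges).
$cloudAdmin      = Get-VIRole -Name 'CloudAdmin' -Server $vc
$cloudAdminPrivs = Get-VIPrivilege -Role $cloudAdmin -Server $vc

# Clone CloudAdmin, not Administrator: a role whose privileges exceed CloudAdmin can be
# created but can never be assigned or deleted by cloudadmin.
$newRole = New-VIRole -Name 'VMOperator' -Privilege $cloudAdminPrivs -Server $vc

# Trim the clone to what VM operators need (least privilege). The strings are vSphere's
# internal privilege IDs; the comments give the display names used in the table above.
$toRemove = @(
    'Authorization.ModifyPermissions',          # Permissions > Modify permissions
    'Authorization.ModifyRoles',                # Permissions > Modify role
    'Cryptographer.Access',                     # Cryptographic operations > Direct access
    'VirtualMachine.GuestOperations.Execute'    # Guest operations > Guest operation program execution
)
$removePrivs = Get-VIPrivilege -Id $toRemove -Server $vc
Set-VIRole -Role $newRole -RemovePrivilege $removePrivs -Confirm:$false | Out-Null

# Guard: the finished role must stay a subset of CloudAdmin, otherwise it becomes an
# unassignable, undeletable orphan. Compare-Object yields no '=>' rows when it is a subset.
$extra = Compare-Object -ReferenceObject $cloudAdminPrivs.Id `
                        -DifferenceObject (Get-VIPrivilege -Role $newRole -Server $vc).Id |
         Where-Object SideIndicator -eq '=>'
if ($extra) { throw "Role exceeds CloudAdmin: $($extra.InputObject -join ', ')" }

# Apply the role to a folder and propagate to its children (the equivalent of
# Add Permission > Propagate to children in the vSphere Client).
$folder = Get-Folder -Name 'Prod-VMs' -Server $vc
New-VIPermission -Entity $folder -Principal 'CONTOSO\vm-operators' -Role $newRole -Propagate:$true

Disconnect-VIServer -Server $vc -Confirm:$false
```

Run it as cloudadmin@vsphere.local or another CloudAdmin-role user; the subset check is what keeps the result deletable later, which the vSphere Client clone workflow does not verify for you.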
NSX-T Manager access and identity
Note
NSX-T 3.1.2 is currently supported for all new private clouds.
Use the admin account to access NSX-T Manager. It has full privileges and lets you create and manage Tier-1 (T1) gateways, segments (logical switches), and all services. In addition, the privileges give you access to the NSX-T Tier-0 (T0) gateway. A change to the T0 gateway could result in degraded network performance or no private cloud access. Open a support request in the Azure portal to request any changes to your NSX-T T0 gateway.
Next steps
Now that you've covered Azure VMware Solution access and identity concepts, you may want to learn about: