HPE SimpliVity

Simplivity 4.0 RBAC Feature Question

 
bbelew
Advisor

I was reading the release notes for 4.0 and the new RBAC features for backup users. In the documentation it says that vSphere administrators are automatically given the SimpliVity administrator role and can perform any function. Does this mean that I need to assign our users as administrators in vSphere in order for them to use the SimpliVity plugin for non-backup features, or is that just for backup administration?

Some members of our infrastructure team just need the ability to power on and off VMs/hosts when they are on call, and I don't want to have to make them administrators globally in vSphere.

BenH10
Advisor

Re: Simplivity 4.0 RBAC Feature Question

RBAC is in what I call beta phase. It is not in a state where it can be administered through the plugin, and it requires SSH'ing into the OVCs to run commands to enable. If you would like your team to have access to backups, they would also have access to a lot of other roles in vCenter; please refer to pages 30-31 in the vSphere Administration guide. I copied the list below.

If you want someone on the team to have access to SimpliVity outside of this new RBAC backup role, they will need to be full global administrators in vCenter, outside of any groups.

If all you want someone to be able to do is turn on and off VMs, you can ignore all of this and create a custom role in vCenter and assign them to it.

Object: Privilege
Alarm: Alarm.Delete, Alarm.DisableActions, Alarm.Edit
Extension: Extension.Register, Extension.Unregister, Extension.Update
Global: Global.Diagnostics, Global.Health, Global.LogEvent, Global.ManageCustomFields, Global.SetCustomField
Host: Host.Cim.CimInteraction
Resource: Resource.AssignVMToPool
System: System.Anonymous, System.Read, System.View
Task: Task.Create, Task.Update
VApp: VApp.ApplicationConfig, VApp.AssignVApp, VApp.Unregister
VirtualMachine: VirtualMachine.Config.ManagedBy, VirtualMachine.Config.Settings, VirtualMachine.GuestOperations.Query, VirtualMachine.Interact.SetCDMedia, VirtualMachine.Interact.DeviceConnection, VirtualMachine.Inventory.Move, VirtualMachine.Interact.PowerOff, VirtualMachine.Interact.PowerOn, VirtualMachine.Inventory.Register, VirtualMachine.Inventory.Unregister, VirtualMachine.State.CreateSnapshot, VirtualMachine.State.RemoveSnapshot, VirtualMachine.State.RevertToSnapshot
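
One way to build the custom vCenter role suggested in the reply above for staff who only need to power VMs on and off, written with VMware PowerCLI. This is an added example, not part of the thread and not HPE's procedure; the vCenter name, role name, folder name and AD group are assumptions, and it covers VM power operations only, not host power or any SimpliVity plugin function.

```powershell
# Added example: least-privilege "on-call VM power" role, scoped to one folder.
# All four values below are hypothetical placeholders.
$vCenter   = 'vcenter.example.local'
$roleName  = 'OnCall-VM-Power'
$scopeName = 'OnCall-Managed-VMs'      # VM folder holding the VMs on-call staff may touch
$principal = 'EXAMPLE\oncall-infra'    # AD group, not individual users

# The only two privileges the role is meant to carry (both appear in the list above).
$wanted = @(
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff'
)

Connect-VIServer -Server $vCenter | Out-Null

# Resolve the privilege IDs; stop if vCenter does not recognise one.
$privs = Get-VIPrivilege -Id $wanted -ErrorAction Stop

# Create the role only if it is not already there.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $privs
}

# Audit: vCenter adds three System.* privileges to every custom role.
# Anything beyond those and $wanted means the role has drifted.
$systemDefaults = 'System.Anonymous', 'System.Read', 'System.View'
$extra = $role.PrivilegeList |
    Where-Object { $_ -notin $wanted -and $_ -notin $systemDefaults }
if ($extra) {
    throw "Role '$roleName' carries unexpected privileges: $($extra -join ', ')"
}

# Grant the role on the folder, not at the vCenter root, so it does not
# apply to every VM in the inventory.
$folder = Get-Folder -Name $scopeName -Type VM -ErrorAction Stop
New-VIPermission -Entity $folder -Principal $principal -Role $role -Propagate $true |
    Out-Null

# Review what is now granted on the folder.
Get-VIPermission -Entity $folder | Select-Object Entity, Principal, Role, Propagate
```

Re-running the audit step on a schedule shows whether anyone has widened the role after it was created.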

bbelew
Advisor

Re: Simplivity 4.0 RBAC Feature Question

That's what we are stuck with today. We want our backup team to have the option to do file restores from SimpliVity and that is it, but currently I have to give them the administrator role on all OVCs.

I would like only our server team to be full admins in vSphere and have our other infrastructure users with the least amount of rights possible. With the roles you listed, would they be able to shut down the OVC also if needed? These users would only need to shut down in the event of a building power outage, which happens frequently for maintenance.

BenH10
Advisor

Re: Simplivity 4.0 RBAC Feature Question

These are global roles, so they would be able to shut down any VM in the infrastructure, as I read it. I was on the beta team discussing this before this release. I have expressed my concerns about insider threats, and they should be adding a lot of features to future releases.

This new backup RBAC role will allow your teams to restore files from backups. Unfortunately, to be able to restore backups for VMs, all of these roles will need to apply to them.

DaveOb
HPE Pro

Re: Simplivity 4.0 RBAC Feature Question

You would be able to shut down the OVC, but not shut down the OVC in a safe manner, in that the safeshutdown option would not be available unless the user is full admin, nor would the role allow you to power off the ESXi.

The most requested use of RBAC in SimpliVity was around backups, where an organisation wanted users to be able to restore backups, which I think the 4.0 implementation provides. With the ability to power off the OVC and ESXi, that user is more akin to a full admin; most organisations may not want that. I am not sure it would be easy just to limit the plugin to show the safeshutdown option without exposing the remove from federation commands, etc. You could open a case as a feature request if it was something you really wanted.


I am an HPE employee
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]