Use > Virtualization management > Manage permissions

Manage permissions

This section describes how to set permissions in your virtualization environment. For more information on permissions, see the SA 10.51 Administer section.

Virtualization user groups

Permissions are granted through user groups. SA provides a set of user groups based on typical roles that are intended to help you set up your own user groups specific to your environment.

Make a copy of the HPE-provided user groups listed in the following table and modify them to provide the permissions your staff needs. These user groups are provided as a starting point, and you should create your own user groups based on these user groups.

User group name Description
Virtualization Administrators Access to add, edit, and remove virtualization services, manage life cycle of VMs and VM templates, and administer permissions for your virtualization inventory.
VM Life Cycle Managers Access to manage life cycle of VMs, including create, modify, migrate, clone, remove VMs, VM power controls, and deploy VMs from VM templates.
VM Template Deployers Access to deploy VMs from VM templates, clone VMs, and VM power controls.
VM Template Managers Access to manage life cycle of VMs and VM templates, including create, modify, migrate, clone, remove VMs, VM power controls, convert VMs to VM templates, deploy VMs from VM templates, and remove VM templates.

Virtualization permissions

To perform virtualization actions, you need the following four types of permissions:

  • Action Permissions allow you to perform specific tasks such as cloning a VM, deploying a VM from a VM template, converting a VM to a VM template, and so forth. Without action permissions, the corresponding menu items are not even displayed in the Actions menu of the SA Client. For a complete list of action permissions, see the SA 10.51 Administer section.
  • Virtualization Container Permissions give you access to the Virtualization Services and the containers under the VS. These containers can be datacenters, hypervisors, host groups, clusters, resource pools, folders, and projects under the Virtualization Service.
  • Server Resource Permissions give you access to facilities, customers, and device groups where the VMs will run. For more information on server resource permissions, see the SA 10.51 Administer section.
  • Folder Permissions give you access to items in the SA Library needed by VMs, such as OS Build Plans, patches, and patch policies, software packages and software policies, application configurations, audit policies, and reports. For more information on folder permissions, see the SA 10.51 Administer section.

The following figure shows some of the key permissions needed to create a VM for the customer Acme and provision it with an OS Build Plan.

Partial permissions needed to create a VM

Depending on your particular virtualization hierarchy, some or all of the following permissions are required for complete authorization to create a VM:

  • Action Permissions: These action permissions are required to create and provision a VM.
    • Manage VM Life Cycle: Create VM - This is the basic action permission required to create a VM.
    • Managed Servers and Groups - This is the basic action permission required to view managed servers.
    • View Virtualization Inventory - This is the basic action permission required to view the virtualization inventory under the Virtualization tab in the SA Client. Without this permission, the Virtualization tab is not displayed in the SA Client.
    • Allow Execute OS Build Plans - This is the action permission required to provision a server using an OS Build Plan.
    • Manage Package = Read - This action allows you to select the boot image ISO in the SA client when performing an OS Build Plan without network boot, or PXE.
  • Virtualization Container Permissions: These permissions depend on how your virtualization hierarchy is organized.
    • Inventory Folder: Write - This gives you write access to the virtualization inventory folder where the new VM will be stored.
    • Hypervisor: Write - This gives you write access to the hypervisor where the new VM will run.
    • Resource Pool: Write - This gives you write access to the resource pool where the new VM will run.
    • Datacenter: Read - This gives you write access on the datastores underlying that datacenter.
  • Server Resource Permissions: Server resource permissions allow you to modify a limited set of specific VMs. For example, you may modify VMs assigned to Customer1, but not VMs assigned to Customer2.
    • Facility: Write - This gives you write access to the facility where managed servers are located.
    • Customer: Write - This gives you write access to the managed servers assigned to the customer. Every managed server is assigned to a customer, and you must grant access permissions to customers.
    • Device Groups: Write - This gives you write access to the device groups in which your VMs will be included automatically. For more information on device groups and customers, see the SA 10.51Use section.
  • Folder Permissions: These permissions give you access to items in the SA Library and depend on where (in which folder) these items are located in the SA Library.
    • OS Build Plan folder: Execute - This gives you permission to use the OS Build Plans in the folder.

Setting virtualization container permissions

This section describes how to set virtualization container permissions. For information on the other types of permissions (action permissions, server resource permissions, and folder permissions), see the SA 10.51 Administer section.

To perform any virtualization actions, including creating, deleting, modifying, or viewing items in your virtualization inventory, you must have virtualization container permissions, such as a datacenter, host, resource pool, and host cluster, on the container of the virtual resources.

  • All folders that reside above the targeted hypervisor and the inventory folder must have List permission.
  • VMs and VM templates inherit permissions from their parent container.
    • In vCenter, you must have at least Read permission on a folder to view and manage the VMs and VM templates on that folder.
    • In SCVMM, you must have at least Read permission on a hypervisor to view and manage the VMs hosted by that hypervisor. To view all templates in SCVMM, you need at least Read rights on the “All VM Templates” folder.
    • In OpenStack, you must have at least Read permission on a project to view the VMs in that project.

To set access permissions on virtual resources:

  1. In the SA Client, locate the virtual resource where you want to set permissions. For example, the following figure shows a datacenter, a cluster within a datacenter, and a server within the cluster on the VS:

  1. Select the virtual resource where you want to set permissions, then right-click and select Permissions. This displays the permissions window for that resource. The following figure shows the virtualization container permissions window for the cluster named jlCluster.

  1. Select the user or user group on which you want to set permissions. Use the Add and Remove buttons to add or remove user groups and users.

Grant permissions only to user groups, not to individual users. Granting permissions through user groups is recommended, because it is more manageable and maintainable than granting permissions to individual users. For more information on user groups, see the SA 10.51 Administer section.

  1. Select the check boxes to grant the desired permissions.
  2. Select Apply or OK to save the permissions.
  3. If the virtualization container is itself contained within other ancestor virtualization containers, you may be asked to grant List permissions on the ancestor containers.

    If the virtualization container contains other children containers, you may be asked to grant the same permissions to the children containers.

    If asked, select whether or not to propagate the permissions to the ancestor containers or the children containers.

  4. Select Apply or OK to save the permissions.