Hello,
I've been searching for any documentation or guides describing how best to go about setting up roles and permissions in an environment where there are multiple types of employees, all needing specific types of access in vCenter. For example, we have:
Storage Engineers, who need access to a small subset of internal VMs (those that pertain to managing the SANs), as well as the ability to add LUNs to Hosts and then move those datastores to the appropriate folder in the Datastores view
Network Engineers, who need access to just the DVSes and the ability to create port groups, as well as access to their own small subset of VMs
IT Users, with access to assign storage to only Internal LUNs, use Internal VLANs, and manage Internal VMs
Linux Admins, who support Customer VMs and need access to reassign NICs to only a subset of DVSes and Datastores
etc.
I'm familiar with how to create custom roles and grant permissions to users, but what I'm looking for is more of a guide on the strategy for accomplishing this, perhaps some custom-made roles for similar job types.
I understand that the best approach is to create a group for each of these types, and then define specifically what each of these groups can do, but what I'm confused about is how to apply the roles to the different areas within vCenter. Do I create different custom roles applicable for each of the areas (VMs, Hosts, Datastores, Networking) and then try to structure the objects within each of those areas so that I can give the permissions to the group on a folder level in each of the appropriate sections?
Any guidance is welcome.
Thanks in advance,
Charlie
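The approach the question sketches, one custom role per job function and the role granted to an AD group on a folder in each inventory area so propagation scopes it, written out as an added PowerCLI example. This is not from the original post or from VMware; the vCenter hostname, the CORP domain and group names, the datacenter name and every folder name are assumptions to be replaced. The privilege IDs are standard vSphere ones (Get-VIPrivilege lists the full set on a given vCenter).

```powershell
# Added example, not the poster's environment. Run after installing VMware.PowerCLI.
# Assumed: vCenter 'vcenter.example.internal', AD domain 'CORP', datacenter 'DC1',
# and folders named below in the VM, Datastore, Network and Hosts views.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.internal' | Out-Null   # prompts for credentials

# 1. Roles. A role is only a bag of privileges; it grants nothing until it is
#    attached to an inventory object with a permission. Keep each one minimal.
$roles = @{
    'Storage-Engineer' = @(
        'Host.Config.Storage',        # add / rescan LUNs on a host
        'Datastore.AllocateSpace',
        'Datastore.Browse',
        'Datastore.Move'              # re-home datastores into folders
    )
    'Network-Engineer' = @(
        'DVPortgroup.Create',
        'DVPortgroup.Modify',
        'DVPortgroup.Delete'
    )
    'VM-Operator-Internal' = @(      # the "IT Users" / "Linux Admins" pattern
        'VirtualMachine.Interact.PowerOn',
        'VirtualMachine.Interact.PowerOff',
        'VirtualMachine.Interact.ConsoleInteract',
        'VirtualMachine.Config.EditDevice',  # change a NIC's or disk's backing
        'Network.Assign',                    # only effective on networks they hold it on
        'Datastore.AllocateSpace'            # only effective on datastores they hold it on
    )
}

foreach ($name in $roles.Keys) {
    if (-not (Get-VIRole -Name $name -ErrorAction SilentlyContinue)) {
        $privs = Get-VIPrivilege -Id $roles[$name]
        New-VIRole -Name $name -Privilege $privs | Out-Null
        Write-Host "Created role $name"
    }
}

# 2. Scope. The same role is granted on one folder per inventory area; propagation
#    carries it to everything inside that folder and nothing outside it. An object
#    moved out of the folder loses the access, so folder placement is the control.
$dc = Get-Datacenter -Name 'DC1'
$assignments = @(
    @{ Group='CORP\vc-storage-eng'; Role='Storage-Engineer';     Entity=(Get-Folder -Name 'SAN-Mgmt'      -Type VM) },
    @{ Group='CORP\vc-storage-eng'; Role='Storage-Engineer';     Entity=(Get-Folder -Name 'All-Datastores' -Type Datastore) },
    @{ Group='CORP\vc-storage-eng'; Role='Storage-Engineer';     Entity=(Get-Folder -Name 'Prod-Hosts'    -Type HostAndCluster) },
    @{ Group='CORP\vc-network-eng'; Role='Network-Engineer';     Entity=(Get-Folder -Name 'DVS'           -Type Network) },
    @{ Group='CORP\vc-network-eng'; Role='VM-Operator-Internal'; Entity=(Get-Folder -Name 'Net-Mgmt'      -Type VM) },
    @{ Group='CORP\vc-it-users';    Role='VM-Operator-Internal'; Entity=(Get-Folder -Name 'Internal'      -Type VM) },
    @{ Group='CORP\vc-it-users';    Role='VM-Operator-Internal'; Entity=(Get-Folder -Name 'Internal'      -Type Datastore) },
    @{ Group='CORP\vc-it-users';    Role='VM-Operator-Internal'; Entity=(Get-Folder -Name 'Internal-VLANs' -Type Network) }
)

foreach ($a in $assignments) {
    if ($null -eq $a.Entity) { Write-Warning "Folder for $($a.Group)/$($a.Role) not found, skipping"; continue }
    New-VIPermission -Entity $a.Entity -Principal $a.Group -Role $a.Role -Propagate:$true | Out-Null
}

# Built-in ReadOnly on the datacenter object itself (Propagate off) lets each group
# open the datacenter in the client without inheriting read access to every child.
foreach ($g in ($assignments.Group | Select-Object -Unique)) {
    New-VIPermission -Entity $dc -Principal $g -Role 'ReadOnly' -Propagate:$false | Out-Null
}

# 3. Audit what is actually granted and where; re-run this after any folder moves.
Get-VIPermission |
    Where-Object { $_.Principal -like 'CORP\vc-*' } |
    Select-Object Principal, Role, @{ n='Entity'; e={ $_.Entity.Name } }, Propagate |
    Format-Table -AutoSize
```

Two points the script relies on: vCenter evaluates the most specific permission, so a permission set lower in the tree overrides one inherited from a parent, which is how a "Customer" VM folder can carry a different (or no) role for the same group; and privileges such as Network.Assign or Datastore.AllocateSpace only work on the network or datastore objects the group holds them on, so restricting a group to "Internal" VLANs and LUNs is done by granting on those folders only, not by editing the role.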