Pure Technical Services

vSphere Plugin User Guide: Role-Based Access Control (RBAC) with the Remote Plugin


RBAC for the HTML vSphere Plug-in Overview

Limiting who is able to do what in any datacenter environment is a core element in separating responsibilities and protecting against accidental or nefarious actions from users.  In version 5.0 of the vSphere plugin, we are happy to introduce the ability to define vSphere-based roles and permissions for Pure Storage that cover VMware storage-related tasks.  This capability enables vSphere administrators to enforce granular controls over other administrators and consumers of the vSphere environment at the storage layer.

There are a few key terms and definitions that we will define to help provide context for the remainder of this KB article.

A vCenter Role is simply a collection of one or more action(s) that can be executed.  Available roles are grouped together within vCenter, so for example there is a Pure Storage set of available roles and a separate set of roles that applies to ESXi hosts.  A role can contain as few as one action or as many as you wish to give it.  The Administrators role, which is built into vCenter by default, has all available actions available to it.

A vCenter Permission is the mechanism by which you define who is able to do what where.  Permissions require a user and/or a group and a role to be assigned to them.  Permissions can leverage users or groups from the local vCenter or from something external like Active Directory (AD) if the vCenter has been joined to the domain.  Finally, permissions can be defined globally or they can be associated with individual objects within a vCenter instance like a Distributed Switch or a single ESXi cluster.

A vCenter Object is simply something that exists within a vCenter instance.  Examples include a FlashArray, a datastore, a cluster or a distributed switch, just to name a few.  Objects are generally what permissions and roles allow or do not allow a user to view or manipulate.

Requirements:

  • Minimum Plugin Version:  Remote Plugin 5.0.0
    • Installation Instructions for the vSphere Remote Plugin can be found here.
  • Minimum Purity Version:  4.10
  • Minimum vCenter Version:  6.7U3
  • If Active Directory or other Identity Source is to be used, the vCenter instance needs to be registered against it.  Here are instructions for how to join vCenter to an Active Directory (AD) domain.  In the following examples, our vCenter instance is joined to a Windows AD domain.

How to Create a vSphere Role with Pure Storage Permissions

Role creation for use with Pure Storage within vCenter is no different than creating any other vCenter-based role so long as the plugin has been installed to make the Pure Storage roles available.  To start, click on the vCenter Menu button and click on Administration.

rbac1.png

From the Administration menu, next click on the Roles option and then click on the + sign to create a new role.  Alternatively, an existing role can be edited to add Pure Storage permissions to it but for this example we will create a new role.

rbac2.png

In the New Role wizard, scroll down to the Pure Storage section and select the action(s) that you want the new role to be able to do.  At the end of this guide, we show minimum permissions required in order to perform various vCenter actions with Pure Storage.  Some Pure Storage actions only require selections from the Pure Storage role section while others require permissions from other areas as well.  Multiple actions can be combined into a single role depending on how much or how little you want the role to be able to do.  Once you have selected one or more actions for the new role click on the Next button.

rbac3.png

Provide a Name for the new role and optionally provide a Description.  Click on Finish to complete.

rbac4.png

The new role is now available to be assigned as a Global Permission within vCenter or can be directly assigned to a FlashArray as we will show in the next section.

How To Assign Role-Based Permissions within vCenter

Many of the daily operations needed by someone administering Pure Storage will include roles external to the Pure Storage set of roles.  As an example, creating a new datastore not only requires appropriate permissions to the underlying FlashArray but also requires ESXi host permissions to perform operations like scanning the HBAs and datastore permissions to allocate new space.  As such, we will show one way to associate a role with a user or group of users within vCenter so that it applies to the necessary objects.

To start, return to the vSphere Administrative menu and click on Global Permissions.  Then click on the + sign to add a new permission.

rbac11.png

In the Add Permission screen, first select the Domain to be used (Active Directory in this example), enter the User or Group in that domain you want and then pick the Role from the pull-down menu.  Optionally select if you want the permission to Propagate to children and finally click on OK.

rbac12.png

Returning to the sample Role defined in the previous section, we can see under Usage that a single user now has this role assigned to them.

rbac13.png
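The two procedures above (creating a role from Pure Storage actions, then assigning it as a permission) can also be scripted with VMware PowerCLI. The block below is an added example and is not code from this KB article or from the Pure Storage plugin. It builds the role for one row of the permissions matrix, "Create VMFS Datastore", and assigns it to an Active Directory group on a single cluster rather than as a Global Permission. It assumes PowerCLI is installed and Connect-VIServer has already been run, that the plugin registers its privileges under a vCenter privilege group with the display name "Pure Storage", and that the role, cluster and AD group names are placeholders to be replaced.

```powershell
# Added example (not from the Pure Storage KB): create a least-privilege role
# for the matrix row "Create VMFS Datastore" and assign it on one cluster.
# Assumptions: PowerCLI is loaded and Connect-VIServer has run; the plugin's
# privileges sit under a privilege group whose display name is "Pure Storage";
# 'PureStorage-VMFS-Creator', 'Cluster01' and 'LAB\vmfs-datastore-admins'
# are placeholders.
$ErrorActionPreference = 'Stop'

# Resolve a privilege by its display name and insist on exactly one match, so
# a typo or a duplicate display name cannot silently widen the role.
function Resolve-OnePrivilege {
    param([string]$Name, [object[]]$Candidates)
    $hits = @($Candidates | Where-Object { $_.Name -eq $Name })
    if ($hits.Count -ne 1) {
        throw "Expected exactly one privilege named '$Name', found $($hits.Count)"
    }
    return $hits[0]
}

# Leaf privileges registered by the plugin (assumed group name "Pure Storage").
$pureGroup = Get-VIPrivilege -Group | Where-Object { $_.Name -eq 'Pure Storage' }
if (-not $pureGroup) {
    throw 'Pure Storage privilege group not found; is the remote plugin installed?'
}
$purePrivs = Get-VIPrivilege -PrivilegeGroup $pureGroup -Recurse -PrivilegeItem

# Minimum set from the matrix row "Create VMFS Datastore":
#   Host > Configuration > Storage partition configuration
#   Pure Storage > Administration > Display Array
#   Pure Storage > Volume Management > Create VMFS Datastore, Mount Datastore
$allLeafPrivs = Get-VIPrivilege -PrivilegeItem
$privileges = @(
    Resolve-OnePrivilege -Name 'Storage partition configuration' -Candidates $allLeafPrivs
    Resolve-OnePrivilege -Name 'Display Array'                   -Candidates $purePrivs
    Resolve-OnePrivilege -Name 'Create VMFS Datastore'           -Candidates $purePrivs
    Resolve-OnePrivilege -Name 'Mount Datastore'                 -Candidates $purePrivs
)

# Create the role with exactly those privileges and nothing else.
$role = New-VIRole -Name 'PureStorage-VMFS-Creator' -Privilege $privileges

# Assign the role to an AD group on one cluster, propagating to the hosts and
# datastores beneath it. This is the object-scoped alternative to the Global
# Permission shown in the screenshots above.
New-VIPermission -Entity (Get-Cluster -Name 'Cluster01') `
                 -Principal 'LAB\vmfs-datastore-admins' `
                 -Role $role -Propagate:$true

# Confirm what was created: the role's privilege IDs and where it is assigned.
Get-VIPrivilege -Role $role   | Select-Object Id, Name
Get-VIPermission -Role $role  | Select-Object Principal, Entity, Propagate
```

Resolving privileges by display name and failing on anything other than a single hit is deliberate: the matrix is expressed in display names, and a role that quietly picks up an extra privilege because a name matched twice is exactly the kind of drift RBAC is meant to prevent. Scoping the permission to a cluster rather than globally keeps the datastore-creation rights away from clusters that group should not touch.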

How To Assign Role-Based Permissions to a Pure Storage FlashArray

The permission assignment process shown in the previous section must also be applied in similar fashion within the Pure Storage plugin so that it applies to Pure Storage objects.

To get started assigning a role-based permission to a Pure Storage FlashArray, we first need to add a FlashArray to vCenter.  To access the plugin, go to the vCenter Menu and then select Pure Storage.

rbac5.png

Click on the + ADD button to add an array.  Note that the user adding a FlashArray must always be a member of the vCenter Administrators group.

rbac6.png

In the Add Array wizard, provide an Array Name, the IP Address (typically the VIP) and a Username/Password for the FlashArray.  Click on Submit to complete.

rbac7.png

With the FlashArray now added, select the array, click on the Permissions tab and then click on the + sign to give a user or group permissions over the FlashArray.

rbac8.png

In the Add Permission window, confirm the Array is the one you want to add the permission to, then from the pull-down menu pick the Domain, followed by the User or Group you want to use for the permission.  Lastly, select the Role you wish to assign against the FlashArray and click Submit.

rbac9.png

In the below screen capture we can see that we have successfully assigned a user (vvols) the role of virtual volumes admin.

rbac10.png

Video Demo of Using Pure Storage vSphere RBAC

Minimum Permissions Matrix for Pure Storage vSphere RBAC

The below table shows the minimum permission needed to perform 

Columns: FlashArray VMware Component / Pure Storage Action / Minimum vSphere Permissions Required

Each component heading below lists its Pure Storage actions; under each action are the minimum vSphere permissions required, grouped by the vSphere privilege category they belong to.

FlashArray Management

  Add FlashArray to vCenter
    User must be in the administrators@vsphere.local (or equivalent SSO) domain.

  Edit Existing FlashArray
    Pure Storage
      • Administration
        • Display Array
        • Edit Array

  Remove FlashArray from vCenter
    Pure Storage
      • Administration
        • Display Array
        • Remove Array

  Modify FlashArray Roles
    Applies to existing FlashArray permissions only.  That is, this action cannot add a new permission to a FlashArray; that capability is reserved for users in the Administrators@vsphere.local group.
    Pure Storage
      • Administration
        • Display Array
        • Modify Roles

ESXi Host Management

  Add Host Group to FlashArray*
    *Note that for iSCSI-based arrays the Configure ESXi Host iSCSI permission listed below will also be required if software iSCSI has not been enabled on the ESXi hosts.
    Pure Storage
      • Administration
        • Display Array
      • Host Management
        • Add Array Host Group

  Rename Host
    Pure Storage
      • Administration
        • Display Array
      • Host Management
        • Rename Host

  Disconnect Host from FlashArray Host Group
    Host
      • Configuration
        • Maintenance
    Pure Storage
      • Administration
        • Display Array
      • Host Management
        • Disconnect Host

  Configure ESXi Host iSCSI
    Host
      • Configuration
        • Storage partition configuration
    Pure Storage
      • Administration
        • Display Array
      • Miscellaneous
        • Configure iSCSI

Protection Groups

  Import Protection Groups
    Pure Storage
      • Administration
        • Display Array
      • Virtual Volume Management
        • Import Protection Groups
    Profile-driven storage
      • Profile-driven storage update
      • Profile-driven storage view

Snapshot Management

  Create Snapshot
    Pure Storage
      • Snapshot Management
        • Create Snapshot

  Copy Snapshot
    Datastore
      • Configure datastore
      • Low level file operations
      • Rename datastore
    Host
      • Configuration
        • Storage partition configuration
    Pure Storage
      • Administration
        • Display Array
      • Snapshot Management
        • Copy Snapshot
      • Volume Management
        • Create VMFS Datastore
        • Mount Datastore

  Restore Snapshot
    Pure Storage
      • Snapshot Management
        • Restore Snapshot

  Delete Snapshot
    Pure Storage
      • Snapshot Management
        • Delete Snapshot

VMFS Management

  Create VMFS Datastore
    Host
      • Configuration
        • Storage partition configuration
    Pure Storage
      • Administration
        • Display Array
      • Volume Management
        • Create VMFS Datastore
        • Mount Datastore

  Edit VMFS Datastore
    Host
      • Configuration
        • Storage partition configuration
    Pure Storage
      • Administration
        • Display Array
      • Volume Management
        • Edit Datastore

  Run and Schedule Space Reclamation
    Host
      • Configuration
        • Storage partition configuration
    Pure Storage
      • Administration
        • Display Array
      • Volume Management
        • Run Space Reclamation
        • Schedule Space Reclamation

  Destroy VMFS Datastore
    Host
      • Configuration
        • Storage partition configuration
    Pure Storage
      • Administration
        • Display Array
      • Volume Management
        • Delete Datastore
        • Unmount Datastore

vVols Management

  Register Storage Provider
    Host
      • Configuration
        • Storage partition configuration
    Pure Storage
      • Administration
        • Display Array
      • Virtual Volume Management
        • Create vVol Datastore
    Storage views
      • Configure service
      • View

  Create vVols Datastore
    Host
      • Configuration
        • Storage partition configuration
    Pure Storage
      • Administration
        • Display Array
      • Virtual Volume Management
        • Create vVol Datastore
    Storage views
      • Configure service
      • View

  Unmount vVols Datastore
    Host
      • Configuration
        • Storage partition configuration
    Pure Storage
      • Administration
        • Display Array
      • Volume Management
        • Unmount Datastore
    Storage views
      • Configure service
      • View

  Create Virtual Disk
    Datastore
      • Allocate space
    Host
      • Local operations
        • Reconfigure virtual machine
    Pure Storage
      • Administration
        • Display Array
      • Virtual Volume Management
        • Create Virtual Disk
    Virtual machine
      • Change Configuration
        • Add new disk

  Create a Virtual Volume ???

  Replace (Overwrite?) a Virtual Volume
    Pure Storage
      • Virtual Volume Management
        • Replace a Virtual Volume

  Restore Deleted Virtual Volume
    Datastore
      • Browse datastore
      • Configure datastore
      • Low level file operations
    Host
      • Local operations
        • Reconfigure virtual machine
    Pure Storage
      • Administration
        • Display Array
      • Virtual Volume Management
        • Restore Deleted Virtual Volume
    Virtual machine
      • Change Configuration
        • Add existing disk
        • Change Settings

  Snapshot Virtual Volume
    Pure Storage
      • Virtual Volume Management
        • Snapshot Virtual Volume

  Undelete vVols VM
    (this list can likely be trimmed)
    Datastore
      • Allocate space
      • Browse datastore
      • Configure datastore
      • Low level file operations
    Host
      • Local operations
        • Create virtual machine
        • Reconfigure virtual machine
    Pure Storage
      • Virtual Volume Management
        • Undelete vVols VM
    Resource
      • Assign virtual machine to resource pool
    Profile-driven storage
      • Profile-driven storage update
      • Profile-driven storage view
    Virtual machine
      • Change Configuration
        • Add existing disk
        • Advanced configuration
        • Change Settings
        • Modify device settings
        • Toggle disk change tracking
      • Edit Inventory
        • Create from existing
        • Create new
        • Register
      • Interaction
        • Connect devices
      • Provisioning
        • Allow disk access
        • Mark as virtual machine
      • Snapshot management
        • Create snapshot
        • Remove snapshot
        • Revert to snapshot

  Remove hard disk
    Host
      • Local operations
        • Reconfigure virtual machine
    Virtual machine
      • Change Configuration
        • Remove disk
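Once roles built from this matrix are in use, the question a vSphere administrator will be asked is who actually holds Pure Storage rights, where, and whether any role has grown beyond the minimum for the job it was created for. The block below is an added PowerCLI example, not code from this KB or from the plugin, that answers those questions. It assumes PowerCLI is loaded and Connect-VIServer has run, that the plugin's privileges sit under a privilege group with the display name "Pure Storage", and that the role name passed to the drift check is a placeholder; the "high-impact" list is simply the privilege display names from the matrix that remove, delete or reassign access.

```powershell
# Added example (not from the Pure Storage KB): audit which principals hold
# Pure Storage plugin privileges, flag high-impact ones, and compare one role
# against the matrix minimum for "Create VMFS Datastore".
# Assumptions: PowerCLI is loaded and Connect-VIServer has run; the plugin's
# privileges sit under a privilege group named "Pure Storage";
# 'PureStorage-VMFS-Creator' is a placeholder role name.
$ErrorActionPreference = 'Stop'

$pureGroup = Get-VIPrivilege -Group | Where-Object { $_.Name -eq 'Pure Storage' }
if (-not $pureGroup) { throw 'Pure Storage privilege group not found' }
$pureIds = @((Get-VIPrivilege -PrivilegeGroup $pureGroup -Recurse -PrivilegeItem).Id)

# Display names from the matrix that delete, remove or reassign access.
$highImpact = @('Edit Array', 'Remove Array', 'Modify Roles',
                'Delete Datastore', 'Unmount Datastore', 'Delete Snapshot')

# One row per (role, permission) for every role that carries any Pure Storage
# privilege, including who holds it, on which object, and whether it propagates.
function Get-PureStoragePermissionReport {
    $rows = foreach ($role in Get-VIRole) {
        $privs = @(Get-VIPrivilege -Role $role)
        $pure  = @($privs | Where-Object { $_.Id -in $pureIds })
        if ($pure.Count -eq 0) { continue }          # role does not touch Pure Storage
        $flagged = @($pure.Name | Where-Object { $_ -in $highImpact })
        $perms = @(Get-VIPermission -Role $role)
        if ($perms.Count -eq 0) {
            # A role nobody holds is still worth listing: it is latent privilege.
            [pscustomobject]@{ Role = $role.Name; Principal = '(unassigned)'; Entity = ''
                               Propagate = $false; PurePrivileges = $pure.Count
                               HighImpact = ($flagged -join ', ') }
            continue
        }
        foreach ($perm in $perms) {
            [pscustomobject]@{ Role = $role.Name; Principal = $perm.Principal
                               Entity = $perm.Entity.Name; Propagate = $perm.Propagate
                               PurePrivileges = $pure.Count
                               HighImpact = ($flagged -join ', ') }
        }
    }
    return $rows
}

# Compare a role's privileges with a matrix minimum and report both directions:
# Missing means the role cannot do the job; Extra means it can do more than it should.
function Get-RolePrivilegeDrift {
    param([string]$RoleName, [string[]]$MinimumNames)
    $have = @((Get-VIPrivilege -Role (Get-VIRole -Name $RoleName)).Name)
    [pscustomobject]@{
        Role    = $RoleName
        Missing = (@($MinimumNames | Where-Object { $_ -notin $have }) -join ', ')
        Extra   = (@($have | Where-Object { $_ -notin $MinimumNames }) -join ', ')
    }
}

# Matrix row "Create VMFS Datastore", expressed as privilege display names.
$vmfsCreateMinimum = @('Storage partition configuration', 'Display Array',
                       'Create VMFS Datastore', 'Mount Datastore')

Get-PureStoragePermissionReport |
    Sort-Object HighImpact -Descending |
    Format-Table Role, Principal, Entity, Propagate, PurePrivileges, HighImpact -AutoSize

Get-RolePrivilegeDrift -RoleName 'PureStorage-VMFS-Creator' -MinimumNames $vmfsCreateMinimum |
    Format-List
```

The report deliberately lists roles that carry Pure Storage privileges but are assigned nowhere, since a forgotten role is the easiest thing to hand out by mistake later, and the drift check is two-sided because a role that is missing a privilege from the matrix will fail in the plugin just as surely as one with too many will over-grant. Running both after each change to a Pure Storage role or permission gives a record that can be compared against the matrix above.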