Configure plugin access permissions
You can configure access permissions for the Storage Plugin for vCenter, which includes users, roles, and privileges.
Review required vSphere privileges
To access the plugin within the vSphere Client, you must be assigned to a role that has the appropriate vSphere privileges. Users with the “Configure datastore” vSphere privilege have read-write access to the plugin, while users with the “Browse datastore” privilege have read-only access. If a user has neither of these privileges, the plugin displays an “Insufficient Privileges” message.
Plugin access type | vSphere privilege required |
---|---|
Read-Write (Configure) |
Datastore.Configure |
Read-Only (View) |
Datastore.Browse |
Configure Storage Administrator roles
To provide read/write privileges for plugin users, you can create, clone, or edit a role. For more information about configuring roles in the vSphere Client, see the following topic in the VMware Doc Center:
Access role actions
-
From the home page of the vSphere Client, select Administrator from the access control area.
-
Click Roles from the access control area.
-
Perform one of the following actions:
-
Create new role: Click on the Create Role action icon.
-
Clone role: Select an existing role and click on the Clone Role action icon.
-
Edit existing role: Select an existing role and click on the Edit Role action icon.
-
The Administrator role is not editable. |
The appropriate wizard appears, depending on the above selection.
Create a new role
-
In the Privileges list, select the access permissions to assign to this role.
To allow Read-Only access to the plugin, select
. To allow Read-Write access, select . -
Assign other privileges for the list if needed, and then click Next.
-
Name the role and provide a description.
-
Click Finish.
Clone a role
-
Name the role and provide a description.
-
Click OK to finish the wizard.
-
Select the cloned role from the list, and then click on Edit Role.
-
In the Privileges list, select the access permissions to assign to this role.
To allow Read-Only access to the plugin, select
. To allow Read-Write access, select . -
Click Next.
-
Update the name and description, if desired.
-
Click Finish.
Edit an existing role
-
In the Privileges list, select the access permissions to assign to this role.
To allow Read-Only access to the plugin, select
. To allow Read-Write access, select . -
Click Next.
-
Update the name or description, if desired.
-
Click Finish.
Set permissions for vCenter Server Appliance
After setting privileges for a role, you must then add a permission to the vCenter Server Appliance. This permission allows a given user or group access to the plugin.
-
From the menu dropdown list, select Hosts and Clusters.
-
Select the vCenter Server Appliance from the access control area.
-
Click the Permissions tab.
-
Click the Add Permission action icon.
-
Select the appropriate domain and user/group.
-
Select the role created that allows for the read/write plugin privilege.
-
Enable the Propagate to Children option, if needed.
-
Click OK.
You can select an existing permission and modify it to use the created role. However, be aware that the role must have the same privileges along with read/write plugin privileges as to avoid a regress in permissions. |
To access the plugin, you must log in to the vSphere Client under the user account that has the read/write privileges for the plugin.
For more information about managing permissions, see the following topics in the VMware Doc Center: