Data Center Virtualization Certification: VCP6.5-DCV Exam Guide

Objective 1.1 – Configure and administer role-based access control

Role-based access control (RBAC) is a common approach to managing authorizations and permissions, based on specific roles assigned to specific users or groups.

In VMware vSphere, roles are just sets of privileges used to authorize users (or groups) for specific vSphere inventory objects.

VMware vSphere provides the following four categories of permissions, from the most general to the most specific:

  • Group membership in the SSO domain: Some users of the vCenter Single Sign-On (SSO) domain, such as the default administrator, have specific, implicit permissions. For more information, refer to Objective 1.3.
  • Global permissions: These permissions are applied to a global root object, and can propagate to all objects. Also, they can span across different VMware products (for example, vSphere and vRealize Orchestrator).
  • vCenter permissions: This is the main model used by vSphere Server to assign granular permissions to objects in different inventories.
  • ESXi local permissions: Each ESXi host has local permissions, local rules, and local users. For hosts managed by vCenter, vCenter permissions are usually used, but local permissions still exist, and they are the only permission model for standalone ESXi hosts.

This chapter will mainly focus on vCenter and global permissions, as required by the exam questions. Objective 1.3 will provide more information about SSO-related concepts. ESXi local permissions are not covered in detail, but the RBAC model is quite similar to the one used by the vCenter permissions.

Objective 1.1 for VCP65-DCV and VCP6-DCV is the same, because there weren't any major changes in role-based access control from vSphere 6.0 to vSphere 6.5.

The official vSphere 6.5 Security Guide contains detailed information about authentication, authorization, and different permission configurations, and can be accessed at https://docs.vmware.com/en/VMware-vSphere/6.5/vsphere-esxi-vcenter-server-652-security-guide.pdf.