
A few terms

Privilege: An action that can be performed
Object: The target of the action
User or Group: Indication of who can perform the action
Role: A set of privileges
Permission: Gives one user or group a role (a set of privileges) on the selected object

Almost every object you see in vCenter (VC) has a Permissions tab.

Managing roles

Click Menu > Access Control > Roles to:
View the list of existing roles
View where each role is used
View the privileges a role contains
Add roles, delete roles, and change the privileges a role contains

The built-in roles (Administrator, Read-Only, No Access) cannot be modified. All other roles can be modified, but doing so is not recommended;
clone an existing role and modify the clone instead.

Assigning permissions

Click the object > Permissions tab > Add button, then enter the following:
Domain:
User/Group:
Role:
Tick whether the permission should be inherited by child objects (Propagate to children)

Example scenarios for the permission rules

Scenario 1

A permission can propagate down the object hierarchy to all subobjects, or it can apply only to an immediate object. (Rule: a permission set on the child object takes precedence over one propagated from its parent.)

On the datacenter, assign Greg Read-Only (Propagate to children)
On VM A under that datacenter, assign Greg Administrator

Q: What is Greg's role on VM A and on VM B?
VM A: Administrator
VM B: Read-Only

Scenario 2

When a user is a member of multiple groups with permissions on the same object, the user is assigned the union of privileges assigned to the groups for that object. (Rule: roles accumulate.)

Permissions assigned to groups on the datacenter:
Group1: VM_Power_On (Propagate to children)
Group2: Take_Snapshot (Propagate to children)

Members of Group1: Greg, Susan
Members of Group2: Greg, Carla

Q: What is Greg's role on the datacenter and the objects under it?
The union of the two roles' privileges

There is a special case here. Suppose the permissions assigned to the groups on the datacenter are:
Group1: Administrator (Propagate to children)
Group2: No Access (Propagate to children)

Q: What is Greg's role on the datacenter and the objects under it?
Greg has Administrator privileges.

Scenario 3

A user can be a member of multiple groups with permissions on different objects. In this case, the same permissions apply for each object on which the group has permissions, as though the permissions were granted directly to the user.

On the datacenter, assign Group1 Administrator (Propagate to children)
On VM A under that datacenter, assign Group2 Read-Only

Members of Group1: Greg, Susan
Members of Group2: Greg, Carla

Q: What permissions does Greg have on VM A?
Read-Only, similar to scenario 1 (the permission set on the child object takes precedence)

Scenario 4 (Rule: an explicit user permission takes precedence over group permissions)

A user (or group) is given only one role for any given object.
Permissions defined explicitly for the user on an object take precedence over all group permissions on that same object.

Permissions assigned on the datacenter:
Group1: VM_Power_On (Propagate to children)
Group2: Take_Snapshot (Propagate to children)
Greg: No Access (Propagate to children)

Members of Group1: Greg, Susan
Members of Group2: Greg, Carla

Q: What permissions does Greg have on the datacenter and its child objects?
No Access
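The four scenarios above all fall out of three rules: the nearest object on the path from the target up to the root that carries an applicable permission decides; on that object an explicit user permission wins outright; otherwise the privileges of all matching group permissions are unioned (No Access contributes nothing). The following model is an added example, not code from the original post or from VMware; the privilege names inside the roles are illustrative, not the exact vSphere privilege IDs.

```python
"""Model of vSphere permission resolution: child-object override, group-privilege
union and explicit-user precedence, using the roles and scenarios from this page."""

# Roles map to privilege sets (illustrative privilege names); No Access is empty.
ROLES = {
    "Administrator": {"VirtualMachine.PowerOn", "VirtualMachine.Snapshot", "Folder.Create"},
    "Read-Only": {"System.View"},
    "VM_Power_On": {"VirtualMachine.PowerOn"},
    "Take_Snapshot": {"VirtualMachine.Snapshot"},
    "No Access": set(),
}


class Inventory:
    def __init__(self):
        self.parent = {}       # object -> parent object (None for the root)
        self.groups = {}       # group name -> set of member users
        self.permissions = []  # (object, principal, role, propagate)

    def add_object(self, name, parent=None):
        self.parent[name] = parent

    def add_group(self, name, *members):
        self.groups[name] = set(members)

    def grant(self, obj, principal, role, propagate=False):
        self.permissions.append((obj, principal, role, propagate))

    def effective_privileges(self, user, obj):
        """Privileges `user` holds on `obj`: walk towards the root and let the
        nearest object with an applicable permission decide (child overrides
        parent); an explicit user permission wins, else group roles are unioned."""
        principals = {user} | {g for g, m in self.groups.items() if user in m}
        node, is_target = obj, True
        while node is not None:
            # Permissions on the target itself always apply; ancestors' only if propagated.
            hits = [(p, r) for o, p, r, prop in self.permissions
                    if o == node and p in principals and (is_target or prop)]
            if hits:
                user_roles = [r for p, r in hits if p == user]
                if user_roles:
                    return set(ROLES[user_roles[0]])  # explicit user permission
                return set().union(*(ROLES[r] for _, r in hits))  # group union
            node, is_target = self.parent[node], False
        return set()  # no permission anywhere on the path: no access
```

Granting Group1 Administrator and Group2 No Access on the datacenter yields the Administrator privilege set for Greg, because the empty No Access set adds nothing to the union, exactly as in the special case of scenario 2.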

-- By 许望 (RHCA, OCM, VCP)
Last modified: 25 October 2022, 10:12 AM