vSphere 7 Content Libraries Part-3: Permissions

In previous two posts, Part-1 and Part-2, we talked about reasons to use Content library, creating Local and subscribed libraries, and also deployment models for Content Libraries. In this post, we will discuss about Permission management and required access level to work with content libraries.

Content library Permissions

In continuation of our discussion from previous posts about duplication, data modification and secure access, this post will focus on permission management of content libraries in order to ensure controlled secure access to the libraries. By default, not every user who can login to vCenter server can access and manage the content libraries. We will need to explicitly grant permissions to the users for accessing or managing the content library.

In previous vSphere versions, While configuring permission in vCenter server, we have two types of permissions, Global permissions and vCenter Server permissions. vCenter Server Permissions are granted on vCenter Server or vCenter inventory and are applicable to Inventory objects of that vCenter server where permissions are granted. vCenter Server is a parent for inventory objects. As in image below, examples of inventory objects are Datacenter, Cluster and so on.

vCenter Server permissions are not applicable for objects whose parent is global root. And as in image below, for Content library that is the case, because content library is not the child of vCenter inventory. Hence, global permissions are required to manage Content library. Still not getting, don’t worry there is an example coming up next where I’ll test this in lab.

One more point here is that, permissions applied at global root level are applicable to entire tree which also includes vCenter and its inventory objects as global root object is also the global parent. So because of parent child relationship and inheritance, permissions will get propagated to child objects.

Now in vSphere 7, all component of PSC and vCenter are merged under vCenter role. Does that change the permission management for content library and other objects in vSphere 7?

Not at all, in vSphere 7, content library still has global root as parent and needs to be managed through global permission. Below is the detailed hierarchical digram of parent child relationship in vSphere 7.

Image: VMware

Let us understand with an example here in our lab. I’ll assign a normal AD user as full administrator of vCenter server inventory and also propagate rights to child object’s and see if I can manage the content library.

  • I created a normal user in Active Directory.
  • Later added this user with administrator role for entire vCenter inventory.

With that done, let’s login with this user and try to manage existing libraries and create new library.

After logging with mentioned user, I just navigated to Content libraries and its blank here. We don’t see any of the libraries we created in previous posts. Actually, If an user has Administrator role assigned on a vCenter Server level, then user has sufficient privileges to manage the existing libraries that belong to that vCenter Server instance, but user cannot see the libraries unless user has been granted with at least a read-only role as a global permission. So till then user cannot manage the existing libraries.

If I try to create new Content Library, it allows me to click Create and walkthrough the wizard but at the end, it fails with error message as ‘Unautorized’. Basically we cannot create new libraries but can manage existing ones if assigned with read only role global permission.

So how do I enable this user to manage and create a content library?

In order to allow users to work with content library and create them, we need to assign content library administrator permission to user from global permission. Navigate to administration page, and add the user to global permissions as shown in below screenshot.

For demo purpose I have used content library administrator (sample) role, in production environment it is recommended not to use any sample roles directly as they can be used as templates for future custom role creations. Instead, copy the sample role and create custom role and then assign it to the user.

After assigning the global permissions to the user, we can verify the permissions by logging in with the user in question and if you notice, I can see my libraries now. In fact, I granted this user with content library administrator role as global permission not just read only, so this user can create a library as well.

Content Library Administrator Role

If a user has content library administrator role, user can perform the tasks such as. 

  • Create, edit, and delete local or subscribed libraries. 
  • Create and delete subscriptions to a local library with publishing enabled. 
  • Publish a library or a library item to a subscription. 
  • Synchronize a subscribed library and synchronize items in a subscribed library. 
  • View the item types supported by the library. 
  • Configure the global settings for the library. 
  • Import items to a library. 
  • Export library items.

I’ll end this post here to keep this topic only about permissions. In next post Part-4, we will discuss the topic of content library replication.

3 thoughts on “vSphere 7 Content Libraries Part-3: Permissions

  1. I have managed to deploy the content library and my admin users can manage the content library by uploadind items, create new content libraries, etc, etc. The problem I’m facing is that those users cannot create a new VM using a template from the content library.

    1. Make sure that when you upload a template in library, it is added as vm template and not as OVF. Also, users need to have access to library in order to deploy a VM from template in a library.

Leave a Reply