Restrict access to VSC

I am looking for a way to restrict access to VSC from the VCenter client. Currently anyone who has access to Vcenter can simply go to Home in Vcenter and click the Netapp icon, thus allowing them to have full rein on the Netapp integration portion. Obviously I don't want this.

Is there a way to block this? I haven't had any luck searching the forums. I did find one post on VMware forums regarding IPSec blocking, but I would rather not get into that. There has to be a cleaner option.

Thanks in advance!

Re: Restrict access to VSC

The KB here https://kb.netapp.com/support/index?page=content&id=1013627 should help you. You'll need a NetApp NOW/Support site login to view this.

Re: Restrict access to VSC

Thank you for your reply. The KB you mention is one that I have followed. It provides guidelines on how to allow VSC to only have access to the portions of VCenter it needs to carry out Netapp functions in VCenter. What it doesn't explain is how to restrict access to the Netapp portion itself.

Currently I have a user who has read-only permissions in Vcenter, they can't do anything other than view. However they have full-control in VSC to do anything they want. I'm not trying to figure out how to limit VSC from having access to VCenter, I'm trying to figure out how to limit Vcenter users from accessing VSC.

Re: Restrict access to VSC

I understand that you want the VSC plugin to disappear for some users. While I am not aware of a solution for that, my personal opinion is that it may be something that is not in NetApp's control. VMware should have more control over what gets visible in the VI client.

Re: Restrict access to VSC

A fair statement, however... Netapp writes its plug-ins to work with VCenter, it's a value-added product. You can't stick this Netapp plug-in into Vmware's product, then turn around and put the onus on VMware to lock it down. Netapp is adding this function, therefore Netapp should put a solution in place to lock it down. As far as Vmware is concerned, most of their customers may never need to do this, so why would they put forth an effort to fix it? You could speak globally of all vendors' plug-ins, but again I'm sure the vendors are doing something to lock down their own product.

Then there's also the fact that if I posted this question on Vmware, I would get the same response you are giving me, "it's the other guy's problem". In fact, here is an example. This guy tried Vmware, I'm trying Netapp. Both of us will get nowhere.

http://communities.vmware.com/thread/310293

Consider this...I use VMware Update Manager. The only systems I can use this feature on are systems where I have specifically installed the plug-in. At the very least I can prevent access by not exposing the plug-in installer. I can't even do this with VSC. Any computer I install the VI Client on has the Netapp Plug-in right there and anyone can access, I literally have no control over who gets the plug-in. I would say that's a Netapp issue in the way the plug-in is installed. If my team couldn't see the plug-in, that would be a very large step toward achieving what I want.

We could go back and forth all day on this, however I feel Netapp should be the ones to deal with it.

If you aren't aware of a solution, then I will open a case and if I get a solution, I will post it here.

Thank you for making an effort.

Re: Restrict access to VSC

VSC is a server-side plugin, whereas VUM is client-side, which requires VUM to be installed on every client. Both deployment models have their pros and cons. You could disable a plugin in the VI client but that may not be enough for what you are looking at. A support case will help justify filing of an RFE. I hope VMware could introduce security roles capable of preventing exposure of the plugins to users (not sure if they already have them).

Thanks..

Re: Restrict access to VSC

I've just come to realize that there are VSC roles I can create related to Provisioning and Cloning, however the Backup and Recovery tab is wide-open. So it would appear that Netapp has actually taken a step to lock this down, but the Backup jobs are still wide open for anyone to access. Even someone who has read-only.

Do you know if any improvements have been made in VSC 4 that might improve this? I plan on upgrading, but if these issues are solved I will fast track it.

Thank you

Re: Restrict access to VSC

We are running into the exact same problem. We have certain administrators we only want to be able to access some VMs but they are NOT allowed to be able to modify the backups. With the netapp tab installed they can edit all the backup schedules, cancel jobs and start a task. Does anyone know of a way to limit this yet?

During testing of this we only allowed the user to have interaction with console and they still have free rein on the netapp tab.

We are also running VSC 4

Re: Restrict access to VSC

I too would like to know if there is any way to restrict access to the VSC console.  It seems dangerous to leave the Backup and Recovery portion of the console wide open to any user who has access to vCenter through the vSphere Console.

Thanks.

Re: Restrict access to VSC

I recently upgraded to VSC v 4.1 from 2.1.2 and we're using vSphere v5.0.0 and it appears NetApp has at least added a privilege section within the vSphere Roles called 'NetApp Virtual Storage Console' with a checkbox to lock down their new 'Optimization and Migration' features unlocked in v4.1, but even if you don't select that as a permission level for a read-only type role, the users in that vSphere role can still access the VSC plug-in with essentially administrator privileges as the thread states from everyone above.  Why they didn't include a checkbox for access to the plug-in altogether I have no idea, maybe it's in their next release of VSC...  I'm actively searching for a resolution to this issue as it's directly affecting our Org as well, if I find anything I'll post it...