Elevating VMware Engine privileges

Google Cloud VMware Engine privileges give vCenter users the privileges they need to perform normal operations. Some administrative functions require additional privileges in the private cloud vCenter. To perform such tasks, you can elevate privileges of a vCenter user for a limited elevation time interval.

Reasons for elevating privileges can include the following:

  • Configuration of identity sources
  • User management
  • Deletion of distributed port group
  • Installing vCenter solutions (such as backup apps)
  • Creating service accounts

How privilege elevation works

You can elevate a remote user's privilege only if an additional identity provider is configured on vCenter. Elevation of privileges involves adding the selected user to the vSphere built-in Administrators group.

Users from additional identity sources who need administrative access must be added as members of the CloudOwner group. To grant fewer privileges than the CloudOwner group has, create additional groups and assign users to those groups.

Elevate privileges

  1. Access the VMware Engine portal.
  2. Open the Resources page.
  3. Select the private cloud for which you want to elevate privileges.
  4. On the Summary page, under Change vSphere privileges, click Elevate.
  5. Select the vSphere user type. Only the CloudOwner@gve.local user can be elevated.
  6. Select the elevation time interval from the list. Choose the shortest time interval that lets you complete the task.
  7. Select the checkbox to confirm that you understand the risks.
  8. Click Confirm.

The privilege elevation begins and lasts until the end of the selected interval. During this time, you can sign in to your private cloud vCenter to do particular administrative tasks.

Extend privilege elevation

If you require additional time to complete your tasks, you can extend the privilege elevation time interval. Choose the additional elevation time interval that lets you complete the administrative tasks.

  1. On the Resources page, select the private cloud for which you want to extend privilege elevation.
  2. On the Summary tab, click Extend privilege elevation.
  3. Select an elevation time interval from the list. Review the new elevation end time.
  4. Click Save.

Restore privileges

Privileges are automatically restored when the elevation time interval ends. If you complete the administrative tasks before the elevation time interval ends, we recommend that you restore your privileges.

  1. On the Resources page, select the private cloud for which you want to restore privileges.
  2. Click Restore.
  3. Click OK.

Forbidden actions

During the elevation time interval, some actions are forbidden. When VMware Engine detects any of the following forbidden actions, VMware Engine reverts the changes to ensure that service remains uninterrupted.

Cluster actions

  • Removing a cluster from vCenter.
  • Changing vSphere High Availability (HA) on a cluster.
  • Adding a host to the cluster from vCenter.
  • Removing a host from the cluster from vCenter.

Host actions

  • Removing datastores on an ESXi host.
  • Uninstalling the vCenter agent from a host.
  • Modifying the host configuration.
  • Making any changes to the host profiles.
  • Placing a host in maintenance mode.

Network actions

  • Deleting the default distributed virtual switch (DVS) in a private cloud.
  • Removing a host from the default DVS.
  • Importing any DVS setting.
  • Reconfiguring any DVS setting.
  • Upgrading any DVS.
  • Deleting the management portgroup.
  • Editing the management portgroup.

Roles and permissions actions

  • Creating a global role.
  • Modifying or deleting permissions on any management objects.
  • Modifying or removing any default roles.
  • Increasing the privileges of a role beyond those of Cloud-Owner-Role.

Other actions

  • Removing any default licenses:
    • vCenter Server
    • ESXi nodes
    • NSX-T
    • HCX
  • Modifying or deleting the management resource pool.
  • Cloning management VMs.
