Elevating VMware Engine privileges

Google Cloud VMware Engine privileges give vCenter users the privileges they need to perform normal operations. Some administrative functions require additional privileges in the private cloud vCenter. To perform such tasks, you can elevate privileges of a vCenter user for a limited elevation time interval.

Reasons for elevating privileges can include the following:

  • Configuring identity sources
  • Managing users
  • Deleting a distributed port group
  • Creating service accounts

How privilege elevation works

You can elevate a remote user's privilege only if an additional identity provider is configured on vCenter. Elevation of privileges involves adding the selected user to the vSphere built-in Administrators group.

Users from additional identity sources who need administrative access must be added as members of the CloudOwner group. To grant fewer privileges than the CloudOwner group carries, create additional groups and assign users to those groups.

Elevate privileges

  1. Access the VMware Engine portal.
  2. Open the Resources page.
  3. Select the private cloud for which you want to elevate privileges.
  4. On the Summary page, under Change vSphere privileges, click Elevate.
  5. Select the vSphere user type. To use a configured identity source like Active Directory, choose Remote identity and enter the user and domain in the user principal name (UPN) format (for instance, user@domain).
  6. Select the elevation time interval from the list. Choose the shortest time interval that lets you complete the task.
  7. Select the checkbox to confirm that you understand the risks.
  8. Click Confirm.

The privilege elevation begins and lasts until the end of the selected interval. During this time, you can sign in to your private cloud vCenter to do particular administrative tasks.

Extend privilege elevation

If you require additional time to complete your tasks, you can extend the privilege elevation time interval. Choose the additional elevation time interval that lets you complete the administrative tasks.

  1. On the Resources page, select the private cloud for which you want to extend privilege elevation.
  2. On the Summary tab, click Extend privilege elevation.
  3. Select an elevation time interval from the list. Review the new elevation end time.
  4. Click Save.

Restore privileges

Privileges are automatically restored when the elevation time interval ends. If you complete the administrative tasks before the elevation time interval ends, we recommend that you restore your privileges.

  1. On the Resources page, select the private cloud for which you want to restore privileges.
  2. Click Restore.
  3. Click OK.

Forbidden actions

When VMware Engine detects any of the following forbidden actions, VMware Engine reverts the changes to ensure that service remains uninterrupted.

Cluster actions

The following cluster actions are forbidden:

  • Removing a cluster from vCenter.
  • Changing vSphere High Availability (HA) on a cluster.
  • Adding a host to the cluster from vCenter.
  • Removing a host from the cluster from vCenter.
  • Changing vSphere Distributed Resource Scheduler (DRS) on a cluster.
  • Renaming the cluster.

Host actions

The following host actions are forbidden:

  • Removing datastores on an ESXi host.
  • Uninstalling the vCenter agent from a host.
  • Modifying the host configuration.
  • Making any changes to the host profiles.
  • Placing a host in maintenance mode.

Network actions

The following network actions are forbidden in vCenter Server:

  • Deleting the default distributed virtual switch (DVS) in a private cloud.
  • Removing a host from the default DVS.
  • Importing any DVS setting.
  • Reconfiguring any DVS setting.
  • Upgrading any DVS.
  • Deleting the management portgroup.
  • Editing the management portgroup.

The following network actions are forbidden in NSX-T Manager:

  • Adding a new NSX-T Edge node.
  • Changing an existing NSX-T Edge node.

Roles and permissions actions

The following roles and permissions actions are forbidden:

  • Modifying or deleting permissions on any management objects.
  • Modifying or removing any default roles.
  • Increasing the privileges of a role beyond those of Cloud-Owner-Role.

Other actions

The following actions are additionally forbidden:

  • Removing any default licenses:
    • vCenter Server
    • ESXi nodes
    • NSX-T
    • HCX
  • Modifying or deleting the management resource pool.
  • Cloning management VMs.
  • Assigning a management network to a workload VM.
  • Using an IP address in the management network IP address range for a workload VM.
  • Renaming the datacenter.
  • Configuring syslog forwarding using the vCenter Server Appliance Management Interface (VAMI).
  • Joining your private cloud vCenter to an Active Directory domain.
  • Resetting vCenter or NSX-T sign-in credentials using VMware tools or API calls. As a reminder, you can retrieve or reset generated credentials from the private cloud details page.
  • Changing statistics collection intervals or statistics levels in the vSphere Client.
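Because elevation adds a principal to the vSphere Administrators group for a bounded interval, and because the actions above are reverted rather than blocked, a defender's review of vCenter events has two questions: did anyone attempt a forbidden action, and did the elevated principal act outside its window (a sign the restore did not happen). The following audit helper, added here and not part of this page or of VMware Engine, answers both over constructed sample events; the vim.event type names and their mapping to the forbidden actions are my assumption, as is the rule that an extension adds its interval to the previous end time.

```python
from datetime import datetime, timedelta, timezone

# vSphere event type names mapped to the forbidden action they indicate.
# Assumption: this mapping is the example's own, not VMware Engine's detection logic.
FORBIDDEN_EVENTS = {
    "ClusterDestroyedEvent": "removing a cluster from vCenter",
    "HostRemovedEvent": "removing a host from the cluster",
    "EnteredMaintenanceModeEvent": "placing a host in maintenance mode",
    "DvsDestroyedEvent": "deleting the default DVS",
    "RoleRemovedEvent": "modifying or removing a default role",
    "PermissionRemovedEvent": "deleting permission on a management object",
    "LicenseRemovedEvent": "removing a default license",
}

def elevation_window(start, hours, extensions=()):
    """Return (start, end) for an elevation of `hours`; each value in `extensions`
    adds its interval to the end time (assumption about how extension behaves)."""
    end = start + timedelta(hours=hours)
    for extra in extensions:
        end += timedelta(hours=extra)
    return start, end

def audit(events, elevated_user, window):
    """Flag forbidden actions by anyone, and any action by the elevated principal
    outside its window, which suggests privileges were not restored."""
    start, end = window
    findings = []
    for ev in events:
        if ev["type"] in FORBIDDEN_EVENTS:
            findings.append((ev["time"], ev["user"], "forbidden: " + FORBIDDEN_EVENTS[ev["type"]]))
        if ev["user"] == elevated_user and not (start <= ev["time"] <= end):
            findings.append((ev["time"], ev["user"], "action outside elevation window"))
    return findings

# Constructed sample: a 1-hour elevation at 09:00 UTC, extended once by 1 hour.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_WINDOW = elevation_window(T0, 1, extensions=(1,))
SAMPLE_EVENTS = [  # constructed; deleting a port group is an allowed reason to elevate
    {"time": T0 + timedelta(minutes=10), "user": "admin@example.com", "type": "UserAssignedToGroup"},
    {"time": T0 + timedelta(minutes=50), "user": "admin@example.com", "type": "DVPortgroupDestroyedEvent"},
    {"time": T0 + timedelta(minutes=95), "user": "admin@example.com", "type": "EnteredMaintenanceModeEvent"},
    {"time": T0 + timedelta(hours=3), "user": "admin@example.com", "type": "VmPoweredOnEvent"},
]

def audit_sample():
    return audit(SAMPLE_EVENTS, "admin@example.com", SAMPLE_WINDOW)
```

Calling `audit_sample()` returns two findings: the maintenance-mode attempt at 10:35 and the power-on at 12:00, an hour after the extended window closed.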
