OIT VMware Access Information

Owned by Kazuto Okayasu
Last updated: Jul 25, 2023
5 min read

OIT's VMWare vShere service utilizes the campus' centralized authorization (KSAMS) and authentication systems (UCINetID/LDAP) for access. OIT DCI does not provision this access and is intended to be a self-service process.

KSAMS action items

KSAMS roles are used to provide authorization or permissions within vCenter.  vCenter permissions are granted to members of LDAP groups that are automatically populated from KSAMS roles. Even an individual who needs vCenter permissions on a single VM needs to have a KSAMS role to get those permissions. KSAMS roles usually come in pairs; one role is used for the permissions, and another to approve memberships to the permission role. Figure A shows the list of these Roles as they appear in KSAMS.

  • Via KSAMS ZotPortal App, request the Approver role for those who will approve the "Admin" role to those needing vCenter access to VMs.  Generally, a manager and director would have Approver roles.  OIT recommends having 2 or more Approvers. Approvers do NOT gain access to VMs.
  • After the Approver role is set up, direct everyone requiring vCenter access to VMs to the KSAMS ZotPortal App to request the "Admin" role.
    • NOTE: Requests for "Admin" roles submitted before the corresponding group's "Approver" request is completed will result in KSAMS ERRORS so please make sure at least one Approver is set up before adding Admins.
  • For simplicity and expediency, all users will initially be assigned permissions per Figure B for their designated group of VMs. We welcome input for other permission levels, as well as different user groupings going forward.

KSAMS example:

  • OIT's Data Center Infrastructure team uses the "vCenter - OIT vSphere Admins" and "vCenter - OIT vSphere Admins Approvers" roles.
  • Using the KSAMS ZotPortal App, a request was made to add Ken Cooper and Brian Buckler to the "vCenter - OIT vSphere Admins Approvers" role.
  • Each team member requested the "vCenter - OIT vSphere Admins" role.
  • Ken approved each request using the app.
  • vCenter access was granted.

DUO action items

Make sure all users requiring vCenter VM access have a DUO token set up through the DUO Enrollment App

vCenter Login Procedure

Can be found at New OIT VMware vCenter Login Procedure

Fig. A: KSAMS Roles

KSAMS Role NameKSAMS Approver Role NameIdentified Contact
vCenter - Arts AdminsvCenter - Arts Admins ApproversJason Valdry / Adalid Aguilar
vCenter - Bio Sci AdminsvCenter - Bio Sci Admins ApproversEric Sanchez / Matthew Martinez
vCenter - CALIT2 AdminsvCenter - CALIT2 Admins Approvers(Nobody)
vCenter - Education AdminsvCenter - Education Admins ApproversHyuk Kang
vCenter - Engineering AdminsvCenter - Engineering Admins ApproversJohn Romine / Dan Melzer
vCenter - Humanities AdminsvCenter - Humanities Admins Approvers(Nobody)
vCenter - Informatics AdminsvCenter - Informatics Admins Approvers(Nobody)

vCenter - Integrated Nanosystem Research Facility Admins

vCenter - Integrated Nanosystem Research Facility Admins ApproversPaul Bautista / Marc Palazzo
vCenter - Law School AdminsvCenter - Law School Admins ApproversPatty Furukawa / Joe Macavinta
vCenter - Library AdminsvCenter - Library Admins Approvers(Nobody)
vCenter - OIT Academic Affairs AdminsvCenter - OIT Academic Affairs Admins ApproversMax Garrick / Albert Chi
vCenter - OIT Athletics IT AdminsvCenter - OIT Athletics IT Admins ApproversTri Tran
vCenter - OIT AWT AdminsvCenter - OIT AWT Admins Approvers(Nobody)
vCenter - OIT Business Intelligence AdminsvCenter - OIT Business Intelligence Admins ApproversLarry Coon / Valerie Jones
vCenter - OIT Database AdminsvCenter - OIT Database Admins ApproversDeanna McMurray / Marina Arseniev
vCenter - OIT eDocs AdminsvCenter - OIT eDocs Admins ApproversLinh Nguyen / Robert Gallegos
vCenter - OIT EUS AdminsvCenter - OIT EUS Admins ApproversKyle Kurr /David Severance
vCenter - OIT Financial Svc AdminsvCenter - OIT Financial Svc Admins ApproversJames Hsu
vCenter - OIT Graduate Division Admins  vCenter - OIT Graduate Division Admins ApproversJames Tang

vCenter - OIT IAM Admins ApproversJosh Drummond / Warren Leung / Dana Watanabe
vCenter - OIT ILCS AdminsvCenter - OIT ILCS Admins ApproversDerrek Gabagat
vCenter - OIT MAI AdminsvCenter - OIT MAI Admins ApproversJason Lin /  Brian Craft
vCenter - OIT Network Engineer AdminsvCenter - OIT Network Engineer Admins ApproversAlbert Gonzalez / Bjorn Juslin
vCenter - OIT Office of Research Admins vCenter - OIT Office of Research Admins ApproversNoah Margolis / Eric Taggart
vCenter - OIT Parking and Distribution AdminsvCenter - OIT Parking and Distribution Admins ApproversClint Maruki / Matthew Lorenzo
vCenter - OIT Production and Operations Management AdminsvCenter - OIT Production and Operations Management Admins ApproversMichael Story
vCenter - QA AdminsvCenter - QA Admins ApproversMichael Story / Jason Lin / Thomas Bindewald
vCenter - OIT Security AdminsvCenter - OIT Security Admins ApproversJosh Drummond / Paul Kang
vCenter - OIT Specialized Desktop Support AdminsvCenter - OIT Specialized Desktop Support Admins ApproversSarkis Daglian / Jeremy Paje
vCenter - OIT Standard Desktop Support AdminsvCenter - OIT Standard Desktop Support Admins ApproversJeremy Paje
vCenter - OIT vSphere AdminsvCenter - OIT vSphere Admins ApproversKen Cooper / Henry Jenkins
vCenter - OIT WSG AdminsvCenter - OIT WSG Admins ApproversHeindrick Yu
vCenter - Social Ecology AdminsvCenter - Social Ecology Admins ApproversJennifer Lane
vCenter - Social Science AdminsvCenter - Social Science Admins ApproversJonathan Nilsson / Andrew Hill / Dominic Fiorello
vCenter - Strategic Comm AdminsvCenter - Strategic Comm Admins ApproversJim Kreuziger / Todd McGill

vCenter - VCSA Admins

vCenter - VCSA Admins Approvers

Wayne Fields / Steven Tajiri

vCenter - Applied Innovation AdminsvCenter - Applied Innovation Admins ApproversMarek Mandau
vCenter - OIT Facilities Mgmt AdminsvCenter - OIT Facilities Mgmt Admins ApproversJyoti Razdan
vCenter - WHCS AdminsvCenter - WHCS Admins ApproversJerome Reuter / Herbert Chan
vCenter - Read Only UsersvCenter - OIT vSphere AdminsDCI Team
vCenter - OIT OVPTL AdminsvCenter - OIT OVPTL Admins ApproversBrian Lance / Jeremy Thacker
vCenter - Physiology AdminsvCenter - Physiology Admins ApproversRie Nakajima / Aarti Jain/ Gildas Cadin
vCenter - OIT Research Cyberinfrastructure Center AdminsvCenter - OIT Research Cyberinfrastructure Center AproversPhil Papadopoulos


Fig. B: VM Permissions

Initially, all assigned users will have the set of permissions listed below:

    • Cryptographic Operations
      • Direct Access (allows console access to vTPM enabled VMs)
      • Encrypt (allows console power on/off vTPM enabled VMs)
      • Encrypt new (allows console power on/off vTPM enabled VMs)
      • Register VM (allows console power on/off vTPM enabled VMs)
    • Virtual Machine
      • Configuration
        • Modify Device Settings
        • Settings
        • Upgrade virtual machine compatibility
      • Interaction
        • Answer Questions
        • Configure CD Media
        • Console Interaction
        • Device Connection (NICs and removable media)
        • Power On
        • Power Off
        • Reset
        • VMware Tools Install
      • Snapshot Management
        • Create Snapshot
        • Remove Snapshot
        • Rename Snapshot
        • Revert Snapshot
    • Folder (This will only work on the sub-folders of where the role is assigned.)
      • Create
      • Delete
      • Rename
      • Move
    • Datastore (This is only to facilitate mounting ISO images from the shared ISO repository)
      • Browse datastore
      • Low level file operation

Fig. C: VM Tag data

PaaS Owner (Platform as a Service Owner)

UCInetID of user or group responsible for OS tasks. This UCInetID will be contacted for low-level changes such as disk space changes, VMWare Tools upgrades, etc.

  • UCInetID of Owner(s) or Group(s)

Data Owner

UCInetID of user or group responsible for app/data. This UCInetID will be contacted for (un)scheduled interruptions or other changes interrupting access to VM's data.

  • UCInetID of Owner(s) or Group(s)

Purpose

The VM’s primary purpose. These are tags in existence in ServiceNow and may be expanded.

  • application

  • database

  • domain_controller

  • file

  • mail

  • utility

  • web

Protection Level

The VM protection level represents the level of security protection needed for Institutional Information or an IT Resource. Definitions can be found at https://www.security.uci.edu/program/classification/

  • P4 - Critical

  • P3 - High

  • P2 - Medium

  • P1 - Low

Availability Level

The VM availability represents the business impact a disruption in the resource's availability has. This is used to determine the level of disaster recoverability, as well as the priority level of VM restart when there are infrastructure failures (via vSphere HA).

  • A4 - Major

  • A3 - Moderate

  • A2 - Minor

  • A1 - Minimal

vm_Backup_Job

The VM's Veeam backup job.