Creating a Special Role on vCenter and Assigning the Role to a Local/Domain User

Like ESX servers, vCenter servers also terminate user sessions based on timeout periods. The default timeout period is 30 minutes. When you stop an agent, the sessions it was using remain open until vCenter times them out. If the agent is restarted within the timeout period, it opens a new set of sessions. If you want the eG agent to close its existing sessions on vCenter before it opens new ones, then, when monitoring ESX servers via vCenter, you have to configure the tests with the credentials of a user who has the View and stop sessions permission on vCenter (prior to vCenter 4.1, this was called the View and Terminate Sessions permission).

When the eG agent is started/restarted, it first attempts to connect to the vCenter server and terminate all existing sessions for the user whose credentials have been provided for the tests.

This is done to ensure that unnecessary sessions do not remain established on the vCenter server for the session timeout period. Ideally, you should create a separate user account with the required privilege and use it for the test configurations. If you provide the credentials of an existing user instead, then every time the eG agent starts/restarts, it will close all existing sessions for this user (including sessions you may have opened using the Virtual Infrastructure client). In this case, you may notice that your VI client sessions are terminated when the eG agent starts/restarts.

Given below are the steps to be followed for creating a separate user account with the View and stop sessions privilege:

  1. Log in to a system on which the VMware Infrastructure Client is installed.
  2. Double-click on the VMware Infrastructure Client icon on your desktop.
  3. Figure 1 then appears. To connect to the vCenter, select the IP address / Name of the vCenter, and then provide the login information. To grant access permissions to a user, you will have to log in to vCenter as a user with rights to grant permissions to other users. Therefore, provide the User name and Password of such a user in Figure 1.

    Figure 1 : Connecting to vCenter

  4. When the Virtual Infrastructure Client opens, click on the Administration icon (see Figure 2).

    Figure 2 : Clicking on the Administration icon

  5. The Roles tab page opens by default, revealing the roles that pre-exist on vCenter (see Figure 3).

    Figure 3 : Viewing the roles available on the vCenter

  6. To create a special role, right-click anywhere within Figure 3, and select Add from the shortcut menu that appears (see Figure 4).

    Figure 4 : Selecting Add from the shortcut menu

  7. Figure 5 then appears; in the Enter Name field, specify a name for the new role. Since the role requires the privilege to view and terminate user sessions on vCenter, expand the Sessions node in Figure 5, and select the View and Terminate Sessions check box under it (on vCenter 4.1 and above, the check box is labeled View and stop sessions, as in Figure 6).

    Figure 5 : Creating a new role on a vCenter server (prior to v 4.1) with the ‘View and Terminate Sessions’ privilege

    Figure 6 : Creating a new role on vCenter 4.1 (and above) with the ‘View and stop sessions’ privilege

  8. Then, click the OK button in Figure 6 to save the changes.
  9. Figure 7 then appears listing the newly created role. Once the role is created, proceed to assign it to a local/domain user of vCenter. The first step towards achieving this is to click on the Inventory icon indicated by Figure 7.

    Figure 7 : The Roles tab page listing the newly created role

  10. Figure 8 then appears. In the left panel of Figure 8, you will find a tree-structure consisting of a wide range of nodes and sub-nodes. Click on the Hosts & Clusters node. Clicking on this node reveals a series of tab pages in the right pane. To assign permissions to a user for accessing vCenter, click on the Permissions tab in the right pane.

    Figure 8 : Details of users to vCenter

  11. When the Permissions tab page opens, right-click anywhere within the tab page, and pick the Add Permission option from the shortcut menu that appears (see Figure 8). Figure 9 then opens. From the list box in the Assigned Role section of Figure 9, select the newly created role.

    Figure 9 : Selecting the Add Permission option

  12. Since no users have been assigned this role yet, the Users and Groups section of Figure 9 will appear empty. To map this role to a user, click the Add button in Figure 9.
  13. Figure 10 that then appears allows you to select a local/domain user. If you want to grant a local user the right to View and stop sessions, just select <servers> from the Domain list. All valid users to the Windows system hosting the vCenter will then be listed in the Users and Groups section in Figure 10. Select one from this list (see Figure 10). To grant the same privilege to a domain user, select the domain from the Domain list, and then select a domain user from the Users and Groups section (not shown in Figure 10).

    Figure 10 : Selecting a local user

  14. Then, click the Add button in Figure 10. The chosen user will then be added to the Users box as depicted by Figure 11.

    Figure 11 : Adding the chosen user

  15. Next, click the OK button in Figure 11. Figure 12 then appears displaying the local/domain user that you added previously, in the Users and Groups section.

    Figure 12 : Assigning the Read-Only role to a chosen user

  16. Finally, click the OK button.
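
The same role and permission can be created from VMware PowerCLI, which also makes it easy to confirm that the role carries nothing beyond the session privilege. This is an added example, not part of the original eG procedure; the server name, role name and account are constructed placeholders, and it assumes the permission is assigned at the vCenter root folder with propagation.

```powershell
# Constructed placeholder values: replace with your own.
$vCenter   = 'vcenter.example.local'
$roleName  = 'eG-SessionCleanup'
$principal = 'EXAMPLE\svc-egmonitor'   # dedicated account used only by the agent

# Connect as a user who is allowed to create roles and grant permissions.
Connect-VIServer -Server $vCenter -Credential (Get-Credential) | Out-Null

# 'Sessions.TerminateSession' is the privilege ID behind the UI label
# "View and stop sessions" ("View and Terminate Sessions" before vCenter 4.1).
$priv = Get-VIPrivilege -Id 'Sessions.TerminateSession'

# Create the role only if it does not exist yet, so the script can be re-run.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $priv
}

# Least-privilege check: vCenter adds System.* privileges to every role;
# anything else besides the session privilege means the role has drifted.
$extra = $role.PrivilegeList |
    Where-Object { $_ -notlike 'System.*' -and $_ -ne $priv.Id }
if ($extra) {
    throw "Role '$roleName' carries unexpected privileges: $($extra -join ', ')"
}

# Assign the role to the dedicated account at the root folder (assumption:
# this matches assigning it on the top-level node in the client).
$root = Get-Folder -NoRecursion
$existing = Get-VIPermission -Entity $root -Principal $principal -ErrorAction SilentlyContinue |
    Where-Object { $_.Role -eq $roleName }
if (-not $existing) {
    New-VIPermission -Entity $root -Principal $principal -Role $role -Propagate $true | Out-Null
}

# Review every permission the account holds; it should list this one role only.
Get-VIPermission -Principal $principal |
    Select-Object Entity, Principal, Role, Propagate

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

If the final listing shows any role other than the one created here, the account is not dedicated to the agent and restarting the agent will also end that user's interactive client sessions, as described above.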