Question

A User Needs Multiple Types of Access to PC Controlled Cluster

  • 9 June 2022
  • 6 replies
  • 58 views

Badge

As an example, I have a set of users, all of which need full view access (no console). However, a subset of those users need console access to a subset of VMs. I’m not sure how this might be implemented. We are running 5.20.2.01. I’m not quite sure how to implement.


6 replies

Userlevel 3
Badge +3

Hello!

Please check my article. I hope it can answer some of your questions. It’s in Russian, but you can find google translate button in the bottom corner: User access control in Nutanix Prism Central

I think you need two roles, one with VM console access and one without it. And spread your users across both groups as required.

Badge

Many thanks for the information.  It was very helpful. 

I’m still struggling a bit with this scenario.

I have 4 users: A, B, C, D. All of them need full read access to just about everything.

However A, B need console access to a subset of consoles. I guess I would need two roles: one for A,B and one for C,D? I may have been overthinking this.

Badge

So A,B need read access to everything including VMs in addition to console access to only a subset of VMs. C and D only need read access. I’m trying to figure out how A and B can get console access to the VMs they need but still “see” the other VMs.

Userlevel 1
Badge +2

Hi there,

Sorry I know this is an older post, wondering if you'd progressed this?

We recently had a similar requirement for pretty much everyone to have read only access and then 'groups' who needed more access to separate VMs.

We ended up using a combination:

  1. Having non-admin accounts added in RBAC with the Prism Viewer role so folks would log in with those (daily-driver account) to have read-only access
  2. A custom role created that handled the VM permissions needed. This was then assigned to the security group that contains the 'admin' account identities for the admin folks.

This let us have read only for pretty much everyone in IT but then to have unique group & resource (VM) assignments too.

Sadly this is where Nutanix needs to hugely improve RBAC, so much disconnection between roles, projects, and mappings.

We found that even some individual permissions obtained from API don't work unless the user is a super admin which is somewhat useless.

Hope you found something workable for your use case.
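The layered scheme the two replies above converge on (a global read-only role for everyone, plus a custom role with console access bound to a group and scoped to a subset of VMs) is easier to reason about as a small policy model. The following is an added illustration, not Nutanix's code or the posters' configuration: the role, group and permission names, the category tags used for scoping, and the user directory are all hypothetical and constructed inline. What it shows is the property the thread is after: assignments only ever add permissions, so A and B keep full view everywhere while their console permission applies only to VMs matching the scope filter, and C and D never obtain console anywhere.

```python
"""Layered RBAC model: one global read-only role for everyone, plus a
scoped custom role that adds VM console access on a subset of VMs.
Added illustration, not Nutanix's implementation; every role, group,
category and permission name below is hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass
class VM:
    name: str
    categories: Dict[str, str] = field(default_factory=dict)  # e.g. {"Team": "Web"}


@dataclass
class Role:
    name: str
    permissions: FrozenSet[str]


@dataclass
class Assignment:
    """Binds a role to groups. scope=None means every VM; otherwise the VM
    must carry every category:value pair listed (an AND filter)."""
    role: Role
    groups: FrozenSet[str]
    scope: Optional[Dict[str, str]] = None


# Hypothetical roles: a viewer that can only look, and a custom role that
# adds console. The permission strings are made up for this model.
VIEWER = Role("viewer", frozenset({"vm.view", "cluster.view"}))
VM_CONSOLE = Role("vm-console", frozenset({"vm.view", "vm.console"}))

# Constructed directory: everyone is in it-all, only A and B in web-admins.
GROUPS = {
    "A": frozenset({"it-all", "web-admins"}),
    "B": frozenset({"it-all", "web-admins"}),
    "C": frozenset({"it-all"}),
    "D": frozenset({"it-all"}),
}

# Constructed inventory: console access is meant to apply only to Team=Web.
VMS = [
    VM("web01", {"Team": "Web"}),
    VM("web02", {"Team": "Web"}),
    VM("db01", {"Team": "DB"}),
]

# The two assignments the thread describes: global viewer for all,
# scoped console role for the subset.
ASSIGNMENTS = [
    Assignment(VIEWER, frozenset({"it-all"})),
    Assignment(VM_CONSOLE, frozenset({"web-admins"}), scope={"Team": "Web"}),
]


def in_scope(vm: VM, scope: Optional[Dict[str, str]]) -> bool:
    return scope is None or all(vm.categories.get(k) == v for k, v in scope.items())


def permissions_for(user: str, vm: VM,
                    groups=GROUPS, assignments=ASSIGNMENTS) -> Set[str]:
    """Union of permissions from every assignment whose group the user is in
    and whose scope matches this VM. Assignments never subtract, so a
    user's view rights survive regardless of what else they are granted."""
    perms: Set[str] = set()
    for a in assignments:
        if a.groups & groups.get(user, frozenset()) and in_scope(vm, a.scope):
            perms |= a.role.permissions
    return perms


def can(user: str, vm: VM, permission: str, **kw) -> bool:
    return permission in permissions_for(user, vm, **kw)


def access_matrix(users, vms, permission: str, **kw) -> Dict[str, List[str]]:
    """Which VMs each user holds `permission` on. Useful as a review
    artefact to confirm the scoped role leaked nowhere it should not."""
    return {u: [vm.name for vm in vms if can(u, vm, permission, **kw)] for u in users}


if __name__ == "__main__":
    for perm in ("vm.view", "vm.console"):
        print(perm, access_matrix(GROUPS, VMS, perm))
```

The point of `access_matrix` is the check you would run after building this in a real system: enumerate every user against every VM for the sensitive permission and confirm only the intended subset appears, rather than trusting that the role definitions read correctly. Whatever mechanism a given platform uses to scope a role assignment to a set of VMs (tags, categories, projects), the same union-of-assignments reasoning applies, and that is what makes the "everyone viewer, some people more" pattern workable without a separate role per combination.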

Badge

Thanks for the input.  This gives me another tool to use, but I don’t think I  can map it to the scenario I need.  I infer that you basically have two types of groups, read only and admin.

My issue is that I have a need to set up different types of access for a particular user/group. That user may need “read only” to a large set of systems, then need console access to a smaller group, and maybe even another type of access to a smaller group.

I agree that RBAC needs a bit more maturity.

Userlevel 1
Badge +2

Hi there,

Yep, our users have various accounts, e.g. kmount as my daily driver (this one has Prism Viewer access), then I have kmount-sa that is my admin account that cannot log in interactively to a desktop but can into this portal etc. with the increased access to console.

I hope rbac, role mapping and projects get smashed together to create a single functioning view.

Good luck!
