0

I was wondering if there was a lightweight way that we could allow a service provider access to one of our VMs through the web page but without access to the rest of the admin interface?

That is, if the server was located on https://10.0.0.1/ui and the machine was https://10.0.0.1/ui/#/console/1, how could they access that machine alone, and stop them from trying to access /ui/ alone.

I have already created a new user, contractor, and then created a new role with only VirtualMachine access. This allows me to only see the one VM that I have assigned the privilege to - so far so good.

If I try accessing https://10.0.0.1/ui/#/console/1 directly then I am asked to log in. But if I access https://10.0.0.1/ui I can see only the VM allowed - but with extra privileges like restart, shutdown, etc.

I've noticed that only allowing VirtualMachine still auto-enables System. Removing it seems to not save so I assumed it is mandatory.

We are on ESXi v7.

  • What would you need to provide access for, if not for restarting/resetting the VM? Access to the VM can be done through RDP/SSH/VNC/whatever. May 5 at 11:34
  • Currently they access via RDP but I’ve been asked to explore them in a “sandboxed” web-only method. That way they can’t transfer files in and out. I’m just the research, not the implementation.
    – markb
    May 5 at 11:46
  • You can also disable the ability to transfer files via RDP. May 5 at 11:48
  • Of course, all of this is moot if the VM itself is able to access the internet. That opens up all manner of possibilities to transfer files. May 5 at 11:49
  • If you want to give an external contractor access in a controlled way, another option is using Apache Guacamole. You could even record remote sessions which can be consulted at a later time.
    – eKKiM
    May 5 at 12:34

1 Answer

1

You can make much finer-grained permissions by clicking on the VirtualMachine entry in the edit roles dialog. Next you can click on Interact and disable the permissions you don't want, like PowerOn, PowerOff.


  • Thanks! I didn't realise there were more sub-menu options!
    – markb
    May 5 at 21:34
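
The role edit described in the answer can also be scripted and then audited with VMware PowerCLI. This is an added example, not code from the question or the answer. The role name `ConsoleOnly` and the VM name `contractor-vm` are hypothetical, and starting from `ConsoleInteract` alone is an assumption to test against your own console workflow.

```powershell
# Added example (PowerCLI); 'ConsoleOnly' and 'contractor-vm' are hypothetical names.
Connect-VIServer -Server 10.0.0.1        # prompts for an administrator login

# Start from the single Interact privilege used for console access.
# The System privileges are attached to the role automatically, as the question observed.
$wanted = @('VirtualMachine.Interact.ConsoleInteract')
$role   = New-VIRole -Name 'ConsoleOnly' -Privilege (Get-VIPrivilege -Id $wanted)

# Bind the role to the contractor account on the one VM only, without propagation.
$vm = Get-VM -Name 'contractor-vm'
New-VIPermission -Entity $vm -Principal 'contractor' -Role $role -Propagate $false

# Audit: fail loudly if a power-state privilege is present in the role.
$forbidden = 'PowerOn', 'PowerOff', 'Reset', 'Suspend' |
    ForEach-Object { "VirtualMachine.Interact.$_" }
$leaks = (Get-VIRole -Name 'ConsoleOnly').PrivilegeList |
    Where-Object { $_ -in $forbidden }

if ($leaks) {
    Write-Warning ("Role still grants: " + ($leaks -join ', '))
} else {
    Write-Output 'Role grants no power-state privileges.'
}

# Review every object the contractor account has a permission on.
Get-VIPermission -Principal 'contractor' |
    Select-Object Entity, Role, Propagate
```

The final listing should show the single VM only; any other entity in it means the account holds a permission outside the intended scope.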
