Score:0

Allow user access to one hosted VM in ESXi web page and not the admin section


I was wondering if there was a lightweight way that we could allow a service providers access to one of our VMs through the web page but without access to the rest of the admin interface?

That is, if the server was located on https://10.0.0.1/ui and the machine was https://10.0.0.1/ui/#/console/1, how could they access that machine alone, and how could we stop them from trying to access /ui/ alone?

I have already created a new user, contractor, and then created a new role with only VirtualMachine access. This allows me to only see the one VM that I have assigned the privilege to - so far so good.

If I try accessing https://10.0.0.1/ui/#/console/1 directly then I am asked to log in. But if I access https://10.0.0.1/ui I can see only the VM allowed - but with extra privileges like restart, shutdown, etc.

I've noticed that only allowing VirtualMachine still auto enables System. Removing it seems to not save so I assumed it is mandatory.

We are on ESXi v7.

What would you need to provide access for, if not for restarting/resetting the VM? Access to the VM can be done through RDP/SSH/VNC/whatever.
markb:
Currently they access via RDP but I've been asked to explore them in a "sandboxed" web-only method. That way they can't transfer files in and out. I'm just the research, not the implementation.
You can also disable the ability to transfer files via RDP.
Of course, all of this is moot if the VM itself is able to access the internet. That opens up all manner of possibilities to transfer files.
eKKiM:
If you want to give an external contractor access in a controlled way, another option is using Apache Guacamole. You could even record remote sessions, which can be consulted at a later time.
markb:
@eKKiM that looks really good to implement too. I'll pass this all on but thank you
Score:1

You can make much finer granular permissions by clicking on the VirtualMachine entry in the edit roles dialog. Next you can click on Interact and disable the permissions you don't want, like PowerOn, PowerOff.


markb:
Thanks! I didn't realise there were more sub-menu options!
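The same role-editor steps done from PowerCLI, as an added example that is not part of the question or the answer above: it builds a role holding only the console-interaction privilege (no PowerOn/PowerOff), binds it to a single VM without propagation, and prints the result so the effective privileges can be checked. The host 10.0.0.1, the VM name `vm01`, the role name `VMConsoleOnly` and an already existing local user `contractor` are assumptions.

```powershell
# Added example, not code from the thread. Assumed: ESXi host 10.0.0.1,
# an existing local user 'contractor', a VM named 'vm01', role 'VMConsoleOnly'.
Connect-VIServer -Server 10.0.0.1 -User root   # prompts for the password

$roleName = 'VMConsoleOnly'
$vmName   = 'vm01'

# Only the console privilege from VirtualMachine > Interact. PowerOn, PowerOff,
# Reset and the device/removable-media privileges are deliberately left out.
$privs = Get-VIPrivilege -Id 'VirtualMachine.Interact.ConsoleInteract'

if (-not (Get-VIRole -Name $roleName -ErrorAction SilentlyContinue)) {
    # System.Anonymous, System.View and System.Read are added to every role
    # automatically, which is why 'System' cannot be removed in the UI.
    New-VIRole -Name $roleName -Privilege $privs | Out-Null
}

$role = Get-VIRole -Name $roleName
$vm   = Get-VM -Name $vmName

# Grant the role on this one VM only. Propagate is off so the contractor
# sees nothing else in the host inventory.
New-VIPermission -Entity $vm -Principal 'contractor' -Role $role -Propagate:$false | Out-Null

# Verification: the role's effective privilege list and the VM-level permission.
$role.PrivilegeList
Get-VIPermission -Entity $vm |
    Where-Object { $_.Principal -eq 'contractor' } |
    Select-Object Entity, Principal, Role, Propagate
```

If the privilege list shows more than ConsoleInteract plus the three System entries, the role was edited elsewhere and should be reviewed before the contractor logs in.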