If you have separation of duties in your environment, which you probably should, you may find yourself needing to delegate access to perform certain tasks and functions from time to time. That is the basis for this post. I recently was asked whether it is possible to delegate administrative tasks in VMware HCX to users who don’t have any type of access to vCenter, or to any of the VMware infrastructure at all. The reason is that a small team was to assist with migrations from one data center to another via HCX, but the organization did not want them to have any type of access to the vCenter appliances. The answer is yes, you can delegate HCX administrative functions. Before we get into how, I do want to put emphasis on the word “administrative”: users mapped this way can migrate workloads, as well as create, modify, and remove service meshes and site pairings, and extend/un-extend networks.
First, for show and tell, I want to demonstrate that I am not able to log in with the username provided. Notice the error clearly states ‘Access is denied’.
To get started, we’ll need to go to the HCX appliance management (VAMI) page, whose port differs from the traditional 5480 used by vCenter and many other VMware appliances. Connect to https://[fqdn.of.your.HCX.Manager]:9443 and log in with the built-in ‘admin’ credentials.
Once authorized, proceed to the ‘Configuration’ tab, then click ‘HCX Role Mapping’ on the left. Notice that by default the SSO Administrators group of the connected vCenter Server (found under ‘Configuration’ > ‘vCenter Server’) is added here. This means that if you’re in this group, directly or via group nesting, you not only have full access in vCenter but also in HCX. This may be something you do (or don’t) want to change; it really depends on your organization’s needs. I personally would rip this out and put a dedicated group for HCX in its place, even if it contained exactly the same members as the groups used for vCenter, etc. In this particular case, the same team that manages vSphere also maintains HCX, so they were okay with this setting.
If you need to add more groups, it is a comma-separated field, so just click ‘Edit’ and type a comma followed by the group name in domain\group syntax, e.g., dirmann.tech\hcx-administrators. Once you’re done, click ‘Save’ and you’re good to go! The only thing left to do is test.
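As an added example (not from the post, and not an HCX API), here is a small Python checker for the value you paste into that role-mapping field: it validates the comma-separated domain\group syntax, deduplicates entries, flags whether the vCenter SSO Administrators group is still mapped, and builds the replacement value with a dedicated HCX group in its place. The SSO group name vsphere.local\Administrators is an assumption; the post does not spell it out.

```python
import re
from dataclasses import dataclass, field

# Entries in the HCX Role Mapping field are comma separated, each written as
# domain\group (e.g. dirmann.tech\hcx-administrators), as the post describes.
ENTRY_RE = re.compile(r"^(?P<domain>[A-Za-z0-9._-]+)\\(?P<group>[^\\,]+)$")

# Assumed name of the vCenter SSO Administrators group that HCX maps by
# default; adjust it to match your own SSO domain.
DEFAULT_SSO_ADMINS = r"vsphere.local\Administrators"


@dataclass
class MappingReport:
    groups: list = field(default_factory=list)   # normalized, deduplicated entries
    invalid: list = field(default_factory=list)  # entries not in domain\group form
    sso_admins_present: bool = False             # vCenter admins still get HCX admin


def check_role_mapping(value: str, sso_admins: str = DEFAULT_SSO_ADMINS) -> MappingReport:
    """Validate and normalize the comma-separated HCX role-mapping value."""
    report = MappingReport()
    seen = set()
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate trailing or doubled commas
        if not ENTRY_RE.match(entry):
            report.invalid.append(entry)
            continue
        key = entry.lower()  # AD and SSO group names are case-insensitive
        if key in seen:
            continue
        seen.add(key)
        report.groups.append(entry)
        if key == sso_admins.lower():
            report.sso_admins_present = True
    return report


def replace_sso_admins(value: str, dedicated_group: str,
                       sso_admins: str = DEFAULT_SSO_ADMINS) -> str:
    """Swap the SSO Administrators group for a dedicated HCX admin group."""
    report = check_role_mapping(value, sso_admins)
    kept = [g for g in report.groups if g.lower() != sso_admins.lower()]
    if dedicated_group.lower() not in (g.lower() for g in kept):
        kept.append(dedicated_group)
    return ",".join(kept)
```

Run check_role_mapping on the current field value before saving; a non-empty invalid list or sso_admins_present set to True tells you the mapping is not yet what the post recommends.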
As you can see, using the same username as before, we are able to log in to HCX’s management interface without going through vCenter, and we are able to execute the same set of tasks.
Thanks for reading. I hope you enjoyed this quick tip!
Paul Dirmann (vExpert PRO*, vExpert***, VCIX-DCV, VCAP-DCV Design, VCAP-DCV Deploy, VCP-DCV, VCA-DBT, C|EH, MCSA, MCTS, MCP, CIOS, Network+, A+) is the owner and current Lead Consultant at Dirmann Technology Consultants. A technology evangelist, Dirmann has held both leadership positions, as well as technical ones architecting and engineering solutions for multiple multi-million dollar enterprises. While knowledgeable in the majority of the facets involved in the information technology realm, Dirmann honed his expertise in VMware’s line of solutions with a primary focus in hyper-converged infrastructure (HCI) and software-defined data centers (SDDC), server infrastructure, and automation. Read more about Paul Dirmann here, or visit his LinkedIn profile.