Download VMware Certified Professional 6 - Data Center Virtualization.2V0-621.PracticeTest.2017-08-23.186q.tqb

When you add a custom role and do not assign any privileges to it, the role is created as a Read Only role with three system-defined privileges: System.Anonymous, System.View, and System.Read. Reference:https://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc_50%2FGUID-5ACE7CFA-75EC-4EF3-95E7-19962D76225E.html

If an object inherits permissions from two parent objects, the permissions on one object are added to the permissions on the other object. For example, if a virtual machine is in a virtual machine folder and also belongs to a resource pool, that virtual machine inherits all permission settings from both the virtual machine folder and the resource pool. Reference:https://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-72EE3449-79FD-4E7A-B164-26904958540F.html

Reference:http://pubs.vmware.com/vsphere-4-esx-vcenter/index.jsp?topic=/com.vmware.vsphere.dcadmin.doc_41/vsp_dc_admin_guide/managing_users_groups_roles_and_permissions/c_hierarchical_inheritance_of_permissions.html

The primary way of authorizing a user or group in vSphere is the vCenter Server permissions. Depending on the task you want to perform, you might require other authorization. vSphere 6.0 and later allows privileged users to give other users permissions to perform tasks in the following ways. These approaches are, for the most part, mutually exclusive; however, you can assign use global permissions to authorize certain users for all solution, and local vCenter Server permissions to authorize other users for individual vCenter Server systems. vCenter Server Permissions The permission model for vCenter Server systems relies on assigning permissions to objects in the object hierarchy of that vCenter Server. Each permission gives one user or group a set of privileges, that is, a role for a selected object. For example, you can select an ESXi host and assign a role to a group of users to give those users the corresponding privileges on that host. Global Permissions Global permissions are applied to a global root object that spans solutions. For example, if both vCenter Server and vCenter Orchestrator are installed, you can give permissions to all objects in both object hierarchies using global permissions. Global permissions are replicated across the vsphere.local domain. Global permissions do not provide authorization for services managed through vsphere.local groups. See Global Permissions. Group Membership in vsphere.local Groups The user [email protected] can perform tasks that are associated with services included with the PlatformServices Controller. In addition, members of a vsphere.local group can perform the corresponding task. For example, you can perform license management if you are a member of the LicenseService.Administrators group. See Groups in the vsphere.local Domain. ESXi Local Host Permissions If you are managing a standalone ESXi host that is not managed by a vCenterServer system, you can assign one of the predefined roles to users. See the vSphere Administration with the vSphere Client documentation. Reference:https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-74F53189-EF41-4AC1-A78E-D25621855800.html

Answer must be B,C,D To manage permissions from the vSphere Web Client, you need to understand the following concepts:Permissions Each object in the vCenter Server object hierarchy has associated permissions. Each permission specifies for one group or user which privileges that group or user has on the object. Users and Groups On vCenter Server systems, you can assign privileges only to authenticated users or groups of authenticated users. Users are authenticated through vCenter Single Sign-On. The users and groups must be defined in the identity source that vCenter Single Sign-On is using to authenticate. Define users and groups using the tools in your identity source, for example, Active Directory. Roles Roles allow you to assign permissions on an object based on a typical set of tasks that users perform. Default roles, such as Administrator, are predefined on vCenter Server and cannot be changed. Other roles, such as Resource Pool Administrator, are predefined sample roles. You can create custom roles either from scratch or by cloning and modifying sample roles. Privileges Privileges are fine-grained access controls. You can group those privileges into roles, that you can then map to users or groups. Reference:https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-3B78EEB3-23E2-4CEB-9FBD-E432B606011A.html

SolutionUsers Solution usersgroup vCenter services. Each solution user authenticates individually to vCenter Single Sign-On with a certificate. By default, VMCA provisions solution users with certificates. Do not add members to this group explicitly. Administrators Administrators of the VMware Directory Service (vmdir). Members of this group can perform vCenter Single Sign-On administration tasks. Adding members to this group is not usually recommended. Reference:https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-87DA2F34-DCC9-4DAB-8900-1BA35837D07E.html

Global Permissions Global permissions are applied to a global root object that spans solutions, for example, both vCenter Server and vCenter Orchestrator. Use global permissions to give a user or group privileges for all objects in all object hierarchies. Each solution has a root object in its own object hierarchy. The global root object acts as a parent object to each solution object. You can assign global permissions to users or groups, and decide on the role for each user or group. The role determines the set of privileges. You can assign a predefined role or create custom roles. See Using Roles to Assign Privileges. It is important to distinguish between vCenter Server permissions and global permissions. vCenter Serverper missions In most cases, you apply a permission to a vCenter Server inventory object such as an ESXi host or a virtual machine. When you do, you specify that a user or group has a set of privileges, called a role, on the object. Global permissions Global permissions give a user or group privileges to view or manage all objects in each of the inventory hierarchies in your deployment. If you assigna global and do not select Propagate, the users or groups associated with this permission do not have access to the objects in the hierarchy. They only have access to some global functionality such as creating roles. Reference:https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-C7702E31-1623-4189-89CB-E1136AA27972.html

The dir-cli utility allows you to create and update solution users, create other user accounts, and manage certificates and passwords in vmdir. ( link: to see vmdircommands-- https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-4FBEA58E-9492-409B- B584-C18477F041D8.html)

Network Consumer Sample A set of privileges to allow the user to assign virtual machines or hosts to networks,if the appropriate permissions for the assignment are also granted on the virtual machines or hosts. Usually granted on a network or folder of networks.Available on vCenter Server. Virtual Machine User Sample A set of privileges to allow the user to interact with a virtual machine's console, insert media, and perform power operations. Does not grant privileges to make virtual hardware changes to the virtual machine. Privileges granted include:All privileges for the scheduled tasks privileges group. Selected privileges for the global items and virtual machine privileges groups. No privileges for the folder, datacenter, datastore, network, host, resource, alarms, sessions, performance, and permissions privileges groups. Usually granted on a folder that contains virtual machines or on individual virtual machines. Available on vCenter Server. Reference:http://pubs.vmware.com/vsphere-4-esx-vcenter/index.jsp?topic=/com.vmware.vsphere.dcadmin.doc_41/vsp_dc_admin_guide/managing_users_groups_roles_and_permissions/r_default_roles_for_esx_esxi_and_vcenter_server.html

Use VMCA as an Intermediate Certificate Authority You can replace the VMCA root certificate with a third-party CA-signed certificate that includes VMCA in the certificate chain.Going forward, all certificates that VMCA generates include the full chain. You can replace existing certificates with newly generated certificates. This approach combines the security of third-party CA-signed certificate with the convenience of automated certificate management. Procedure Replace the Root Certificate (Intermediate CA) The first step in replacing the VMCA certificates with custom certificates is generating a CSR and adding the certificate that is returned to VMCA as a root certificate. Replace Machine SSL Certificates (Intermediate CA) After you have received the signed certificate from the CA and made it the VMCA root certificate, you can replace all machine SSL certificates. Replace Solution User Certificates (Intermediate CA) After you replace the machine SSL certificates, you can replace the solution user certificates. Replace the VMware Directory Service Certificate If you decide to use a new VMCA root certificate, and you unpublish the VMCA root certificate that was used when you provisioned your environment, you must replace the machine SSL certificates, solution user certificates, and certificates for some internal services. Replace the VMware Directory Service Certificate in Mixed Mode Environments During upgrade, your environment might temporarily include both vCenter Single Sign-On version 5.5 and vCenter Single Sign-On version 6.0, you have to perform additional steps to replace the VMware Directory Service SSL certificate if you replace the SSL certificate of the node on which the vCenter Single Sign-On service is running. Reference:https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-5FE583A2-3737-4B62-A905-5BB38D479AE0.html