Understanding VMware Horizon Roles and Permissions


You have everything configured the way your customer wanted, you are sitting with your project manager and technical leader on cutover date, and everything is running smoothly and efficiently. But before starting your day 2 operations, you need to create and define roles and permissions, so you can agree with the customer which people need access to VMware Horizon and which permissions each of them should be given.

Understanding this point is important, and it’s a topic covered in the VMware VCAP-DTM exam, if you’re looking to achieve that badge.

At the following link you can see the predefined administrator roles created by default in VMware Horizon:
https://docs.vmware.com/en/VMware-Horizon-7/7.9/horizon-administration/GUID-ADC0577C-C1EF-485D-814B-43DF17D5F2C4.html

I started by creating some custom roles and applying them, in order to better understand what access each privilege gives my user and how to work with them. Let’s check it:

Console Interaction

  • Can log into View Administrator

Note: Cannot be applied to an Access Group

You get access to the VMware Horizon Console, but without full access to its functions.

Direct Interaction

  • Can run all command line utilities and PowerShell commands

Note: Cannot be applied to an Access Group

You are not allowed to access the VMware Horizon console, but you can use all the VMware Horizon PowerCLI modules if you want to.

Enable Farms and Desktop Pools

  • Enable and Disable farms and desktop pools

Note: Can be applied to an Access Group

With this permission you can only enable and disable farms and desktop pools; that is the only part of the console it gives you.

Entitle Desktop and Application Pools

  • Add and remove desktop and application pool entitlements

Note: Can be applied to an Access Group

This permission only allows you to add or remove entitlements from desktop and application pools.

Manage vCenter

  • Read only access to vCenter Configuration

Note: Can be applied to an Access Group

With Access

When you have the Manage vCenter permission, you can see the vCenter information of the farm or desktop pool related to the desktop / server you are looking at. See the example below:

No Access

When you don’t have this permission, you are not allowed to see that information in the Horizon Console:

Manage Composer Desktop Pool Image

  • Recompose, refresh, rebalance, and change default image for a desktop pool

Note: Can be applied to an Access Group

If you’re using VMware Horizon Composer, you have a tab where you can choose among three options: Refresh, Recompose and Rebalance. If you have this permission, you can see that information in the pool:

Manage Farms and Desktop and Application Pools

  • Add, modify, and delete farms
  • Add, modify, delete, and entitle desktop and application pools
  • Add and remove machines

Note: Can be applied to an Access Group

When this permission is given to a group or an individual, you can see and edit the settings of an RDSH farm or desktop pool:

Manage Global Configuration and Policies

  • View and change global policies and view configuration settings except for administrator roles and permissions

Note: Cannot be applied to an Access Group

Global policies are allowed, so you can change the USB or multimedia options for all groups:

Manage Global Sessions

  • Manage Global Sessions

Note: Cannot be applied to an Access Group

Global sessions allows your user to get information from the events database for all sessions:

Manage Help Desk

  • Read only access to Help Desk Portal

Note: Can be applied to an Access Group

The VMware Horizon console becomes read-only, and the user / group is not allowed to change any option:

Manage Machine

  • Perform all machine and session-related commands.

Note: Can be applied to an Access Group

When selecting one specific desktop / server machine, you can see and change all the configuration related to that specific machine:

Manage Persistent Disks

  • Perform all machine and session-related commands.

Note: Can be applied to an Access Group

If you have Horizon Composer working with persistent disks, this is the permission you’re looking for. If your user or group has this role, you can see and change the following information:

Manage Reboot Operation

  • Reset/Restart machines

Note: Can be applied to an Access Group

A simple operation is allowed with this permission, but it is useful for a first call fix in help desk assistance:

Manage Remote Process and Applications

  • Manage remote processes and applications

Note: Can be applied to an Access Group

If you connect using https://VCSURL/newadmin, the VMware Horizon New Admin Console, you can see the Help Desk functions, and this permission allows your user or group to get information about the processes and applications of the selected virtual machine:

Manage Roles and Permissions

  • Add, modify, and delete administrator roles and permissions

Note: Cannot be applied to an Access Group

If you have that permission, you can give other users that power too. So, use that power carefully, ok?

Manage Sessions

  • Disconnect and logoff sessions

Note: Can be applied to an Access Group

With this permission, you can disconnect and log off other users’ sessions, which is great during first call fix in help desk calls:

Register Agent

  • Register non-vCenter machines such as RDS Hosts and physical PCs

Note: Cannot be applied to an Access Group

Remote Assistance

  • Remote assistance to Remote Desktop

Note: Can be applied to an Access Group

Using the newadmin console, you have the option to Remote Assist another VDI connection just by using this feature and permission:
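When you plan the day 2 assignments, two things from the list above are worth checking automatically: a privilege marked "Cannot be applied to an Access Group" must only be granted at the root access group, and Manage Roles and Permissions lets its holder hand out any privilege, so it deserves a second look wherever it appears. The following is an added example (my own script, not VMware's API or any Horizon PowerCLI cmdlet) that encodes the notes from this post and validates a proposed role assignment; the role names, the "/" root access group convention and the "/Finance" sub-group are constructed for the example.

```python
"""Validate planned Horizon role assignments against the access-group rule
and flag the privilege that can widen other admins' rights.
Constructed example: the privilege table below is transcribed from the
notes in this post; it is not pulled from Horizon."""
from dataclasses import dataclass

# Privilege name -> may it be applied to an Access Group (per the post's notes)?
ACCESS_GROUP_OK = {
    "Console Interaction": False,
    "Direct Interaction": False,
    "Enable Farms and Desktop Pools": True,
    "Entitle Desktop and Application Pools": True,
    "Manage vCenter": True,
    "Manage Composer Desktop Pool Image": True,
    "Manage Farms and Desktop and Application Pools": True,
    "Manage Global Configuration and Policies": False,
    "Manage Global Sessions": False,
    "Manage Help Desk": True,
    "Manage Machine": True,
    "Manage Persistent Disks": True,
    "Manage Reboot Operation": True,
    "Manage Remote Process and Applications": True,
    "Manage Roles and Permissions": False,
    "Manage Sessions": True,
    "Register Agent": False,
    "Remote Assistance": True,
}
# Holders of this privilege can grant any privilege to anyone, so it is reviewed separately.
HIGH_RISK = {"Manage Roles and Permissions"}

@dataclass
class Permission:
    role: str             # constructed role name, e.g. "Help Desk L1"
    privileges: list      # privilege names from the table above
    access_group: str = "/"   # "/" stands for the root access group (assumed convention)

def check_permission(p: Permission) -> list:
    """Return findings for one role assignment; an empty list means it is acceptable."""
    findings = []
    for priv in p.privileges:
        if priv not in ACCESS_GROUP_OK:
            findings.append(f"{p.role}: unknown privilege '{priv}'")
            continue
        if p.access_group != "/" and not ACCESS_GROUP_OK[priv]:
            findings.append(f"{p.role}: '{priv}' cannot be applied to access group {p.access_group}")
        if priv in HIGH_RISK:
            findings.append(f"{p.role}: '{priv}' allows granting privileges to others; review holder")
    return findings

def check_all(assignments: list) -> list:
    """Run check_permission over every planned assignment and collect findings."""
    return [f for p in assignments for f in check_permission(p)]
```

A help-desk role scoped to a sub-group with only the "Can be applied" privileges passes cleanly, while adding Direct Interaction to a sub-group-scoped role is reported.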

Enjoy this! It’s good to understand which roles and permissions you’ll give to your users. Thanks!

2 comments on “Understanding VMware Horizon Roles and Permissions”

  1. The software-defined data center (SDDC) is a happy reality.
    It’s a reality because the possibilities with software are at least 5X more advantageous and powerful compared to conventional approaches.
    Cutting-edge software has transformed the core of the data centers.
    This transformation extends similarly to end-user or workforce computing (EUC).
    In the new approach, it is possible to transform dramatically the delivery of current workspaces.
    We talk Business, cutting-edge technologies are the medium.
    The exchange of knowledge and experience is a success multiplier.

    Tks. Let’s Together. Cheers!!!
    😉

