
The vCenter Server administrative users must have the correct roles assigned.


Overview

Finding ID: V-39550
Version: VCENTER-000012
Rule ID: SV-51408r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Administrative users must only be assigned the privileges they require. The principle of least privilege requires that privileges be assigned only when needed, to reduce the risk of loss of confidentiality, availability, or integrity.

STIG: VMware vCenter Server Version 5 Security Technical Implementation Guide
Date: 2016-02-10

Details

Check Text ( C-46775r2_chk )
Check that roles are created in vCenter with the required granularity of privilege for the organization's administrator types, and that these roles are assigned to the correct, site-specific users:
Log in to the vCenter Server System using the vSphere Client as a vCenter Server System Administrator.
Go to "Home >> Administration >> Roles" and verify that a role exists for each of the administrator privilege sets the organization requires and allows.
Right-click on each role name and select "Edit". Verify under "All Privileges >> Virtual Machines" that only site-specific, required checkboxes are selected.

If the organization does not require roles for administrator privilege sets, this is a finding.

If a role does not exist for each of the organization-required, administrator privilege sets, this is a finding.
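
The check above can be repeated consistently by comparing each role's Virtual Machine privileges against a site-approved baseline. The PowerShell below is an added example, not part of the STIG; the function name Test-RoleBaseline, the role names and the baseline contents are constructed assumptions, and on a live system the input would come from the PowerCLI cmdlet Get-VIRole.

```powershell
# Added example: flag required roles that are missing and roles whose
# Virtual Machine privileges exceed the site-approved baseline.
function Test-RoleBaseline {
    param(
        [Parameter(Mandatory = $true)] [object[]]  $Roles,    # objects with Name and PrivilegeList
        [Parameter(Mandatory = $true)] [hashtable] $Baseline  # role name -> approved VirtualMachine.* privilege IDs
    )
    $findings = @()
    $roleNames = @($Roles | ForEach-Object { $_.Name })

    # A role must exist for each organization-required privilege set.
    foreach ($name in $Baseline.Keys) {
        if ($roleNames -notcontains $name) {
            $findings += [pscustomobject]@{ Role = $name; Issue = 'Required role missing'; Privileges = '' }
        }
    }

    # Only site-specific, required Virtual Machine privileges may be selected.
    foreach ($role in $Roles) {
        if (-not $Baseline.ContainsKey($role.Name)) { continue }
        $approved = $Baseline[$role.Name]
        $vmPrivs  = @($role.PrivilegeList | Where-Object { $_ -like 'VirtualMachine.*' })
        $extra    = @($vmPrivs | Where-Object { $approved -notcontains $_ })
        if ($extra.Count -gt 0) {
            $findings += [pscustomobject]@{ Role = $role.Name; Issue = 'Privileges beyond baseline'; Privileges = ($extra -join ', ') }
        }
    }
    return $findings
}

# Constructed baseline (assumption): replace with the organization's approved privilege sets.
$baseline = @{
    'VM-Operator'    = @('VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff')
    'VM-Provisioner' = @('VirtualMachine.Inventory.Create')
}

# Constructed sample input so the example runs offline. With PowerCLI connected to vCenter:
#   $roles = Get-VIRole | Where-Object { -not $_.IsSystem }
$roles = @(
    [pscustomobject]@{ Name = 'VM-Operator'; PrivilegeList = @('System.View', 'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Config.AddNewDisk') }
)

Test-RoleBaseline -Roles $roles -Baseline $baseline | Format-Table -AutoSize

# To review which users and groups hold each role (PowerCLI):
#   Get-VIPermission | Select-Object Principal, Role, Entity
```

With the constructed sample, the output reports VM-Provisioner as a missing required role and VM-Operator as holding VirtualMachine.Config.AddNewDisk beyond its baseline.
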
Fix Text (F-44563r2_fix)
Create roles in vCenter with the required granularity of privilege for the organization's administrator types, and ensure that these roles are assigned to the correct, site-specific users.
As a vCenter Server administrator, log in to the vCenter Server with the vSphere Client.
Go to "Home >> Administration >> Roles" and create a role for each of the administrator privilege sets the organization requires and allows.
Right-click on each role name and select "Edit". Verify under "All Privileges >> Virtual Machines" that only site-specific, required checkboxes are selected.