Section 1 – Plan, Install and Upgrade VMware ESX/ESXi
- Objective 1.3 – Secure VMware ESX/ESXi
QUESTION 71
Which of the following are not valid permissions for a Datacenter Administrator (Choose Two)?
A. Create a Resource Pool
B. Create a Virtual Machine
C. Add a Host
D. Assign Permissions to a user
Answer: BD
Explanation:
Managing VMware VirtualCenter Roles and Permissions, page 5.
Datacenter Administrator
Perform actions on global items, folders, datacenters, datastores, hosts [C above], virtual machines, resources [A above], and alarms.
Set up datacenters, but with limited ability to interact with virtual machines [B above].
This includes:
All privileges for folder, datacenter, datastore, network, resource, alarms, and scheduled task privileges groups.
Selected privileges for global items, host, and virtual machine privileges groups.
No privileges for session, performance, and permission [D above] privileges groups.
QUESTION 72
What is a valid use case for the No Access role?
A. An administrator wants to prevent a user from launching the vSphere Client
B. An administrator wants to allow only the status of an object to be viewed, but provide no other access
C. An administrator wants to allow the state and details of an object to be viewed, but provide no other access
D. An administrator wants to revoke permissions on an object that would otherwise be propagated
Answer: D
Explanation:
Mastering VMware vSphere 4, page 387.
The No Access role can be used if a user was granted access higher up in the inventory.
QUESTION 73
When assigning a user permissions on an ESX Server, which of the following objects cannot be assigned permissions (Choose all that apply)?
A. Folders
B. Hosts
C. Virtual Machines
D. Resource Pools
E. None of the other alternatives apply
Answer: E
Explanation:
All of the above objects can be assigned permissions.
QUESTION 74
When an existing role that has been assigned to users is removed from vCenter Server, which of the following can occur (Choose Two)?
A. Users or groups are automatically assigned to the next most restrictive role available
B. Users or groups that had privileges may no longer have any permissions in vCenter
C. Users or groups can be reassigned to any available role
D. Users or groups retain the removed role until they are manually assigned a new role
Answer: BC
Explanation:
See below.
QUESTION 75
Using the vSphere Client logged in to vCenter, you create a new user and assign this user Administrator privileges on an ESX Server. Which privileges will that user have on the DRS Cluster in which this ESX Server resides?
A. Administrator
B. Virtual Machine Administrator
C. No Access
D. Datacenter Administrator
Answer: C
Explanation:
When you assign a permission to an object, you can choose whether the permission propagates down the object hierarchy. Because a cluster sits above an ESX host in the hierarchy, permissions do not propagate from the host up to the cluster. Therefore the user will have no permissions on the cluster.
QUESTION 76
Which pre-defined role can assign permissions to users?
A. Administrator
B. Virtual Machine Administrator
C. Virtual Machine User
D. Datacenter Administrator
Answer: A
Explanation:
vSphere Basic System Administration vCenter Server 4.0 ESX 4.0 ESXi 4.0, page 214
Table 18-1. Default Roles
Administrator – All privileges for all objects. Add, remove, and set access rights and privileges for all the vCenter Server users and all the virtual objects in the vSphere environment. This role is available in ESX/ESXi and vCenter Server.
QUESTION 77
The QA department wants to manage their own virtual machines (VMs). They share an ESX Server cluster with the HR department, and the Finance department.
What is the appropriate role for the QA department members?
A. Administrator on the VM object
B. VM Administrator
C. Resource Pool Administrator
D. Datacenter Administrator
Answer: C
Explanation:
vSphere Basic System Administration vCenter Server 4.0 ESX 4.0 ESXi 4.0, page 213.
When you assign a user or group permissions, you pair the user or group with a role and associate that pairing with an inventory object. A single user might have different roles for different objects in the inventory. For example, if you have two resource pools in your inventory, Pool A and Pool B, you might assign a particular user the Virtual Machine User role on Pool A and the Read Only role on Pool B. This would allow that user to power on virtual machines in Pool A, but not those in Pool B, although the user would still be able to view the status of the virtual machines in Pool B.
QUESTION 78
Which of the following methods can be used to secure access to iSCSI storage when using ESX server? (Choose Two.)
A. Enable CHAP authentication
B. Disable promiscuous mode for the virtual switch containing the VMkernel port used for iSCSI
C. Enable encryption on iSCSI initiator by selecting the iSCSI encrypt option
D. Place virtual machines and the VMkernel port used for iSCSI on separate virtual switches
Answer: AD
Explanation:
iSCSI SAN Configuration Guide ESX 4.0 ESXi 4.0 vCenter Server 4.0, page 37.
Because the IP networks that the iSCSI technology uses to connect to remote targets do not protect the data they transport, you must ensure security of the connection. iSCSI requires that all devices on the network implement Challenge Handshake Authentication Protocol (CHAP), which verifies the legitimacy of initiators that access targets on the network (A).
Placing virtual machines and the VMkernel port used for iSCSI on separate virtual switches can prevent VMs from accessing the iSCSI initiator (D).
QUESTION 79
On an ESX Server, a particular user is assigned the Administrator role. However, when that user logs into the vCenter Server, they have Read Only rights. What most likely caused this?
A. ESX Server roles do not propagate to the vCenter Server.
B. The ESX Server is not authenticating using NIS.
C. The user is logging in with a different password.
D. The vCenter Server is not a member of an Active Directory domain.
Answer: A
Explanation:
vSphere Basic System Administration vCenter Server 4.0 ESX 4.0 ESXi 4.0, page 211.
The privileges and roles assigned on an ESX/ESXi host are separate from the privileges and roles assigned on a vCenter Server system. When you manage a host using vCenter Server, only the privileges and roles assigned through the vCenter Server system are available. If you connect directly to the host using the vSphere Client, only the privileges and roles assigned directly on the host are available (A).
QUESTION 80
On an ESX Server managed by vCenter, you create a new user and assign this user Administrator Privileges. Which privileges will that user have on the ESX Server cluster in which this server resides?
A. Cluster User
B. Administrator
C. None
D. Virtual Machine Administrator
Answer: C
Explanation:
When you assign a permission to an object, you can choose whether the permission propagates down the object hierarchy. Because a cluster sits above an ESX host in the hierarchy, permissions do not propagate from the host up to the cluster. Therefore the user will have no permissions on the cluster.
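The propagation rules behind Questions 72, 75, 77 and 80, worked through as an added example (a simplified Python model written for this page, not VMware code). The inventory names and the users host-admin, qa-alice and auditor are constructed for illustration, and the model handles one user at a time, with no group membership.

```python
# Simplified model of vCenter permission resolution (illustrative, not VMware code).
# Inventory and user names below are constructed sample data.

# child -> parent; the inventory root has parent None
PARENT = {
    "Datacenter": None,
    "Cluster": "Datacenter",
    "esx01": "Cluster",
    "QA-Pool": "Cluster",
    "HR-Pool": "Cluster",
    "qa-vm1": "QA-Pool",
    "hr-vm1": "HR-Pool",
}

# (user, role, object, propagate)
PERMISSIONS = [
    ("host-admin", "Administrator", "esx01", True),                # Q75 / Q80
    ("qa-alice", "Resource Pool Administrator", "QA-Pool", True),  # Q77
    ("auditor", "Read Only", "Datacenter", True),                  # granted high up
    ("auditor", "No Access", "HR-Pool", True),                     # Q72: revoke below
]

def effective_role(permissions, user, obj):
    """Return the role `user` holds on `obj`, or None if nothing applies.

    A permission set directly on the object wins. Otherwise the nearest
    ancestor permission created with propagate=True applies. Nothing ever
    flows upward from a child object to its parent.
    """
    direct = {(u, o): (role, prop) for u, role, o, prop in permissions}
    node, on_self = obj, True
    while node is not None:
        hit = direct.get((user, node))
        if hit is not None:
            role, propagate = hit
            if on_self or propagate:
                return role
        node, on_self = PARENT[node], False
    return None

if __name__ == "__main__":
    for user, obj in [("host-admin", "esx01"), ("host-admin", "Cluster"),
                      ("qa-alice", "qa-vm1"), ("qa-alice", "hr-vm1"),
                      ("auditor", "qa-vm1"), ("auditor", "hr-vm1")]:
        print(f"{user:10} on {obj:8} -> {effective_role(PERMISSIONS, user, obj)}")
```

A result of None means no permission applies to that user on that object, which is the outcome in Questions 75 and 80.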
QUESTION 81
For what reason would an ESX Server administrator send an end user a remote console URL?
A. to go directly to the state of a specific virtual machine snapshot that can be resumed by the end user with a vSphere Client
B. because remote console URLs are used to delegate administrative tasks performed on the ESX service console
C. to provide a lightweight user interface to a virtual machine without a vSphere Client
D. for quick access to a specific virtual machine from the vSphere Client
Answer: C