3.4 User Access to Virtual Machines

By itself, the Oracle VM Manager GUI is an administrator tool. The administrator accounts have full access to all the functionality and all resources managed through Oracle VM Manager. Therefore it is highly recommended that only a few accounts be handed out to the people who are responsible for configuration and day-to-day management of the environment. Administrators must also have access to the guest operating systems of the virtual machines, and for that they use the VM console from within the Oracle VM Manager GUI. However, not every user with virtual machine access needs to be an Oracle VM administrator, and making every such user an administrator would violate the principle of least privilege. (See Section 1.2.3, "Follow the Principle of Least Privilege".) Depending on your particular deployment of Oracle VM, you may want to grant virtual machine access in a different way.

We distinguish between three methods of virtual machine access control:

  • Oracle VM Manager console.

  • Direct remote connectivity.

  • Role-based access control with Oracle Enterprise Manager.

VM Console Access

An Oracle VM administrator can always access the guest operating system of a virtual machine via the console in Oracle VM Manager. This is the standard method to connect to a virtual machine hosted in an Oracle VM environment. If your virtual machines are servers hosting applications and services, for example, then it is likely that they are configured and maintained by system administrators. In this type of setup, end users interact with the service or application running on the server, but never log on to the virtual machine itself.

For this model it makes sense that only one or a handful of system administrators can access the virtual machine via the Oracle VM Manager console. From a security standpoint, a small number of administrator accounts is very manageable, while the Oracle VM resources remain hidden and protected from all other users.

Direct VM Access

If certain users need administrative access to virtual machines, but are not administrators of the Oracle VM environment, we recommend that you do not create additional administrator accounts for Oracle VM Manager. Instead, an Oracle VM administrator should set up the virtual machine and configure remote connectivity so that the virtual machine user can establish a connection without having to go through Oracle VM Manager. To establish direct VM access, follow the same principles and procedures as with a physical server:

  1. Install and configure the appropriate operating system on the VM. Install any mandatory additional software as well.

  2. Create the necessary user accounts and set the required privileges.

  3. Connect the VM to a network that is accessible to the VM user(s), but make sure that the management network and other networks essential for your Oracle VM environment remain protected. Assign a static IP address to the VM to facilitate remote connectivity. Never use a public IP address for administrative access; instead, use a private IP address in the internal network and force users to set up a VPN connection to the internal network first.

  4. Configure remote connectivity on the VM. For a Windows server, RDP can be used; for a Unix server you can use SSH for command line access, and VNC in case a graphical desktop environment is used. VNC does not encrypt its traffic by default, so tunnel it through SSH rather than exposing the VNC port on the network.

  5. Provide login credentials, VM IP address (or DNS name) and remote access port number to the users who require remote access.


Always apply the principle of least privilege: strictly enable only the functionality that users require.
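The following is an added example, not part of the Oracle VM documentation, covering steps 3 to 5 for a Linux guest: it renders an OpenSSH server configuration that listens only on the VM's private (RFC 1918) address and admits only an explicit list of users, and it audits an existing sshd_config for the same properties. The listen address 10.0.50.12 and the user names are assumptions made for the example; the audit follows sshd's rule that the first occurrence of a directive wins and deliberately ignores Match blocks.

```shell
#!/bin/sh
# Added example (not from the Oracle VM Security Guide): render and audit an
# sshd_config for direct VM access over the internal network only.

# is_private_ipv4 ADDR: succeed if ADDR lies in 10/8, 172.16/12 or 192.168/16.
is_private_ipv4() {
    case "$1" in
        10.*.*.*)                                   return 0 ;;
        192.168.*.*)                                return 0 ;;
        172.1[6-9].*.*|172.2[0-9].*.*|172.3[01].*.*) return 0 ;;
    esac
    return 1
}

# render_sshd_config LISTEN_ADDR USER...: print a restrictive sshd_config.
# Refuses a public listen address, per the rule that administrative access
# is never exposed on a public IP.
render_sshd_config() {
    listen="$1"; shift
    if ! is_private_ipv4 "$listen"; then
        echo "refusing non-private listen address: $listen" >&2
        return 1
    fi
    [ $# -gt 0 ] || { echo "at least one allowed user is required" >&2; return 1; }
    cat <<EOF
# Generated for direct VM access: bind only to the internal address.
ListenAddress $listen
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
X11Forwarding no
LoginGraceTime 30
MaxAuthTries 3
AllowUsers $*
EOF
}

# sshd_value FILE KEY: print the first effective value of KEY (lowercased),
# skipping comments. sshd uses the first value it sees, so a later "no"
# does not override an earlier "yes".
sshd_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print tolower($2); exit }' "$1"
}

# audit_sshd_config FILE: report every deviation from the expected settings;
# return 1 if any was found.
audit_sshd_config() {
    file="$1"; rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes; do
        key=${pair%=*}; want=${pair#*=}
        got=$(sshd_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'"; rc=1
        fi
    done
    if [ -z "$(sshd_value "$file" AllowUsers)" ]; then
        echo "FAIL: no AllowUsers list; every local account could log in"; rc=1
    fi
    addr=$(sshd_value "$file" ListenAddress)
    if [ -z "$addr" ]; then
        echo "FAIL: no ListenAddress; sshd would bind to every interface"; rc=1
    elif ! is_private_ipv4 "$addr"; then
        echo "FAIL: ListenAddress $addr is not an RFC 1918 address"; rc=1
    fi
    return $rc
}
```

Source the file on the guest, write the output of `render_sshd_config 10.0.50.12 ops1 ops2` to a staging file, run `audit_sshd_config` on it, and validate it with `sshd -t -f <file>` before moving it into place and restarting sshd. Treat a configuration that binds to 0.0.0.0 or to an address reachable from outside the VPN as a finding, exactly as the audit does.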

Role-Based Access

Large-scale deployments of Oracle VM have different requirements when it comes to user management and access control. A combination of the two access methods described above becomes unmanageable as the number of virtual machines increases, and different categories of users need different levels of access to groups of virtualized resources. If your environment is that large and complex, you need facilities such as role-based access control and directory service integration. Oracle VM Manager cannot provide this functionality, but if you need it, you can integrate your Oracle VM environment with Oracle Enterprise Manager.

The integration with Oracle Enterprise Manager adds a number of significant management features to Oracle VM, such as:

  • Role-based access control: user groups and permission profiles.

  • LDAP/directory service integration.

  • Resource assignment and ownership management.

  • Separation, isolation and protection of resource groups (VMs, networks, storage, etc.).

  • Profiles and deployment plans to create multiple VMs at once and to provision operating systems and software applications.

For a quick overview of role-based access control with Oracle Enterprise Manager, see this post on Oracle's Virtualization Blog: https://blogs.oracle.com/virtualization/entry/crash_course_role_based_access.

For detailed information about integrating Oracle VM with Oracle Enterprise Manager, see the Oracle Enterprise Manager documentation at: http://www.oracle.com/technetwork/oem/grid-control/documentation/oem-091904.html