VMware Cloud Community
fajarpri
Enthusiast
Enthusiast
‎11-26-2009 09:03 PM
Jump to solution

Bug in role?

Hi all,

I create a user group "labuser" and assign it "Virtual Machine Power User (example)".

So, create a user1 as labuser member. When I try to create a VM it's denied as "Need to assign Allocate Resource to VM", so I did.

After that, user1 can create VM no problem, however it goes too smoothly. I notice as user1, I can act as if I'm administrator. I can edit Roles. Eventhough I shouldn't have the permission (it's untick). I'm suspecting if it's a bug. Pls let me know if you need more info.

Tags (2)
0 Kudos
1 Solution

Accepted Solutions
purduecjs
Enthusiast
Enthusiast
‎11-30-2009 08:09 PM
Jump to solution

No, I've tried this again with the same result - my user cannot add/edit/remove roles nor add/remove permissions to any objects. I added the "Virtual Machine Power User (sample)" role to an ESX4 host which resides in a cluster, in a datacenter, running on a vCenter 4 instance.

I don't believe that this is triggered by logging into vcenter with two different usernames.

So you are running vcenter on windows xp and you are also launching the vc client on the same machine? Can you also list the local groups that userX belongs to?

Cameron J. Smith

System Administrator, Purdue University

-- Cameron

View solution in original post

0 Kudos
8 Replies
Texiwill
Leadership
Leadership
‎11-30-2009 12:58 PM
Jump to solution

Hello,

Are you trying to set this on the Host or via vCenter. Also is the labuser part of any groups such as Administrator.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

Virtualization Practice Analyst[/url]
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'[/url]
Also available 'VMWare ESX Server in the Enterprise'[/url]
[url=http://www.astroarch.com/wiki/index.php/Blog_Roll]SearchVMware Pro[/url]|Blue Gears[/url]|Top Virtualization Security Links[/url]|
[url=http://www.astroarch.com/wiki/index.php/Virtualization_Security_Round_Table_Podcast]Virtualization Security Round Table Podcast[/url]

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
0 Kudos
fajarpri
Enthusiast
Enthusiast
‎11-30-2009 03:46 PM
Jump to solution

Hi Edward,

I set it from VC. So the story is:

I create a group "userlab" on the XP where VC hosted. Then I create user such as user1, user2 as member of userlab group. No, they are not member of administrators.

Then in VC I give permission to userlab group with Virtual Machine Power User (example).

One thing that is most visible to me that is strange/buggy is that, as user1, I can change my role (permission) (thus user1 can elevate his permission as administrator). Whereas in the VM Power User (example) role that is clearly unassigned.

What do you think?

0 Kudos
purduecjs
Enthusiast
Enthusiast
‎11-30-2009 05:06 PM
Jump to solution

To which object are you assigning the role "Virtual Machine Power User (example)"?

I was not able to replicate this problem. Is this a clean install or do you have other permissions assigned that might be taking precedence?

Cameron J. Smith

System Administrator, Purdue University

-- Cameron
fajarpri
Enthusiast
Enthusiast
‎11-30-2009 07:58 PM
Jump to solution

Really you don't have this problem? It's a very clean install. Fresh XP, ESXi4.0. Only two roles now: Administrator and VM Power User (example).

I assign the permission to the Host.

Could the bug is triggered by I'm logging at the same time to the VC as administrator from the same XP? But then, when I suspect this, I reboot the XP (VC Server), the problem persists. Too bad I don't compare the permission when I haven't done the double login.

What do you think?

0 Kudos
purduecjs
Enthusiast
Enthusiast
‎11-30-2009 08:09 PM
Jump to solution

No, I've tried this again with the same result - my user cannot add/edit/remove roles nor add/remove permissions to any objects. I added the "Virtual Machine Power User (sample)" role to an ESX4 host which resides in a cluster, in a datacenter, running on a vCenter 4 instance.

I don't believe that this is triggered by logging into vcenter with two different usernames.

So you are running vcenter on windows xp and you are also launching the vc client on the same machine? Can you also list the local groups that userX belongs to?

Cameron J. Smith

System Administrator, Purdue University

-- Cameron
0 Kudos
fajarpri
Enthusiast
Enthusiast
‎11-30-2009 08:26 PM
Jump to solution

Yes, I run the vsphere client from the XP where VC is installed. So on vSphere client I put "localhost" as the destination.

Upsss.. thanks for asking me to check the membership of user1.

user1 is the first user in the XP, no wonder it has administrators membership. Arrggghhhh silly me.

I test with another user and the permission is correct now.

Thank you so much for pointing me this.

0 Kudos
purduecjs
Enthusiast
Enthusiast
‎11-30-2009 08:28 PM
Jump to solution

Excellent, glad I could help!

Cameron J. Smith

System Administrator, Purdue University

-- Cameron
fajarpri
Enthusiast
Enthusiast
‎11-30-2009 08:37 PM
Jump to solution

I used to work in Educational Institution too. Ping me if you plan to visit Singapore! Smiley Happy

0 Kudos