MariusRoma

Users and permissions

We are trying to allow some users to perform administrative tasks (e.g. cloning VMs) on the VMs included in a given folder.

We create a role by cloning the "Administrator" role (that is, all available rights), we select a folder, and we try to assign the cloned role to a given user (let's say JDoe) over the folder and the objects inside the folder.

Based on our tests, the user JDoe is still unable to perform all the operations we would expect on the VMs included in the folder.

For example, he is unable to clone a VM inside the folder.

Somebody says we should make JDoe administrator of the Windows host that acts as vCenter: is it correct?

Where can we locate detailed documentation about the right way to provide elevated user rights to users over a limited part of a vSphere infrastructure?

In other words, how can we make a user, let's say JDoe, administrator but only on a limited subset of our vSphere infrastructure?

Can anybody please help?

Regards

marius

jrmunday

You need to ensure that the role you have created has the required permissions on all affected objects (i.e. hosts, resource pools, storage, networks, etc.). If you only permission the role on a specific folder then you won't have access to the other objects and will not be able to complete the "Clone Virtual Machine" wizard.

As a simple test, permission your role against the datacenter instead of the folder and you should have access to the required hosts etc. to complete the clone. Obviously ensure that you are only granting the required permissions by testing extensively.

Cheers,

Jon

vExpert 2014 - 2022 | VCP6-DCV | http://www.jonmunday.net | @JonMunday77
MariusRoma

Thank you for your message.

I realize that assigning rights over a folder is not enough, but assigning rights at the datacenter level is what I want to avoid if not strictly necessary.

Is there any documentation about the minimum rights at datacenter level required to perform given actions at folder level?

In other words, what is the minimum right I should assign at datacenter level to allow user JohnDoe to clone a VM inside the folder "Rome Branch"?

Regards

marius

jrmunday

Hi Marius,

I did a quick test, and the minimum required was as follows (role permissioned at the DC level);

Datastore --> Allocate Space

Network --> Assign Network

Resource --> Assign virtual machine to resource pool

Virtual Machine --> Provisioning --> Clone Virtual Machine

This obviously does what it says on the tin ... you can clone a VM and nothing else. Once you have cloned the VM you don't have any rights to make changes (i.e. Edit settings, Power On, etc.).

Perhaps you could create this minimum role at the DC level, and another role granting the additional VM configuration rights at the "Rome Branch" folder.

Cheers,

Jon

vExpert 2014 - 2022 | VCP6-DCV | http://www.jonmunday.net | @JonMunday77
MariusRoma

Great!

It works, but I had to assign the "No Access" permission to my user JDoe on all the folders I don't want to allow him to browse.

Many, many thanks

marius
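
The layout the thread arrives at (a minimum clone role at the datacenter, the broader role on "Rome Branch", and "No Access" on the other folders), written out as a PowerCLI sketch. This is an added example, not code posted by anyone in the thread; the datacenter name, the domain prefix on the user, the role names and the blocked folder list are assumptions.

```powershell
# Prerequisite: VMware PowerCLI with an open session (Connect-VIServer).
# Assumptions, not from the thread: datacenter name, domain prefix,
# role names and the list of blocked folders.
$dcName         = 'DC01'
$principal      = 'EXAMPLE\JDoe'
$cloneRoleName  = 'CloneOnly-DC'
$folderRoleName = 'RomeBranch-VMAdmin'   # existing role holding the extra VM rights
$allowedFolder  = 'Rome Branch'          # folder named in the thread
$blockedFolders = @('Milan Branch')

# Privilege IDs for the four privileges listed in the answer.
$cloneIds = 'Datastore.AllocateSpace', 'Network.Assign',
            'Resource.AssignVMToPool', 'VirtualMachine.Provision.Clone'
$privs = @(Get-VIPrivilege -Id $cloneIds)
if ($privs.Count -ne $cloneIds.Count) { throw 'A clone privilege ID did not resolve.' }

# 1. Minimum clone role, created once and granted at the datacenter.
$cloneRole = Get-VIRole -Name $cloneRoleName -ErrorAction SilentlyContinue
if (-not $cloneRole) { $cloneRole = New-VIRole -Name $cloneRoleName -Privilege $privs }
$dc = Get-Datacenter -Name $dcName
New-VIPermission -Entity $dc -Principal $principal -Role $cloneRole -Propagate:$true | Out-Null

# 2. Broader VM rights only on the one folder.
$folder = Get-Folder -Name $allowedFolder -Type VM -Location $dc
New-VIPermission -Entity $folder -Principal $principal `
    -Role (Get-VIRole -Name $folderRoleName) -Propagate:$true | Out-Null

# 3. Built-in No Access role on folders the user should not browse.
$noAccess = Get-VIRole -Name 'NoAccess'
foreach ($name in $blockedFolders) {
    $blocked = Get-Folder -Name $name -Type VM -Location $dc
    New-VIPermission -Entity $blocked -Principal $principal -Role $noAccess -Propagate:$true | Out-Null
}

# 4. Review: every permission the principal holds, and what the datacenter role contains.
Get-VIPermission -Principal $principal |
    Format-Table Entity, Role, Propagate -AutoSize
(Get-VIRole -Name $cloneRoleName).PrivilegeList | Sort-Object
```

A permission set directly on a folder replaces the one the same user inherits from the datacenter, so the folder role must itself contain the clone privilege; re-run step 4 after any change to confirm nothing broader than intended is granted.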

0 Kudos