Which leaves question #2, is VirtualCenter a separate license?

Yes VC is separate and it's another license product.

However, with VIC build 115598, and ESX 3.5 U2, you should be able to set permissions on the Host without VC.

Hello,

Use folders and set the permission on the folders then drag the VMs into the folders.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

Unfortunately it does not appear we have a VirtualCenter license, so I can't go that route.

I've played around with setting permissions on the Virtual Machine folders themselves (e.g. Chmoded one of them and all the contents to 700, changed the owner to one of the userid I lok into the VI Client with).

I was kind of surprised when I was still able to access the Virtual Machine from another userid. With the permissions set like that I was expecting either no one to be able to access the VM, or only the user that owned the files for the Virtual Machine.

Perhaps I have something configured wrong? or does it really change something to drag the Virtual Machines into a folder that has the permissions set (vs. the folder for the actual Virtual Machine). I will definitely have to give it a shot and see. I'd really like something that can prevent users from being able to access all the Virtual Machines, and I know I'm not getting budget approval for VirtualCenter.

The funny thing is that this is so easy to do in Vmware Server (free). It would be kind of crazy if the ESX server could not do some things that Vmware Server could do.

Thanks for your input, I'll let you know how the testing goes.

I think Ed was referring to creating folder with in the VI Client and setting permissions there not folders on the datastore - because I believe the vmkernel will execute the vmx file with root level permission -

Hello,

Correct. I would NOT touch the data on the disk and do everything through the VIC. The VIC also has the concept of folders. However, only VC uses a delegate account. You can give perms in VIC to ESX that behave differently based on disk permissions as well.

My suggestion, do not LET anyone direct access to the VIC unless they are a fully trusted administrator. Let the users use RDP or something like that. It works out so much better.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

Ok, I'm in the DataStore browser in the VIC and I've created folders. I'm not seeing a way to set permissions. Am I in the wrong spot? I've been trying to find another place to edit the folder structure within the VIC and I might just be missing it.

Thanks,

Doug Logan

"You can give perms in VIC to ESX that behave differently based on disk permissions as well." - Any pointers on where to find these settings, or the name of what this is referenced as so I can look it up in the manual?

"My suggestion, do not LET anyone direct access to the VIC unless they are a fully trusted administrator. Let the users use RDP or something like that. It works out so much better."

This is not really going to be possible. We're using the ESX server as a test bed for technicians to setup reproduction environments to replicate issues our customers are having with an installation of our software. As a result I would really like to be able to give technicians the ability to create a vmware image (which to the best of my knowledge can't be done any way besides the VIC). In addition to start/stop the server.

At the same time I would like to prevent one technicain from messing with another technician's image.

Since we're a support organization it is not easy for us to get approval for additional purchases like Virtual Center, though it does seem that would best meet our needs.

I am certainly open to suggestions on the best way to accomplish this goal.

Ok, I seem to found a reference to the interface Textwill mentiones. It is part of the MUI of ESX 2.5 . Since I am on lovely ESX 3.5, this interface does not seem to exist and instead of the indepth File Manager, I get a very limited Datastore browser.

Why is VmWare taking away functionality from the ESX server?

I am quite irritated at this time. I have spent hours trying to do something that would have taking me minutes to accomplish on the free product. If we hadn't paid for the ESX server I would be tempted to format the box and just install the free product.

Why does ESX 3.5 not appear to respect the file permissions like every other version of Vmware I have ever worked with?

I'm not even asking for a freaking GUI tool to accomplish this. I just want some way to limit it so that USERA can only shutdown and startup VmwareA and USERB can only shutdown and startup VmwareB.

Hello,

Actually, I was referring to doing things at the console level NOT at the VIC/VC or any other level. However, here is your issues.

1) VIC to ESX anything you do here actually happens as the vpxuser. You have to setup permissions for users at this level by editing the /etc/vmware/hostd/authorizations.xml file properly.

2) If you have VC it is much better that you use this instead as you do not have to modify files directly.

3) You have to setup a ROLE that limits access to given VMs to given people specifically to allow power on/off and deploy from template. I would not 'allow from create'

4) You are trying to use only the VIC to ESX and not the hybrid edits you are required to do.

5) There needs to be some level of trust within your organization that if the VM is booted, that it not be messed with without checking around. I was part of an organization that used VMs in this manner and any changes required a once around to make sure no one needed the VM.

THe granularity you want to implement exists if you use VC or modify authorizations.xml properly

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

Textiwill,

Thanks for the explanation. It appears that editing that file would accomplish what I wanted to do. I ended up finding an even simplier solution.

Before I got your response I opened a ticket with Vmware. At first the tech told me that the only way to do what I wanted to do was get Virtual Center. Since I found documentation to suggest that this functionality was in ESX 2.5, and it seemed weird to remove a function, I followed up further.

They ended up telling me that the latest version of the VIC added the ability back to set permissions on the individual vmware level (it even allows setting it on the Resource Pool level, which is really cool). Apparently the latest version of the VIC is not available by downloading the VIC by itself. You have to request a demo copy of VirtualCenter and download and install the VIC that is bundled with VirtualCenter.

The VIC is in the following file path:

ZIP_FILE\vpx\VMware-viclient.exe

For Reference:

VIC Version 2.5.0 Build 119598

ESX Version 3.4.0 Build 110268

The technician was concerned on my patch level with the ESX server as well, so I believe this might only work with a certain patch level of ESX. This is why I included the build version for ESX.