VMware Cloud Community
Schaedle
Enthusiast

vCenter 6 and restricted user roles - it works with vSphere Client but NOT with WebClient

Hi,

I have a strange behavior. I set up the vCenter Appliance 6.0.0.10200. It runs pretty fine. Now I started setting up roles as I had them in my old 5.5 environment.

I have a role which only allows interactions with some VMs. This role is assigned to a folder. When I now use the vSphere Client I see these VMs and I'm able to start and stop them and to open the remote console.

But when I try to do the same with the WebClient, it doesn't work. I'm only able to see the VMs when I use the vCenter Inventory Lists icon on the Home screen. It also works when I use the search function. But when I want to power up a VM I get the following error: The "Power on virtual machine" operation failed for the entity with the following error message. Virtual machine cannot be found.

Is there a difference regarding the rights between the vSphere Client and the WebClient?!

In my old environment I only set up rights on a folder and then the assigned user was able to browse down the tree to this folder. Is this a different behavior between 5.5 and 6.0?

Regards Wolfgang

0 Kudos
3 Replies
schepp
Leadership

Hi Wolfgang,

I've seen this problem in the WebClient as well. When I assign some basic user permissions on folder or VM level, the user can't power on a VM, because he might be missing some permissions to browse the datastore and the permission to use host resources.

It's not only a 6.0 problem though, I experienced it in 5.5 as well.

I used a workaround to distribute some read-only permissions on some objects.

Maybe someone has a better solution, as my permissions are a bit messy with these workarounds.

Tim

0 Kudos
Schaedle
Enthusiast

Hi Tim,

In 5.5 the behavior is a bit different, e.g. you are able to use the console (unfortunately not the VMRC). And you see the VMs under Hosts and Clusters. I am able to stop or restart a VM. Powering up also seems not to work.

Because I don't want to mess up my rights I hoped to get help here. But "good" to know that I'm not alone ;)

Thanks Wolfgang

0 Kudos
Schaedle
Enthusiast

I contacted VMware Service; they explained the reason for the behavior.

It has to do with the connection. If I connect via the classic client then I have a direct connection to the vCenter and so it works pretty fine. If I connect through the WebClient then the PSC is used and so that is the reason. That's what I understood.

The only way is the old solution: to give these users/groups read-only rights at the top and on all passed nodes in the tree. It's sufficient to give these rights with no inheritance. The best is to do this on the folder view.

But the situation is still bad and the support did not answer my following problem. Now these users are able to see the permissions, alarms, ... on the folders where they have read-only rights. I don't like this.

Also there is no solution to use the VMRC because in that case the user needs access rights for the host itself. That's once again too much and I don't want to set these rights.

Sadly, the WebClient is not a new feature and it still has these "problems".

Regards Wolfgang

0 Kudos
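The workaround from the last post (read-only on every node above the folder, without inheritance), modelled as an added example that is not part of the thread and does not talk to vCenter. The inventory, the user `alice` and the role name `VMOperator` are constructed, and the model is simplified to a single principal with a direct entry overriding a propagated one. It compares which objects the user ends up with a role on when the read-only entries do and do not propagate.

```python
# Constructed inventory (child -> parent); every name here is hypothetical.
PARENT = {"root": None, "DC1": "root", "vm": "DC1",
          "TeamA": "vm", "TeamB": "vm", "web01": "TeamA", "db01": "TeamB"}

def ancestors(entity):
    """Nodes between the entity and the inventory root, nearest first."""
    chain, node = [], PARENT[entity]
    while node is not None:
        chain.append(node)
        node = PARENT[node]
    return chain

def traversal_grants(principal, entity, propagate=False):
    """The thread's workaround: one read-only entry on each ancestor."""
    return [(a, principal, "ReadOnly", propagate) for a in ancestors(entity)]

def effective_role(perms, principal, entity):
    """A direct entry wins; otherwise the nearest propagating ancestor entry."""
    table = {(e, p): (role, prop) for e, p, role, prop in perms}
    if (entity, principal) in table:
        return table[(entity, principal)][0]
    for a in ancestors(entity):
        hit = table.get((a, principal))
        if hit and hit[1]:
            return hit[0]
    return None

def exposure(perms, principal):
    """Every inventory object on which the principal ends up with some role."""
    return sorted(n for n in PARENT if effective_role(perms, principal, n))

# Role assigned on the folder, as in the original post (role name is made up).
folder_role = [("TeamA", "alice", "VMOperator", True)]
narrow = folder_role + traversal_grants("alice", "TeamA")
broad = folder_role + traversal_grants("alice", "TeamA", propagate=True)

if __name__ == "__main__":
    print("no inheritance:", exposure(narrow, "alice"))
    print("with inheritance:", exposure(broad, "alice"))
```

Without inheritance the sibling folder `TeamB` and its VM stay invisible; the ancestors themselves are still readable, which is the exposure the last post objects to.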