Hey,
thank you in advance to everyone who has the patience to read all this, but I think it is necessary to understand the scenario.
We have a problem with our vSphere 6.0 U2 environment concerning the permissions that are necessary to be able to clone a vm to a template and create a vm from a template. Maybe we have a special usage scenario that is not so common, but what we do worked out with vSphere 5.5, which we were using until some weeks ago.
We are a small datacenter with several departments. Every department has its own resource pool in our vSphere cluster. Within their resource pools users (departments) are able to use all typical vSphere features like create/delete virtual machines, take snapshots and create templates from vms and vice versa directly by using vSphere Client. To be able to do that every department has been assigned permissions to resource pools, datastores, vm-folders and port groups. In that configuration every user has the maximum functionality, but is still separated from other users, and we are able to control resource usage by configuring shares and limits on the departments' resource pools. As I said, it all worked fine with vSphere 5.5.
To clone to a template you need the following privileges:
Taken from here, page 38: https://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-virtua...
The privilege to assign a virtual machine to a resource pool is provided on the resource pool level in our environment and not on the host or cluster level, but that should be fine according to the document (it says "or"). Anyhow, when you try to clone a vm to a template with privileges like that, you get an error that "read only" permissions on the cluster level are needed. When you add those permissions and try again, there is another error that privileges to "Assign virtual machine to resource pool" are needed on the cluster level. When you add those permissions cloning finally works, but the security policy of our environment is no longer intact. With permissions like that any user is shown all resources (i.e. any vm in any resource pool). Moreover, users are now able to migrate virtual machines between resource pools and by that gain full access to any vm when they move it to their own resource pool.
We are looking for anybody who can confirm the issue in another environment and of course for a workaround or any idea that would help us provide the functionality to our users like it was in 5.5. Thank you for any input.
Simple solution:
When you assign the additional permissions at the Cluster and Datacenter level, simply un-check "propagate" to keep your security intact. I wrote it up here: Cloud permissions for VMware vSphere (Roles, Privileges and Permissions) - JohnBorhek.com
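An audit check for the configuration this reply describes, added here as an example and not taken from the thread or from the linked write-up: it lists cluster- and datacenter-level permissions whose role carries "Assign virtual machine to resource pool" and that still propagate to child objects. It assumes PowerCLI is loaded, that Connect-VIServer has already been run, and that the privilege id for "Assign virtual machine to resource pool" is `Resource.AssignVMToPool` (confirm with Get-VIPrivilege in your own environment).

```powershell
# Added audit example (not from the thread). Flags permissions on cluster and
# datacenter objects whose role includes the "Assign virtual machine to resource
# pool" privilege and that propagate, i.e. the combination the thread describes
# as letting users see and move vms across departments.
# Assumptions: PowerCLI loaded, Connect-VIServer already done, and the privilege
# id below is correct (check with: Get-VIPrivilege | Where-Object Name -like 'Assign*').
$privilegeId = 'Resource.AssignVMToPool'

# Names of all roles that contain the privilege in question
$riskyRoles = Get-VIRole |
    Where-Object { $_.PrivilegeList -contains $privilegeId } |
    Select-Object -ExpandProperty Name

# Only the top-level containers matter here: clusters and datacenters
$containers = @(Get-Cluster) + @(Get-Datacenter)

$findings = foreach ($obj in $containers) {
    Get-VIPermission -Entity $obj |
        Where-Object { ($riskyRoles -contains $_.Role) -and $_.Propagate } |
        ForEach-Object {
            [PSCustomObject]@{
                Entity    = $obj.Name
                Principal = $_.Principal
                Role      = $_.Role
                Propagate = $_.Propagate
            }
        }
}

if ($findings) {
    Write-Warning "Propagating permissions with '$privilegeId' found on cluster/datacenter objects:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No propagating permissions with '$privilegeId' on cluster or datacenter objects."
}
```

Each reported permission can be corrected with `Set-VIPermission -Propagate:$false`, which applies the un-check described in the reply; re-running the audit afterwards should return nothing.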
Thank You! That is a good hint. Indeed, when you configure it that way, users cannot see every resource pool and vm. That is way better.
There is one problem left. When we give the privilege "Assign virtual machine to resource pool" to users on the cluster level, even if propagate is un-checked and users therefore cannot move machines into each other's resource pools, they are still able to move machines directly to the cluster resource pool. They would be able to bypass the resource restrictions we set on their resource pools.
Am I still missing out on something? Is there another trick that will do it?
I did some more research. To move a vm to a resource pool you need the following privileges:
On the virtual machine or folder of virtual machines:
On the destination resource pool:
Our users already have the privilege "Assign virtual machine to resource pool" on their own machines, because they are able to move machines between a productivity and a test resource pool of the department. Therefore they are now able to move machines to the cluster resource pool after giving the privilege on the cluster level.