VMware Cloud Community
sfont3n
Enthusiast

VC rights

Trying to create a role where a group of users are just able to power on, reset, and turn off VMs. Also would like these users to be able to attach their CD-ROM from their PC to the VM. Does anyone know exactly which rights they need to attach a local CD-ROM to a VM?

0 Kudos
27 Replies
sfont3n
Enthusiast

What Mike suggested.

I had to clone read-only rights, apply it to hosts and clusters with no propagate, and go to intervention and CD-ROM access and add the groups to that role.

0 Kudos
richardt
Contributor

Tried this and now users can see the cluster information - host, DRS, Task & events.

In a hosting environment this is not good. I'll log a support call for a fix or workaround.

0 Kudos
mike_laspina
Champion

This post went offline, so to clarify what was discussed I will post the action items.

Clone the ReadOnly role and enable the Virtual Machine->Interaction->Device Connection permission.

Create a group, either AD or local with an AD group in it, and assign this Group+Role to the Hosts and Cluster level without propagation.

This assignment itself will not grant any visibility to VMs, hosts or clusters because it is not propagated.

I have tested it.

http://blog.laspina.ca/ vExpert 2009
0 Kudos
richardt
Contributor

Thanks Mike,

Just tested the setup and tested with a user who is a member of that domain group.

At the root of the cluster I can see all the TABs. Remove the group from the Cluster Root permissions and the view changes to "Your do not have permission to access this object"

With the above settings, still getting "Permission to perform this operation was denied" when the user has "Virtual Machine Power User" rights to the VM.

Still waiting on VMware support.

0 Kudos
mike_laspina
Champion

In addition to what I suggested for the original post, an AD group was already created and applied at the Cluster level, granting the group a cloned Virtual Machine User role with the connect perm added. This permission was propagated at that level. I would not use built-in groups as they can be trouble in some cases.

http://blog.laspina.ca/ vExpert 2009
0 Kudos
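The two assignments described in mike_laspina's posts above (a non-propagated ReadOnly clone at the top level, plus a propagated Virtual Machine User clone at the cluster), written out as an added PowerCLI example that is not part of the original thread. The group, cluster and new role names are placeholders, an existing `Connect-VIServer` session is assumed, and mapping "Hosts and Cluster level" to the root inventory folder is an assumption.

```powershell
# Added example, not from the thread. Assumes PowerCLI is loaded and
# Connect-VIServer has already been run against the target server.
# Placeholder values (hypothetical): group, cluster and new role names.
$group       = 'EXAMPLE\VM-Operators'
$clusterName = 'Cluster01'

# The privilege behind Virtual Machine -> Interaction -> Device Connection.
$deviceConn = Get-VIPrivilege -Id 'VirtualMachine.Interact.DeviceConnection'

function New-ClonedRole {
    # Copy a built-in role's privileges into a new role and add one more.
    param([string]$Source, [string]$Name, $ExtraPrivilege)
    $base  = Get-VIRole -Name $Source
    $privs = @(Get-VIPrivilege -Role $base) + $ExtraPrivilege |
             Sort-Object -Property Id -Unique   # avoid duplicate entries
    New-VIRole -Name $Name -Privilege $privs
}

$roRole = New-ClonedRole -Source 'ReadOnly' `
                         -Name 'ReadOnly-DeviceConnect' `
                         -ExtraPrivilege $deviceConn
$vmRole = New-ClonedRole -Source 'VirtualMachineUser' `
                         -Name 'VMUser-DeviceConnect' `
                         -ExtraPrivilege $deviceConn

# Assignment 1: top of the inventory, NOT propagated, so it grants
# nothing on child objects (assumed to be the root folder here).
$root = Get-Folder -NoRecursion
New-VIPermission -Entity $root -Principal $group -Role $roRole -Propagate:$false

# Assignment 2: cluster level, propagated down to the VMs beneath it.
$cluster = Get-Cluster -Name $clusterName
New-VIPermission -Entity $cluster -Principal $group -Role $vmRole -Propagate:$true

# Audit: list every object where the group holds a role and whether it
# propagates, to confirm nothing wider than intended was granted.
Get-VIPermission -Principal $group |
    Select-Object Entity, Role, Propagate |
    Format-Table -AutoSize
```

The final listing is the part to review in a shared or hosting environment: any row with `Propagate` set to `True` exposes everything beneath that entity to the group.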
richardt
Contributor

Just got an update from VM support.

Cause:

This error was being raised due to a dynamic privileges checking code.

Solution:

The code has been rectified, and this issue does not exist in VirtualCenter 2.5 Update 1.

Currently engineering is working on this update, with no ETA as of now.

0 Kudos
taroliw
Contributor

Yeah, well that's dandy of support to /say/ that but I don't believe it for a moment. I just upgraded to 2.5U1 (84767) and am still sorting through problems that have developed in my previous permission settings in 2.0.1. I have 3 datacenters, 6 clusters spread amongst them, and pretty serious folder structure in the VM view. I grant selective read-only, user, VM admin, and cloning permissions based on groups to different parts of the folder structure and clusters.

The big headache came when I found that folks with user perms were getting spurious "permission denied" messages even though their actual operations were completing fine. Through observation, we figured out that the error was related to the ESX host name not showing up in the "Host" column or in the title bar of console windows. So I granted DC browser privileges to the ESX hosts and voilà! But I'm sure there must be a better way.

I just wish there was some actual freakin' documentation of how they've adjusted the permissions model. The documentation in the admin guide is a real joke because it fails to illuminate the task permission requirements on different parts of the object model. Even the information I got for VC 1.x and 2.0.x came from the community... so has someone actually sorted this out yet? I'm muddling through for the moment, but it's especially frustrating.

0 Kudos
richardt
Contributor

I'll find out this weekend if SP1 fixes the CD-ROM mount permission errors. I have been putting it off, waiting for some community feedback on SP1. From what you are saying, the permissions are still not 100% fixed :(

richard

0 Kudos