VMware Infrastructure Roles and Permissions question

Posted on 2009-02-17
Last Modified: 2012-06-27

My question involves roles and permissions within Virtual Infrastructure.
We are running about 100 virtual machines hosted across several ESX servers.
We are using Virtual Infrastructure 2.5 U3 to manage these machines. This is
set up for several groups of users/admins.

Datacenter Admin group / Everyone Read access
       - MachineGroup1 {just a folder} / Group1
       - MachineGroup2 / Group2
       - MachineGroup3 / Group3
       - MachineGroup4 / Group4

There is an admin group for the datacenter that allows full admin access for all machines
and another group at the datacenter level set for read-only access. Each machine group
then has a group associated with it so I can let users administer their set of virtual machines
without them touching other virtual machine groups.

The way things are set up now... the standard groups are only able to see/manage their individual groups
but not anyone else's machines. Admins are able to see all machines/full control/etc.

What I am trying to figure out is how to allow users to create virtual machines within their
machine group but nowhere else. I have set up a custom role and assigned various permissions, but I keep running into a permission denied error when I need to select the cluster for the new machine.

Any help would be appreciated...  :)
Question by:fertigj
    LVL 7

    Expert Comment

    VirtualCenter does not depend upon Windows Administrative Privileges when defining roles.
    For example, I can create a user account with standard privileges and then create a new Role in VirtualCenter which enables the account to manage the respective area where I assign permissions.
    LVL 4

    Expert Comment

    So from reading your post, it looks like you set up roles and assigned users to the role already. Do you have each role designated to the machine groups? You won't have them at the datacenter level if you want them to only have access to their machine groups.

    How do you have your machine groups separated? If you have it by clusters or resource groups, you can just click on the permissions tab and see the user and role assigned to that cluster or resource group. If you have this set up correctly then I would assume the permissions for the role need to be defined.

    Hope that helps.
    LVL 1

    Author Comment

    Datacenter --> ReadOnly
      --> Machine Level1 (grant administrator access below)
      --> Machine Level2 (grant administrator access below)
      --> Machine Level3 (grant administrator access below)

    There is an Active Directory group for MachineLevel1, 2, 3 and I add the appropriate people to the proper groups. The only reason I have ReadOnly at the datacenter level is VI 2.5 had a bug... if people did not have read access at this level they were not able to see their machines below.

    The machines are all part of the same resource pool... they are separated into a number of folders {just a logical divider I know :) }. The folder level is where I place the permissions for each group. I would like to allow people to be able to add machines at this level but nowhere else. I am trying to create a custom role for this, and I need to figure out what permissions are needed for this.

    LVL 4

    Expert Comment

    Do you have Virtual Machine - Inventory - Create as a privilege?

    Accepted Solution

    If your "folders" are resource pools, the problem with this is that if one guy has access to make VMs all day in Machine Group1, then this will impact the resource allocation for the whole datacenter. It is best if the god administrator is the one making the VMs and then he can adjust the resource pools accordingly.
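Added example, not part of this thread and not from any of the posters: a PowerCLI script that grants a group the right to create VMs only in its own folder, following the layout the question describes (read-only at the datacenter, per-group AD group, permission placed on the group's folder). The point it demonstrates is the one behind the "permission denied" at the cluster step: VM creation is checked on four separate inventory objects, so Virtual Machine - Inventory - Create on the folder is not enough by itself; the destination resource pool also needs Resource.AssignVMToPool, the datastore needs Datastore.AllocateSpace and the port group needs Network.Assign. Granting each of those on one narrow object, without propagation, keeps the group inside its own pool, which also limits the resource-allocation concern in the accepted answer. All server, folder, pool, datastore, network and group names are placeholders, and the script assumes a PowerCLI release with `Get-VirtualNetwork` (newer than the VI 2.5 era of the thread); adjust to your inventory.

```powershell
# Added example (not from this thread). Assumes PowerCLI is installed and the
# caller already holds Administrator at the vCenter level.
Connect-VIServer -Server 'vcenter.example.local' | Out-Null   # placeholder name

# Placeholders: the group's folder, its AD group, and the objects it may use.
$groupFolderName = 'MachineGroup1'     # folder in which Group1 may create VMs
$groupPrincipal  = 'CORP\VI-Group1'    # AD group for that folder
$poolName        = 'Pool-Group1'       # resource pool their VMs must land in
$datastoreName   = 'DS-Group1'         # datastore they may allocate space on
$networkName     = 'VLAN-Group1'       # port group they may attach to

# Creates the role if it does not exist yet, then binds it to exactly one object.
function Grant-ScopedRole {
    param(
        [string]   $RoleName,
        [string[]] $PrivilegeIds,
        $Entity,
        [string]   $Principal,
        [bool]     $Propagate
    )
    $role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
    if (-not $role) {
        $privs = Get-VIPrivilege -Id $PrivilegeIds
        $role  = New-VIRole -Name $RoleName -Privilege $privs
    }
    New-VIPermission -Entity $Entity -Principal $Principal `
                     -Role $role -Propagate:$Propagate | Out-Null
}

# 1. Folder: the VM object itself. Propagate so the group keeps managing the
#    VMs it creates. (If the folder already carries Administrator, as in the
#    question, this grant is redundant and steps 2-4 are the missing pieces.)
Grant-ScopedRole -RoleName 'VMCreate-Folder' `
    -PrivilegeIds @('VirtualMachine.Inventory.Create',
                    'VirtualMachine.Config.AddNewDisk') `
    -Entity (Get-Folder -Name $groupFolderName) `
    -Principal $groupPrincipal -Propagate $true

# 2. Resource pool: the only place the group may put a VM. No propagation, so
#    child pools or the cluster above stay off limits.
Grant-ScopedRole -RoleName 'VMCreate-Pool' `
    -PrivilegeIds @('Resource.AssignVMToPool') `
    -Entity (Get-ResourcePool -Name $poolName) `
    -Principal $groupPrincipal -Propagate $false

# 3. Datastore: disk space may be allocated only here.
Grant-ScopedRole -RoleName 'VMCreate-Datastore' `
    -PrivilegeIds @('Datastore.AllocateSpace') `
    -Entity (Get-Datastore -Name $datastoreName) `
    -Principal $groupPrincipal -Propagate $false

# 4. Network: the NIC may be attached only to this port group.
Grant-ScopedRole -RoleName 'VMCreate-Network' `
    -PrivilegeIds @('Network.Assign') `
    -Entity (Get-VirtualNetwork -Name $networkName) `
    -Principal $groupPrincipal -Propagate $false

# Verify: every permission this group holds, where it sits, and whether it
# propagates. Anything at the datacenter level other than Read-Only is a finding.
Get-VIPermission -Principal $groupPrincipal |
    Select-Object Entity, Role, Propagate |
    Format-Table -AutoSize
```

The verification query at the end is the check to run after any change here: the group should show one propagating entry on its folder and three non-propagating entries on the pool, datastore and network, and nothing else beyond the read-only entry at the datacenter. If the accepted answer's worry about runaway resource usage matters, cap the group's pool with `Set-ResourcePool -CpuLimitMhz` and `-MemLimitMB` rather than widening the permissions.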
    LVL 1

    Author Closing Comment

    Partial answer to my problem... but worked
