fertigj
VMware Infrastructure Roles and Permissions quest

Hello..

My question involves roles and permissions within Virtual Infrastructure.
We are running about 100 virtual machines hosted across several ESX servers.
We are using Virtual Infrastructure 2.5 U3 to manage these machines. This is
set up for several groups of users/admins.


Datacenter Admin group/ Everyone Read access
   -Cluster
       -MachineGroup1 {just a folder} / Group1
          -Server1
          -Server2
          -Server3
       -MachineGroup2 / Group2
          -Server1
          -Server2
          -Server3
       -MachineGroup3 /Group3
          -Server1
          -Server2
          -Server3
       -MachineGroup4 / Group4
          -Server1
          -Server2
          -Server3

There is an admin group for the datacenter that allows full admin access for all machines
and another group at the datacenter level set for readonly access.   Each machine group
then has a group associated with it so I can let users administer their set of virtual machines
without them touching other virtual machine groups.

The way things are set up now... the standard groups are only able to see/manage their individual groups
but not anyone else's machines. Admins are able to see all machines/full control/etc.

What I am trying to figure out is how to allow users to create virtual machines within their
machine group but nowhere else. I have set up a custom role and assigned various permissions, but I keep
running into a permission denied error when I need to select the cluster for the new machine.

Any help would be appreciated...  :)
kumarnirmal

VirtualCenter does not depend upon Windows Administrative Privileges when defining roles.
For example, I can create a user account with standard privileges and then create a new Role in VirtualCenter which enables the account to manage the respective area where I assign permissions.
So from reading your post, it looks like you set up roles and assigned users to the role already. Do you have each role designated to the machine groups? You won't have them at the datacenter level if you want them to only have access to their machine groups.

How do you have your machine groups separated? If you have it by clusters or resource groups, you can just click on the permissions tab and see the user and role assigned to that cluster or resource group. If you have this set up correctly then I would assume the permissions for the role need to be defined.

Hope that helps.
fertigj

ASKER

Datacenter  -->ReadOnly
  -->Machine Level1 (grant administrator access below)
  -->Machine Level2 (grant administrator access below)
  -->Machine Level3 (grant administrator access below)

There is an Active Directory group for MachineLevel1, 2, 3 and I add the appropriate people to the proper groups. The only reason I have ReadOnly at the datacenter level is VI 2.5 had a bug... if people did not have read access at this level they were not able to see their machines below.

The machines are all part of the same resource pool... they are separated into a number of folders {just a logical divider, I know :) }. The folder level is where I place the permissions for each group. I would like to allow people to be able to add machines at this level but nowhere else. I am trying to create a custom role for this... and I need to figure out what permissions are needed for this.

Thoughts?
Do you have Virtual Machine - Inventory - Create as a privilege?
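As an added example (not posted in this thread and not VMware's own sample code), the following PowerCLI script builds the kind of split the asker describes: a custom role carrying the Virtual Machine - Inventory - Create privilege assigned on the machine group's folder, plus a separate, deliberately narrow role on the cluster so the "select cluster" step stops failing without handing the group any rights over other groups' VMs. The folder, cluster, datastore, port group, server and AD group names are placeholders. It is an assumption, to be verified against the reader's VirtualCenter version, that these cmdlets are available and that placing a new VM needs the Resource.AssignVMToPool, Datastore.AllocateSpace and Network.Assign privileges on the respective objects.

```powershell
# Added example: least-privilege VM creation scoped to one folder (PowerCLI).
# Assumptions: PowerCLI with New-VIRole/New-VIPermission is installed and the
# privilege IDs below exist on the target VirtualCenter; all names are placeholders.
Connect-VIServer -Server 'vcenter.example.local'      # placeholder VirtualCenter host

$folderName    = 'MachineGroup1'     # folder the group may create VMs in
$clusterName   = 'Cluster'           # cluster / resource pool the new VMs are placed into
$datastoreName = 'Datastore1'        # placeholder datastore for the new VM files
$portGroupName = 'VM Network'        # placeholder port group the new VM connects to
$principal     = 'EXAMPLE\Group1'    # placeholder AD group for this machine group

# 1. Role applied on the folder: create and do basic work on VMs, nothing outside it.
$folderPrivs = @(
    'VirtualMachine.Inventory.Create',   # the privilege named in the thread
    'VirtualMachine.Config.AddNewDisk',  # needed when the wizard creates a new disk
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff'
)
$folderRole = New-VIRole -Name 'MachineGroup VM Creator' `
                         -Privilege (Get-VIPrivilege -Id $folderPrivs)

# 2. Placement-only roles, assigned WITHOUT propagation on the objects the wizard
#    touches outside the folder. They let the new VM be placed, but grant no
#    rights on the VMs, datastores or networks of the other groups.
$poolRole = New-VIRole -Name 'VM Placement Only' `
                       -Privilege (Get-VIPrivilege -Id 'Resource.AssignVMToPool')
$dsRole   = New-VIRole -Name 'VM Datastore Space Only' `
                       -Privilege (Get-VIPrivilege -Id 'Datastore.AllocateSpace')
$netRole  = New-VIRole -Name 'VM Network Assign Only' `
                       -Privilege (Get-VIPrivilege -Id 'Network.Assign')

# 3. Assign: the folder gets the creator role propagated to the VMs inside it;
#    cluster, datastore and port group get their narrow role with no propagation.
New-VIPermission -Entity (Get-Folder -Name $folderName) `
                 -Principal $principal -Role $folderRole -Propagate:$true
New-VIPermission -Entity (Get-Cluster -Name $clusterName) `
                 -Principal $principal -Role $poolRole -Propagate:$false
New-VIPermission -Entity (Get-Datastore -Name $datastoreName) `
                 -Principal $principal -Role $dsRole -Propagate:$false
New-VIPermission -Entity (Get-VirtualPortGroup -Name $portGroupName) `
                 -Principal $principal -Role $netRole -Propagate:$false

# 4. Verify the effective assignments for the group: ReadOnly at the datacenter
#    (already configured by the asker), the creator role on its own folder, and
#    only the placement roles on the shared objects. Anything broader is a mistake.
Get-VIPermission -Principal $principal | Select-Object Entity, Role, Propagate
```

The point of the non-propagating assignments is that the cluster, datastore and network are shared across all machine groups; a propagating administrator-style role on any of them would quietly give Group1 control of Group2's VMs, which is exactly the boundary the asker wants to keep. Repeat step 3 per folder and AD group for the other machine groups, and review the output of step 4 after each change.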
ASKER CERTIFIED SOLUTION
jodiemr

This solution is only available to members.

ASKER

Partial Answer to my problem...but worked