
VMware Infrastructure Roles and Permissions quest

fertigj asked
Medium Priority
Last Modified: 2012-06-27

My question involves roles and permissions within Virtual Infrastructure.
We are running about 100 virtual machines hosted across several ESX servers.
We are using Virtual Infrastructure 2.5 U3 to manage these machines. This is
set up for several groups of users/admins.

Datacenter: Admin group / Everyone read access
       -MachineGroup1 {just a folder} / Group1
       -MachineGroup2 / Group2
       -MachineGroup3 / Group3
       -MachineGroup4 / Group4

There is an admin group for the datacenter that allows full admin access for all machines,
and another group at the datacenter level set for read-only access. Each machine group
then has a group associated with it so I can let users administer their set of virtual machines
without them touching other virtual machine groups.

The way things are set up now, the standard groups are only able to see/manage their individual groups
but not anyone else's machines. Admins are able to see all machines, have full control, etc.

What I am trying to figure out is how to allow users to create virtual machines within their
machine group but nowhere else. I have set up a custom role and assigned various permissions, but I keep running into a permission denied error when I need to select the cluster for the new machine.

Any help would be appreciated...  :)

VirtualCenter does not depend on Windows administrative privileges when defining roles.
For example, I can create a user account with standard privileges and then create a new role in VirtualCenter which enables the account to manage the respective area where I assign permissions.
So from reading your post, it looks like you have set up roles and assigned users to the roles already. Do you have each role designated to the machine groups? You won't have them at the datacenter level if you want them to only have access to their machine groups.

How do you have your machine groups separated? If you have it by clusters or resource groups, you can just click on the Permissions tab and see the user and role assigned to that cluster or resource group. If you have this set up correctly, then I would assume the permissions for the role need to be defined.

Hope that helps.


Datacenter --> ReadOnly
  --> Machine Level1 (grant administrator access below)
  --> Machine Level2 (grant administrator access below)
  --> Machine Level3 (grant administrator access below)

There is an Active Directory group for MachineLevel1, 2, 3 and I add the appropriate people to the proper groups. The only reason I have ReadOnly at the datacenter level is that VI 2.5 had a bug: if people did not have read access at this level, they were not able to see their machines below.

The machines are all part of the same resource pool; they are separated into a number of folders {just a logical divider, I know :) }. The folder level is where I place the permissions for each group. I would like to allow people to be able to add machines at this level but nowhere else. I am trying to create a custom role for this, and I need to figure out what permissions are needed for it.

Do you have Virtual Machine - Inventory - Create as a privilege?
If your "folders" are resource pools, the problem with this is that if one guy has access to make VMs all day in Machine Group1, this will impact the resource allocation for the whole datacenter. It is best if the god administrator is the one making the VMs, and then he can adjust the resource pools accordingly.
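An added example, not code posted by anyone in this thread, that puts together the folder layout from the question and the Inventory - Create privilege named in the answer above. Creating a VM in VirtualCenter is checked against several inventory objects at once, not just the folder: Virtual machine > Inventory > Create new (plus the Configuration privileges the wizard needs to add a disk and devices) on the destination folder, Resource > Assign virtual machine to resource pool on the cluster or resource pool chosen in the wizard, Datastore > Allocate space on the target datastore, and Network > Assign network on the port group. A role that only carries the folder-side privileges fails exactly at the "select cluster" step. The script below therefore builds two roles: one scoped to the folder that carries the create/manage privileges, and one with only the resource-consumption privileges that is granted higher up but contains no Inventory.Create, so the "nowhere else" rule still holds. It assumes VMware PowerCLI (the VI Toolkit of the 2.5 era) and placeholder names: VirtualCenter server vc.example.com, AD group CORP\Group1, VM folder MachineGroup1, datacenter DC1, and the role names Group-VM-Admin and Group-VM-Placement.

```powershell
# Added example; not from the original thread. Assumes VMware PowerCLI connected
# to VirtualCenter, and placeholder names: vc.example.com, CORP\Group1,
# VM folder MachineGroup1, datacenter DC1.
Connect-VIServer -Server 'vc.example.com'

# Role 1: what Group1 may do inside its own folder. Inventory.Create is the
# privilege that places a new VM in the inventory; the Config privileges are
# what the New Virtual Machine wizard needs to attach a disk and devices.
$folderPrivIds = @(
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Inventory.Delete',
    'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.AddExistingDisk',
    'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.ConsoleInteract'
)
$folderRole = New-VIRole -Name 'Group-VM-Admin' `
    -Privilege (Get-VIPrivilege -Id $folderPrivIds)

# Role 2: permission to consume compute, storage and network resources.
# Deliberately contains no Inventory.Create, so holding it above the folder
# does not let the group create VMs anywhere else.
$placementPrivIds = @(
    'Resource.AssignVMToPool',   # checked on the cluster/pool picked in the wizard
    'Datastore.AllocateSpace',   # checked on the datastore that receives the VMDK
    'Network.Assign'             # checked on the port group the NIC attaches to
)
$placementRole = New-VIRole -Name 'Group-VM-Placement' `
    -Privilege (Get-VIPrivilege -Id $placementPrivIds)

# Folder-level permission, propagated to the VMs inside the folder.
New-VIPermission -Entity (Get-Folder -Name 'MachineGroup1') `
    -Principal 'CORP\Group1' -Role $folderRole -Propagate:$true

# Placement permission at the datacenter, propagated so it reaches the cluster,
# its resource pools, the datastores and the networks. Use Get-Cluster or
# Get-Datastore as the entity instead if only some of them should be usable.
New-VIPermission -Entity (Get-Datacenter -Name 'DC1') `
    -Principal 'CORP\Group1' -Role $placementRole -Propagate:$true

# Verify what the group now holds and where.
Get-VIPermission -Principal 'CORP\Group1' |
    Format-Table Entity, Role, Propagate -AutoSize
```

Splitting the privileges this way is what keeps the "create only in your own folder" rule enforceable: the only object on which Group1 holds VirtualMachine.Inventory.Create is its folder, while the datacenter-wide grant lets a VM land on the shared cluster, datastore and network but cannot be used to create one. The existing read-only permission at the datacenter level is unaffected, since a member of several groups receives the union of their permissions on an object.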


Partial Answer to my problem...but worked