

VMware Infrastructure Roles and Permissions question

Posted on 2009-02-17
Medium Priority
Last Modified: 2012-06-27

My question involves roles and permissions within Virtual Infrastructure.
We are running about 100 virtual machines hosted across several esx servers.
We are using Virtual Infrastructure 2.5 U3 to manage these machines. This is
set up for several groups of users/admins.

Datacenter Admin group/ Everyone Read access
       -MachineGroup1 {just a folder} / Group1
       -MachineGroup2 / Group2
       -MachineGroup3 /Group3
       -MachineGroup4 / Group4

There is an admin group for the datacenter that allows full admin access for all machines
and another group at the datacenter level set for readonly access.   Each machine group
then has a group associated with it so I can let users administer their set of virtual machines
without them touching other virtual machine groups.

The way things are set up now... the standard groups are only able to see/manage their individual groups
but not anyone else's machines. Admins are able to see all machines/full control/etc.

What I am trying to figure out is how to allow users to create virtual machines within their
machine group but nowhere else. I have set up a custom role and assigned various permissions, but I keep running into a permission denied error when I need to select the cluster for the new machine.

Any help would be appreciated...  :)
Question by:fertigj

Expert Comment

ID: 23667788
VirtualCenter does not depend upon Windows Administrative Privileges when defining roles.
For example, I can create a user account with standard privileges and then create a new Role in VirtualCenter which enables the account to manage the respective area where I assign permissions.

Expert Comment

ID: 23668450
So from reading your post, it looks like you set up roles and assigned users to the role already. Do you have each role designated to the machine groups? You won't have them at the datacenter level if you want them to only have access to their machine groups.

How do you have your machine groups separated? If you have it by clusters or resource groups, you can just click on the permissions tab and see the user and role assigned to that cluster or resource group. If you have this set up correctly then I would assume the permissions for the role need to be defined.

hope that helps.

Author Comment

ID: 23681091
Datacenter --> ReadOnly
  --> Machine Level1 (grant administrator access below)
  --> Machine Level2 (grant administrator access below)
  --> Machine Level3 (grant administrator access below)

There is an active directory group for MachineLevel1, 2,3  and I add the appropriate people to the proper groups.   The only reason I have ReadOnly at the datacenter level is VI 2.5 had a bug ... if people did not have read access at this level they were not able to see their machines below.

The machines are all part of the same resource pool... they are separated into a number of folders {just a logical divider, I know :) }. The folder level is where I place the permissions for each group. I would like to allow people to be able to add machines at this level but nowhere else. I am trying to create a custom role for this, and I need to figure out what permissions are needed for this.



Expert Comment

ID: 23696569
Do you have Virtual Machine - Inventory - Create as a privilege?
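Creating a VM is not a single privilege check on the destination folder. vCenter evaluates several privileges, each against a different inventory object: VirtualMachine.Inventory.Create and VirtualMachine.Config.AddNewDisk on the folder, Resource.AssignVMToPool on the resource pool or cluster, Datastore.AllocateSpace on the datastore and Network.Assign on the network. A role granted only on a VM folder therefore passes the folder checks and fails as soon as the wizard asks for the cluster, which is exactly the error described in the question. The following model is an added example, not vCenter code or anything posted in this thread: it mirrors the questioner's layout (ReadOnly for everyone at the datacenter, an admin group at the datacenter, Group1 on its own folder) and shows that adding narrow "consumer" roles on the pool, datastore and network lets Group1 create VMs in its folder while still being denied in another group's folder. The privilege IDs are real vSphere privilege IDs; the role names, group names and inventory objects are assumptions constructed for the example.

```python
"""Offline model of vCenter permission evaluation across the inventory tree.

Illustrative model, not vCenter's implementation.  Privilege IDs are real
vSphere IDs; the inventory, groups and custom role names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Privilege checks for "create VM with a new disk" and the object each is
# evaluated against.  Only the first two land on the destination folder.
CREATE_VM_CHECKS: List[Tuple[str, str]] = [
    ("folder", "VirtualMachine.Inventory.Create"),
    ("folder", "VirtualMachine.Config.AddNewDisk"),
    ("pool", "Resource.AssignVMToPool"),
    ("datastore", "Datastore.AllocateSpace"),
    ("network", "Network.Assign"),
]

BASE = {"System.Anonymous", "System.View", "System.Read"}  # implicit in every role
ROLES: Dict[str, Set[str]] = {
    "Administrator": {"*"},                    # "*" = every privilege
    "ReadOnly": set(BASE),
    # Hypothetical custom roles (names are assumptions for this example).
    "VM Creator": BASE | {"VirtualMachine.Inventory.Create",
                          "VirtualMachine.Config.AddNewDisk"},
    "Pool Consumer": BASE | {"Resource.AssignVMToPool"},
    "Datastore Consumer": BASE | {"Datastore.AllocateSpace"},
    "Network Consumer": BASE | {"Network.Assign"},
}


@dataclass
class Node:
    """One managed object; permissions map group -> (role, propagate)."""
    name: str
    parent: Optional["Node"] = None
    permissions: Dict[str, Tuple[str, bool]] = field(default_factory=dict)


def effective_privileges(node: Node, groups: Set[str]) -> Set[str]:
    """Nearest object on the path to the root with a permission for any of
    the principal's groups decides; roles from several groups on that object
    are unioned; an ancestor's entry counts only if assigned with propagate."""
    cur, inherited = node, False
    while cur is not None:
        granted: Set[str] = set()
        for group in groups:
            entry = cur.permissions.get(group)
            if entry is not None and (not inherited or entry[1]):
                granted |= ROLES[entry[0]]
        if granted:
            return granted
        cur, inherited = cur.parent, True
    return set()


def missing_for_create_vm(targets: Dict[str, Node], groups: Set[str]) -> List[Tuple[str, str]]:
    """(object, privilege) pairs the principal lacks for the VM creation."""
    missing = []
    for kind, priv in CREATE_VM_CHECKS:
        privs = effective_privileges(targets[kind], groups)
        if "*" not in privs and priv not in privs:
            missing.append((targets[kind].name, priv))
    return missing


def build_inventory() -> Dict[str, Node]:
    """Constructed inventory: one datacenter, per-group VM folders under the
    'vm' branch, one cluster with its root pool under the 'host' branch."""
    dc = Node("Datacenter", Node("root"))
    vm_view, host_view = Node("vm", dc), Node("host", dc)
    inv = {
        "group1": Node("MachineGroup1", vm_view),
        "group2": Node("MachineGroup2", vm_view),
        "pool": Node("Resources", Node("Cluster1", host_view)),
        "datastore": Node("Datastore1", dc),
        "network": Node("VM Network", dc),
    }
    dc.permissions["DatacenterAdmins"] = ("Administrator", True)
    dc.permissions["Everyone"] = ("ReadOnly", True)
    inv["group1"].permissions["Group1"] = ("VM Creator", True)
    return inv


def targets_for(inv: Dict[str, Node], folder_key: str) -> Dict[str, Node]:
    return {"folder": inv[folder_key], "pool": inv["pool"],
            "datastore": inv["datastore"], "network": inv["network"]}


def scenario_folder_only() -> List[Tuple[str, str]]:
    """Role on the folder only: every check outside the folder fails."""
    return missing_for_create_vm(targets_for(build_inventory(), "group1"),
                                 {"Everyone", "Group1"})


def scenario_least_privilege() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Narrow grants on pool, datastore and network: own folder passes,
    the other group's folder is still denied."""
    inv = build_inventory()
    inv["pool"].permissions["Group1"] = ("Pool Consumer", False)
    inv["datastore"].permissions["Group1"] = ("Datastore Consumer", False)
    inv["network"].permissions["Group1"] = ("Network Consumer", False)
    groups = {"Everyone", "Group1"}
    return (missing_for_create_vm(targets_for(inv, "group1"), groups),
            missing_for_create_vm(targets_for(inv, "group2"), groups))


if __name__ == "__main__":
    print("folder-only role, missing:", scenario_folder_only())
    own, other = scenario_least_privilege()
    print("scoped grants, own folder missing:", own)
    print("scoped grants, other folder missing:", other)
```

The pool, datastore and network grants are deliberately separate roles carrying one privilege each rather than a second copy of the folder role: a principal with Resource.AssignVMToPool on the cluster's root pool can place VMs there but gets no Inventory.Create on any folder it does not own, so the boundary between groups stays where the folder permissions put it. If the cluster's pool is shared, the accepted answer's caveat still applies: anyone allowed to assign VMs to it can consume its resources.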

Accepted Solution

jodiemr earned 1500 total points
ID: 23789405
If your "folders" are resource pools, the problem with this is that if one guy has access to make VMs all day in Machine Group1, then this will impact the resource allocation for the whole datacenter. It is best if the god administrator is the one making the VMs, and then he can adjust the resource pools accordingly.

Author Closing Comment

ID: 31548116
Partial answer to my problem... but it worked.
