VMware Infrastructure Roles and Permissions question

Hello..

My question involves roles and permissions within Virtual Infrastructure.
We are running about 100 virtual machines hosted across several ESX servers.
We are using Virtual Infrastructure 2.5 U3 to manage these machines. This is
set up for several groups of users/admins.


Datacenter Admin group/ Everyone Read access
   -Cluster
       -MachineGroup1 {just a folder} / Group1
          -Server1
          -Server2
          -Server3
       -MachineGroup2 / Group2
          -Server1
          -Server2
          -Server3
       -MachineGroup3 /Group3
          -Server1
          -Server2
          -Server3
       -MachineGroup4 / Group4
          -Server1
          -Server2
          -Server3

There is an admin group for the datacenter that allows full admin access for all machines
and another group at the datacenter level set for readonly access.   Each machine group
then has a group associated with it so I can let users administer their set of virtual machines
without them touching other virtual machine groups.

The way things are set up now, the standard groups are only able to see/manage their individual groups
but not anyone else's machines. Admins are able to see all machines/full control/etc.

What I am trying to figure out is how to allow users to create virtual machines within their
machine group but nowhere else. I have set up a custom role and assigned various permissions, but I keep running into a permission denied error when I need to select the cluster for the new machine.

Any help would be appreciated...  :)
fertigj asked:
jodiemr commented:
If your "folders" are resource pools, the problem with this is that if one guy has access to make VMs all day in Machine Group1, then this will impact the resource allocation for the whole datacenter. It is best if the god administrator is the one making the VMs, and then he can adjust the resource pools accordingly.
This
0
 
kumarnirmal commented:
VirtualCenter does not depend upon Windows Administrative Privileges when defining roles.
For example, I can create a user account with standard privileges and then create a new Role in VirtualCenter which enables the account to manage the respective area where I assign permissions.
0
 
philtpaik commented:
So from reading your post, it looks like you set up roles and assigned users to the role already. Do you have each role designated to the machine groups? You won't have them at the datacenter level if you want them to only have access to their machine groups.

How do you have your machine groups separated? If you have it by clusters or resource groups, you can just click on the Permissions tab and see the user and role assigned to that cluster or resource group. If you have this set up correctly, then I would assume the permissions for the role need to be defined.

hope that helps.
0
fertigj (author) commented:
Datacenter  -->ReadOnly
  -->Machine Level1 (grant administrator access below)
  -->Machine Level2 (grant administrator access below)
  -->Machine Level3 (grant administrator access below)

There is an Active Directory group for MachineLevel1, 2, 3, and I add the appropriate people to the proper groups. The only reason I have ReadOnly at the datacenter level is that VI 2.5 had a bug: if people did not have read access at this level they were not able to see their machines below.

The machines are all part of the same resource pool. They are separated into a number of folders {just a logical divider, I know :) }. The folder level is where I place the permissions for each group. I would like to allow people to be able to add machines at this level but nowhere else. I am trying to create a custom role for this, and I need to figure out what permissions are needed for this.

Thoughts?
0
 
philtpaik commented:
Do you have Virtual Machine - Inventory - Create as a privilege?
0
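The privilege above is only the first of the set VMware documents as required to create a VM; the "permission denied when selecting the cluster" symptom in the question is what you get when the role has Virtual Machine > Inventory > Create on the folder but no Resource > Assign virtual machine to resource pool on the cluster or pool the VM is placed in. The PowerCLI script below is an added example, not code from the thread or from VMware: it builds a least-privilege creator role, binds it to one machine-group folder with propagation, and grants the cluster/datastore-side privileges as separate, non-propagating permissions so the group cannot reach other groups' VMs through the cluster. The VirtualCenter host name, folder, pool, datastore and AD group names are placeholders, and it assumes a PowerCLI version that has New-VIRole and New-VIPermission (these cmdlets post-date the VI Toolkit that shipped alongside VirtualCenter 2.5).

```powershell
# Added example (not from the original thread). Assumptions: PowerCLI with
# New-VIRole / New-VIPermission available; all object and principal names
# below are placeholders for the reader's own environment.
Connect-VIServer -Server 'virtualcenter.example.local'

# Privilege IDs VMware documents as required to create a virtual machine.
# These IDs are what Get-VIPrivilege -Id expects; the VI Client shows them
# as Virtual Machine > Inventory > Create, Resource > Assign VM to Pool, etc.
$createVmPrivIds = @(
    'VirtualMachine.Inventory.Create',   # create the VM object in the folder
    'VirtualMachine.Config.AddNewDisk',  # give it a virtual disk
    'Resource.AssignVMToPool',           # pick the cluster / resource pool
    'Datastore.AllocateSpace',           # write the VM's files to a datastore
    'Network.Assign'                     # attach the NIC to a port group
)

# Role used on the machine-group folder. Propagation is wanted here so the
# group manages what it creates inside its own folder and nothing else.
$creatorRole = New-VIRole -Name 'MachineGroup VM Creator' `
    -Privilege (Get-VIPrivilege -Id $createVmPrivIds)

$folder = Get-Folder -Name 'MachineGroup1'
New-VIPermission -Entity $folder -Principal 'CORP\VI-Group1' `
    -Role $creatorRole -Propagate $true

# The placement step is authorised on the target object, not the folder.
# Granting the creator role on the cluster with propagation would expose
# every other group's VMs, so use a one-privilege role and do not propagate.
$assignRole = New-VIRole -Name 'Assign VM To Pool Only' `
    -Privilege (Get-VIPrivilege -Id 'Resource.AssignVMToPool')
$pool = Get-ResourcePool -Name 'Group1-Pool'   # use Get-Cluster if there are no pools
New-VIPermission -Entity $pool -Principal 'CORP\VI-Group1' `
    -Role $assignRole -Propagate $false

# Same pattern for the datastore the group may consume.
$dsRole = New-VIRole -Name 'Datastore Allocate Only' `
    -Privilege (Get-VIPrivilege -Id 'Datastore.AllocateSpace')
New-VIPermission -Entity (Get-Datastore -Name 'Group1-DS') `
    -Principal 'CORP\VI-Group1' -Role $dsRole -Propagate $false

# Check: list what CORP\VI-Group1 can now reach, object by object, and
# confirm nothing propagating exists above the folder except Read-Only.
Get-VIPermission | Where-Object { $_.Principal -eq 'CORP\VI-Group1' } |
    Select-Object Entity, Role, Propagate | Format-Table -AutoSize
```

The design choice is that the folder is the only object where the group's permission propagates; everything the creation wizard touches outside the folder gets a single-privilege, non-propagating grant. If the read-only workaround at the datacenter level is kept, check whether it needs to propagate at all: a propagating Read-Only there lets every group list every other group's VM names, which is usually more inventory disclosure than intended.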
 
fertigj (author) commented:
Partial Answer to my problem...but worked
0
Question has a verified solution.