Users/Groups in vSphere 5.1 integration

Currently the devs use a script that uses a single user - security & accountability = bad

1) Set up a group system whereby dev1 and dev2, and in future lots of devs, can have access to vSphere via Production Domain group membership (i.e. the ability to create/delete VMs, but only those belonging to/created by their "group")

NB: This would also give users like dev1/dev2 the ability to log into vSphere to see the VMs created, etc.

My initial thought is an AD group, but I am not sure how to proceed past that?

It's a 5.1 vSphere environment.

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
We do this: we create a Developers Active Directory group, and then we add this group to the folder view in vSphere permissions, so when developers access via vSphere they only see folders in their environment, and hence their VMs.

So, switch to the VMs and Templates view, create folders, put VMs into folders, then select permissions, add your AD group, and select a Role for that group.

Permissions on folders are granted by right-clicking the folder and adding their account or group.

See here for the official VMware docs, Chapter 6, page 71:

vSphere Security

The following is a screenshot from our Developers View, when they log into our vSphere cluster, which hosts at least 1,500 VMs across 40 hosts.

[Screenshot: Developer View]

They only see and manage the VMs we give them access to; they have no idea there are any other VMs.
piedthepiper (Author) commented:
Is there a way to limit how much resource they can use? Otherwise the devs could go crazy and max out the environment.

Please don't say resource pools lol
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
That's what Resource Pools are for... (apart from disk size!) - only CPU and memory.

But it depends what permissions you give them; if you create their VMs and they cannot change memory or CPUs, then there is no issue.

There is always an element of trust that you must apply; if they break that trust, then you remove their rights completely and they go back to the dark ages.

For protection, we actually have Resource Pools in use for some groups, but we do not tell them.

It does depend on how much resource you have available in your cluster...

piedthepiper (Author) commented:
Is it possible to link a folder to a specific Cluster or resource pool?

So if they create a VM in that folder, I know it will go to the Dev cluster or Dev resource pool?
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Folders and Resource Pools are different, but both can be allocated permissions.

A VM can be in a Folder and Resource Pool, but you cannot link a Folder to a Resource pool.

So you need to first decide if you require Resource Pools for these users, and allocate permissions to the Resource Pools where their VMs will be created.

A folder is purely a cosmetic method of sorting or collating VMs in a single place.
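As an added example (not code from the thread or from VMware), the following PowerCLI script builds the model described in the answers above: an AD group, a custom role, a propagating permission on a VM folder, and, because a folder caps nothing, the same permission on a CPU/memory-limited resource pool, followed by a check that the group has no permission anywhere else. The vCenter address, datacenter, cluster, AD group, role name and limits are all assumed values.

```powershell
# Added example (not from the thread): folder + AD group + role model with
# VMware PowerCLI. Every name below (vCenter host, datacenter, cluster, AD
# group, role, folder, pool, limits) is an assumption; adjust for your site.
Connect-VIServer -Server 'vcenter.example.local'   # assumed vCenter address

$adGroup = 'PROD\vSphere-Developers'                # assumed Production-domain AD group
$dc      = Get-Datacenter -Name 'DC1'               # assumed datacenter
$cluster = Get-Cluster -Name 'Cluster1'             # assumed cluster

# 1) A custom role holding only what the devs need. This is a starting set,
#    not a full catalogue: create/delete/power/console on VMs, plus the
#    privileges needed to place a VM on a datastore, network and resource pool.
$privIds = @(
  'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Delete',
  'VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff',
  'VirtualMachine.Interact.ConsoleInteract',
  'Datastore.AllocateSpace', 'Network.Assign', 'Resource.AssignVMToPool'
)
$role = New-VIRole -Name 'DevVMOperator' -Privilege (Get-VIPrivilege -Id $privIds)

# 2) A VM folder for the dev team under the datacenter's root VM folder (the
#    root VM folder is always named "vm"). Propagate so VMs created inside it
#    inherit the permission; nothing is granted at the vCenter root.
$vmRoot    = Get-Folder -Name 'vm' -Type VM -Location $dc
$devFolder = New-Folder -Name 'Dev' -Location $vmRoot
New-VIPermission -Entity $devFolder -Principal $adGroup -Role $role -Propagate:$true

# 3) Folders do not cap consumption, so give the group the same role on a
#    capped resource pool. Without Resource.AssignVMToPool on the pool they
#    cannot create VMs in it at all. (Newer PowerCLI releases use -MemLimitGB.)
$devPool = New-ResourcePool -Name 'Dev' -Location $cluster -CpuLimitMhz 8000 -MemLimitMB 16384
New-VIPermission -Entity $devPool -Principal $adGroup -Role $role -Propagate:$true

# 4) Check: the group should appear only on the folder and the pool. Any other
#    entry (especially the vCenter root or the datacenter) is an over-grant.
Get-VIPermission -Principal $adGroup |
  Select-Object @{n='Entity';e={$_.Entity.Name}}, Role, Propagate
```

Disk usage is not limited by the pool, as the answer above notes; Datastore.AllocateSpace only permits placement, so datastore capacity still has to be managed separately.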
piedthepiper (Author) commented:
What about creating a cluster folder and assigning roles/permissions to that folder, so they can only access that cluster?

For example, a dev cluster?
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
You cannot create folders in a Resource Pool.
piedthepiper (Author) commented:
In the web client it is possible to create a Hosts and Clusters folder; you can't do this in the thick client from what I can tell, so this is a 5.1+ feature.

Could I create a Hosts and Clusters folder called Dev and add those hosts to it, and then give the developers' AD group access to it with the correct vCenter permissions?

So that way they could only get access to those resources in that folder?

This way they have access to a finite set of resources and there is no chance of it impacting production?
Building VMs and allowing users to assign resources up to a certain amount sounds like "Self-Service" to me, using vCloud...

piedthepiper (Author) commented:
This may end up being something like vCloud, although they are unsure yet.