Vmware Roles

Vmware Roles


vm
I have Vmware Roles displayed in the screenshot above.
I have an Active Directory Group name (Vmware-Administrators) which has Vmware Administrator Role.

My Question is if I put that group(Vmware-Administrators) right under the top folder pointed to by the top red arrow, the folder named "DataCenters" or I put it right under the DataCenter icon named(MyDatacenter) pointed to by the bottom Red arrow , will this make any difference since I have only one DataCenter ?

Initially, I thought since I have only one Datacenter then it does not make difference, but I realized I was wrong. the AD group (Vmware-Administrators) was not able to take a snapshot of the Vcenter when it was put under the Datacenter icon (MydataCenter), when I moved it under "Datacenters" folder, the group was able to take snapshot of the Vcenter without issue.

Any Clarification about what made difference ?

Thank you
jskfanAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
It really comes down to WHERE you want to allocate the permissions, and permissions which are propagated down the tree.

If you put under the first  datacentre icon, view this as GLOBAL PERMISSION.
0
jskfanAuthor Commented:
But if you have just one Data Center then what's the meaning of the folder "DataCenters" on the top ?
0
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
GLOBAL PERMISSION TO EVERYTHING. which is managed by the vCenter Server object....

if you add an Administrator at this level, they can create new DCs....

If you look at the Inventory View > Hosts and Clusters

the name of your vCenter Server is at the TOP above your friendly name for the Datacentres you have created. This is that GLOBAL Permissions....

If you want to add someone which has Global Rights, you add them here, and that right should be propagated.... down the tree...

if you want to add someone access only to DC1 add them there....

It's understanding what permissions you want to give, at which level and to what....
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

jskfanAuthor Commented:
I had issue taking Snapshot of the  Vcenter when the account had permissions at the Datacenter (Mydatacenter) level.
when I moved it up  to the folder (Datacenter) , the account was able to take snapshot of Vcenter.

Eventhough the Vcenter is located under Mydatacenter.


**Where do you verify the permissions given to each Role ?
0
jskfanAuthor Commented:
**Where do you verify the permissions given to each Role in vsphere client ?
0
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
When it's added to a folder, I think you may also have a propagation issues, did you remember to click it....?

when adding the permissions against the role.

If the permissions is not propagated down the tree - you've only given permission to that folder... and no others!

Simple check - check permissions on the VM and folder..... if it's not there it's not propagated, because the tick box was missed.
0
jskfanAuthor Commented:
**Where do you verify the permissions given to each Role in vsphere client ?
0
jskfanAuthor Commented:
Simple check - check permissions on the VM and folder
where can I check that ? especially on the folder
0
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
if you look at the folders, click the permissions tab
0
jskfanAuthor Commented:
sorry.. should rephrase it this way:

looking at the screenshot I posted above.
in the Roles window, there is the top folder and the DataCenter

Usually DataCenter includes Clusters, Hosts, Resource Pools ,Vapps and VMs
The Top Folder will include just DataCenters...in our case we have just one

- The account had administrator Role at the Datacenter level , it was not able to take  Snapshot of the Vcenter
- I moved the account at the folder level keeping its Role as Administrator, and was able to take snapshot of the Vcenter successfully.

How to explain that ? what was the magic behind it ?
0
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Global permissions had then be assigned to the account and had propagated to every object.

when you added it to Datacentre, it only applied to Datacentre. - no other object!
0
jskfanAuthor Commented:
We know that  DataCenter includes Clusters, Hosts, Resource Pools ,Vapps and VMs
so what objects are in the Global (top folder) ?
0
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
EVERYTHING! that your vCenter Server Manages!

which includes your Datacenter, that you've created, but could also include, other Datacenters...

Think of it as "Super Users" and then "Administrators"
0
jskfanAuthor Commented:
EVERYTHING! that your vCenter Server Manages!

which includes your Datacenter, that you've created, but could also include, other Datacenters...

Think of it as "Super Users" and then "Administrators"

===========
Andrew,
there is misunderstanding

-- If you add the account  at the DataCenter Level , either the account has a Role of Administrator or other Role, this will  give the account the permissions on these Objects:
Clusters, Hosts, Resource Pools ,Vapps and VMs
Which I Initially did and the account  not able to take snapshot of Vcenter

---If you add the account  at the top folder level, which Objects that the account will have permissions on ?

***To summarize, I need to know which Objects reside at the top folder and do not reside at the DataCenter level.

There must be something that enabled the Account to take snapshot of the Vcenter at the top folder level, and that "something" does not exist at the Datacenter level
0
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Please add the user group, and then look at the object in vCenter Server, and look at the permissions tab.

Also the Snapshot function can be added or removed from the role.

Also check the role which has been defined.
0
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jskfanAuthor Commented:
Thanks Andrew,
I will take a look...
Though I beleive the Snapshooting of the Vcenter issue was Backup software related
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VMware

From novice to tech pro — start learning today.