VMware vSphere


Allowing non-root users to mount ISO images in VSphere

  • 1.  Allowing non-root users to mount ISO images in VSphere

    Posted Aug 06, 2012 01:32 PM

    Hellos!

    I'm running ESXi 5 on a root server, and would like my users to be able to mount ISO images from a local datastore in their respective VMs.

    I created a role to allow them to start/stop/reset etc. their VM, which works nicely. But I'm stumped as to which permissions I need to set where to allow them to browse and set an ISO image for their virtual CD drives. The "Browse Datastore" permission, set for the VM and the server, doesn't really help.

    Any ideas are welcome! :smileyhappy:



  • 2.  RE: Allowing non-root users to mount ISO images in VSphere

    Posted Aug 06, 2012 01:34 PM

    I should add that I'm using the free hypervisor and the VSphere Client to connect to a single ESXi directly. No VCenter or stuff.



  • 3.  RE: Allowing non-root users to mount ISO images in VSphere

    Posted Aug 06, 2012 01:58 PM

    The role is listed under Virtual Machine > Configuration > Settings.



  • 4.  RE: Allowing non-root users to mount ISO images in VSphere

    Posted Aug 06, 2012 02:05 PM

    I'm sorry, I can't find that option... What exactly are you referring to?

    Also, I previously created a role with the "Browse Datastore" permission and assigned that to the user, both on VM and on Host level, but they still cannot use the Browse button in the CD-ROM settings of their virtual machine.



  • 5.  RE: Allowing non-root users to mount ISO images in VSphere

    Posted Aug 06, 2012 02:26 PM

    Is the user allowed to "Configure CD Media"?



  • 6.  RE: Allowing non-root users to mount ISO images in VSphere

    Posted Aug 06, 2012 02:30 PM

    Yeah, they are... I turned on all permissions in the "Interaction" group.

    They can change the settings of the CD drive just fine, as in switch from "Host drive" to "client drive" and stuff, but they cannot Browse the datastore, and even when I paste a path+filename which I know exists in the ISO image file edit box, the client tells me that the file does not exist (like the user has no right to access/see/browse it).

    So I'm wondering, what permission do they need to set the ISO image...



  • 7.  RE: Allowing non-root users to mount ISO images in VSphere
    Best Answer

    Posted Aug 06, 2012 05:49 PM

    Sorry for the late reply,

    I can choose a local datastore ISO and create a new VM with the following privileges on a standalone ESXi 5:

    Datastore > Allocate Space

    Datastore > Browse Datastore

    Host > Local Operations > Reconfigure virtual machine

    Resource > Assign virtual machine to resource pool

    Virtual Machine > All (but this could/should be more restrictive)



  • 8.  RE: Allowing non-root users to mount ISO images in VSphere

    Posted Aug 06, 2012 06:08 PM

    Hello Tsjo!

    No problem about delay.

    I'm sorry, but I tried the permissions you listed, and the user in question still cannot click Browse to select ISO, nor does he see the datastore in the overview screen.

    I'm wondering if there's some configuration problem; actually I figured that "Browse Datastore" should be sufficient.



  • 9.  RE: Allowing non-root users to mount ISO images in VSphere

    Posted Aug 06, 2012 06:24 PM

    That's odd.

    Just to make sure, has the role the user belongs to been assigned to the ha-folder-root?



  • 10.  RE: Allowing non-root users to mount ISO images in VSphere

    Posted Aug 06, 2012 06:30 PM

    Aaah, no, I had it assigned to a specific VM. I'll try it with the ha-root shortly. Need to adjust the permissions then though, since not all users should be allowed to manage all VMs. :smileyhappy:



  • 11.  RE: Allowing non-root users to mount ISO images in VSphere

    Posted Aug 07, 2012 09:19 AM

    Okay, I attached the "Browse Datastore" right to the ha-folder-root now and turned on "Propagation". Then the user in question can finally browse the datastore and assign an ISO.

    Problem is though: Turning that on also allows the user to see (not edit) the other virtual machines on the server. Logically - when they can browse the datastore, they see all the VM directories. Not that I have terribly big secrets in that regard - after all they can only see the files but not open/read/change them, but still, I don't feel too comfortable with that fact.

    It'd be perfect if the "Browse" right could be attached to a specific directory, or datastore, namely the one where I store my ISO files. But it seems that is not possible?



  • 12.  RE: Allowing non-root users to mount ISO images in VSphere

    Posted Aug 07, 2012 09:27 AM

    Odd thing is: They even can - in addition to browsing the datastore - also see all the VSphere client tabs (like Summary, Virtual Machines, Resource Allocation) for all the VMs, they just can't edit stuff there. How is that possible from just giving them the "browse datastore" right?

    I should think that being allowed to browse folder contents should not give them the right to see all the resource allocations and performance graphs and stuff.



  • 13.  RE: Allowing non-root users to mount ISO images in VSphere

    Posted Aug 07, 2012 10:03 AM

    In a standalone ESXi I can't find a way to lock a user to a specific datastore folder, it is possible in a vSphere environment though.

    I'm not in my lab right now, but Browse Datastore should not enable the user to see all client tabs as well.

    What if you add the role to the root folder, but don't propagate it and then add the privileges with propagation on a folder the user is allowed to work inside?



  • 14.  RE: Allowing non-root users to mount ISO images in VSphere

    Posted Aug 07, 2012 10:09 AM

    Yeah, I figured VMWare would restrict such an "advanced" feature to a version that costs money. :smileyhappy:

    When I turn off propagation, the "Browse" doesn't work unfortunately. Also the datastore disappears from the user's view then.

    I'm assuming the right needs to be attached to some level between the ha-root and the VMs, unfortunately I can only see two levels in the inventory. The host, and the VMs beneath it. There's nothing in between to which I could assign the browse right. Okay, I could create a "resource pool", but I don't think that has influence on datastore browsing.



  • 15.  RE: Allowing non-root users to mount ISO images in VSphere

    Posted Aug 07, 2012 10:21 AM

    My bad, folders are also only available in vSphere...

    Fine-tuning the privileges might restrict the user from viewing various tabs not belonging to his specific VM, but we're still stuck with the global read-only that allows him to see every VM on the host.



  • 16.  RE: Allowing non-root users to mount ISO images in VSphere

    Posted Aug 07, 2012 11:27 AM

    Okay, I'm reaching the conclusion at this point that the requested function is actually only doable, at least in a feasible way, in the full version and not the Hypervisor. Do you agree?

    I'll mark your first reply as "correct answer" anyway, since you took the time to try and help me, for which I'm grateful! :smileyhappy:

    Maybe I'll get a VCenter license some time, but my usage pattern doesn't make me anywhere near enough income to compensate for the license cost. :smileysad:



  • 17.  RE: Allowing non-root users to mount ISO images in VSphere

    Posted Aug 07, 2012 11:41 AM

    Yeah, I do agree and I think it was an interesting exercise.

    Thanks for the points, and I'm glad I was able to help in some way.
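
A simplified model of the permission behaviour reported in this thread, added here as an illustration (it is not code from any poster or from VMware): it resolves a user's effective privileges on a small inventory tree and reproduces the three outcomes described in posts 8, 11 and 14. The inventory names other than ha-folder-root, the `effective` helper, the flat two-level tree, and the assumption that every custom role implicitly carries the System.* read privileges are assumptions of the example.

```python
# Assumption: every custom role also carries these read-only system privileges.
IMPLICIT = {"System.Anonymous", "System.View", "System.Read"}
ROLE = {"Datastore.Browse", "VirtualMachine.Interact.SetCDMedia"}

# Constructed inventory (child -> parent), flattened to the two levels
# the thread describes: the host root and the objects beneath it.
PARENT = {
    "ha-folder-root": None,
    "datastore1": "ha-folder-root",
    "vm-alice": "ha-folder-root",
    "vm-bob": "ha-folder-root",
}

def perm(entity, propagate):
    return {"entity": entity, "user": "alice", "privs": ROLE, "propagate": propagate}

def effective(entity, user, perms):
    """Privileges held on `entity`. The nearest permission wins; one set on
    an ancestor applies only if it was created with propagation enabled."""
    node, direct = entity, True
    while node is not None:
        for p in perms:
            if p["entity"] == node and p["user"] == user and (direct or p["propagate"]):
                return set(p["privs"]) | IMPLICIT
        node, direct = PARENT[node], False
    return set()

def can_browse(user, perms):
    # Browsing is checked against the datastore object, not the VM.
    return "Datastore.Browse" in effective("datastore1", user, perms)

def visible(user, perms):
    return sorted(e for e in PARENT if "System.View" in effective(e, user, perms))

# Post 8: role assigned on the user's own VM only.
VM_ONLY = [perm("vm-alice", False)]
# Post 11: role on ha-folder-root with propagation.
ROOT_PROPAGATED = [perm("ha-folder-root", True)]
# Post 14: role on ha-folder-root without propagation, plus the VM.
ROOT_NO_PROPAGATION = [perm("ha-folder-root", False), perm("vm-alice", False)]

if __name__ == "__main__":
    for name, perms in [("vm only", VM_ONLY), ("root + propagate", ROOT_PROPAGATED),
                        ("root, no propagate", ROOT_NO_PROPAGATION)]:
        print(f"{name:20} browse={can_browse('alice', perms)} sees={visible('alice', perms)}")
```

In this model the only assignment that reaches the datastore is the propagated one at the root, and that same assignment makes every other VM visible, which is the trade-off the thread ends on.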