vCenter

  • 1.  Assigning permissions

    Posted May 19, 2021 09:16 PM

    We would like to assign permissions for a group (users are in the vsphere.local domain) to allow members of this group to create, import (from OVF or from content library) and modify VMs only in a specified:
    - cluster or resource pool (hosts and cluster view),
    - folder (VMs and templates view),
    - datastore (Datastore View),
    and assign only specified networks to VMs created by those users.

    Those users must not see VMs, hosts, clusters, datastores, networks, etc. other than those they are allowed to.
    They must not see VMs created by users outside this group and they must not see resources other than those they are allowed to use.
    Assigning permissions should be done not at the SSO level, but on vCenter or lower levels.
    How can we achieve that?



  • 2.  RE: Assigning permissions

    Posted May 20, 2021 08:02 AM

    Specifically the part about them not seeing VMs created by other users, do you mean in the same folder as the VMs they create themselves?

    If so, I don't think you can do that natively.

    The rest should be achievable I think - just be granular on the objects you do want them to have access to: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-4D0F8E63-2961-4B71-B365-BBFA24673FDB.html

     



  • 3.  RE: Assigning permissions

    Posted May 24, 2021 10:09 AM

    Thanks for the reply.

    I meant they should not be able to see hosts and VMs in the "Hosts and Clusters" view.
    Partially I can achieve this by creating a resource pool for them, but that is just not a very good workaround.

     

    --
    Best regards,
    Tom



  • 4.  RE: Assigning permissions

    Posted May 24, 2021 12:08 PM

    So you'll need a combination of some of the tasks in that previous link I posted (e.g. create a VM, power on a VM, install a guest OS), and just be very specific on which highest-level objects you assign the various permissions.

    I would definitely suggest having a test user account, it may take a bit of trial and error to get it working exactly how you want.

     



  • 5.  RE: Assigning permissions

    Posted May 24, 2021 12:15 PM

    That is right. I'll go ahead with expanded privileges and do some tests on a dummy user account.

    Thanks.
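
The approach discussed in this thread, sketched in PowerCLI as an added example (not code from any poster): one narrow role per object type, each assigned only on the specific folder, resource pool, datastore and network. The group, role and object names are hypothetical, the network is assumed to be a distributed port group, and the privilege lists cover only "create a VM" and "power on a VM"; extend them from the linked privileges table and verify with a test account.

```powershell
# Added example. Requires VMware PowerCLI and an existing Connect-VIServer
# session with rights to manage roles and permissions.
# All names below (group, roles, inventory objects) are hypothetical.
$principal = 'VSPHERE.LOCAL\vm-builders'

# One role per object type, so each privilege exists only where it is needed.
$roles = @{
    'Builders-Folder'    = @('VirtualMachine.Inventory.Create',
                             'VirtualMachine.Config.AddNewDisk',
                             'VirtualMachine.Interact.PowerOn')
    'Builders-Pool'      = @('Resource.AssignVMToPool')
    'Builders-Datastore' = @('Datastore.AllocateSpace')
    'Builders-Network'   = @('Network.Assign')
}

# Create any role that does not exist yet.
foreach ($name in $roles.Keys) {
    if (-not (Get-VIRole -Name $name -ErrorAction SilentlyContinue)) {
        New-VIRole -Name $name -Privilege (Get-VIPrivilege -Id $roles[$name]) |
            Out-Null
    }
}

# Bind each role to exactly one inventory object; nothing is granted at the
# vCenter root, so the group gets no role on any other object.
$grants = @(
    @{ Entity = (Get-Folder -Name 'TeamA-VMs' -Type VM); Role = 'Builders-Folder' }
    @{ Entity = (Get-ResourcePool -Name 'TeamA-Pool');   Role = 'Builders-Pool' }
    @{ Entity = (Get-Datastore -Name 'TeamA-DS01');      Role = 'Builders-Datastore' }
    @{ Entity = (Get-VDPortgroup -Name 'TeamA-Net');     Role = 'Builders-Network' }
)
foreach ($g in $grants) {
    New-VIPermission -Entity $g.Entity -Principal $principal `
        -Role $g.Role -Propagate $true | Out-Null
}

# Review what the group now holds, and where.
Get-VIPermission -Principal $principal |
    Select-Object Entity, Role, Propagate
```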