vCenter

  • 1.  Content Library Configuration

    Posted Oct 05, 2020 02:36 PM

    Has anyone figured out how to give a vCenter consumer access to the Content Libraries without full vCenter privileges?

    We have use cases where consumers can log in to vCenter and only see their Resource Pools, Folders, Templates, Networks, Storage. But, to allow them to consume the Content Library for vAPPs, ISOs, etc. seems to only be possible if we make the entire vCenter inventory visible.

    Have tried to implement only Content Library permissions in a specific global role, but this for some reason makes all of the vCenter inventory visible.



  • 2.  RE: Content Library Configuration

    Posted Oct 06, 2020 06:05 AM

    Hey Dr.Virt

    You need to apply the permissions over the Library object. Of course if you want the users to also create libraries and delete them, then you will need to give permissions onto the vCenter level: Content Library Privileges



  • 3.  RE: Content Library Configuration

    Posted Oct 06, 2020 08:09 AM

    Hi, you need to create a 'separate' role for Content Library and apply it as a 'GLOBAL' permission.

    Items such as TAGs and Content Library are global permissions.

    In summary, have one role for Content Library and another as per your requirement.

    I did the same and it works.



  • 4.  RE: Content Library Configuration

    Posted Oct 06, 2020 12:11 PM

    Hey, hope you are doing fine, maybe this graph will clarify how permissions are assigned on content libraries, it helped me a lot:

    Source: Hierarchical Inheritance of Permissions for Content Libraries  



  • 5.  RE: Content Library Configuration
    Best Answer

    Posted Oct 06, 2020 12:29 PM

    Okay, finally got it all to work.

    1) Create role with permissions to read and add to the content library.

    2) Apply to Global with apply to children option for AD user group.

    3) Create role with permissions to deploy and manage virtual machines.

    4) Apply No Access role with apply to children to each vCenter for AD user group.

    5) Apply manage virtual machines role to specific resources (resource pool, folder, network, vsan, etc.)

    Now when users are added to group in AD, they can log in to vCenter and only see their resource pool, folders, networks, etc. while still being able to use the Content Library for approved ISOs and templates.
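
    Added example (not part of any post in this thread, and not VMware code): a simplified Python model of why the five steps above scope access while the single global role from the first post exposes the whole inventory. It assumes one AD group, that the closest assignment on the path to the root wins, and that content libraries sit under the global root rather than under a vCenter; all object, role and privilege names are hypothetical.

```python
# Simplified model of vSphere permission resolution for a single AD group.
# Assumptions: the closest assignment on the path to the root wins, and an
# ancestor's assignment applies only when "propagate to children" is set.

# Constructed inventory; every object name here is hypothetical.
PARENT = {
    "global-root": None,
    "content-library": "global-root",  # libraries sit under the global root
    "vcenter01": "global-root",
    "datacenter": "vcenter01",
    "rp-tenant-a": "datacenter",
    "rp-tenant-b": "datacenter",
}

# Privilege labels are illustrative, not real vSphere privilege IDs.
ROLES = {
    "ContentLibraryUser": {"library.read", "library.add"},
    "NoAccess": set(),
    "TenantVMAdmin": {"vm.deploy", "vm.manage"},
}

def effective_role(obj, assignments):
    """Return the role that applies to obj, or None if nothing reaches it."""
    node = obj
    while node is not None:
        if node in assignments:
            role, propagate = assignments[node]
            if node == obj or propagate:
                return role
        node = PARENT[node]
    return None

def accessible(assignments):
    """Objects below the global root where the group holds any privilege."""
    roles = {o: effective_role(o, assignments) for o in PARENT if PARENT[o]}
    return sorted(o for o, r in roles.items() if r and ROLES[r])

# Post 1: a single propagating global role reaches every vCenter object.
GLOBAL_ONLY = {"global-root": ("ContentLibraryUser", True)}

# Post 5: global library role, No Access on the vCenter, VM role on one pool.
FIVE_STEP = dict(GLOBAL_ONLY, **{
    "vcenter01": ("NoAccess", True),
    "rp-tenant-a": ("TenantVMAdmin", True),
})

if __name__ == "__main__":
    print(accessible(GLOBAL_ONLY))
    print(accessible(FIVE_STEP))
```

    In this model the No Access assignment on the vCenter root overrides the inherited global role for everything beneath it, and the per-resource role overrides No Access only where it is explicitly applied.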