Currently we are planning a major permission change in our vSphere environment. I think everybody who has tried to be more restrictive has quickly realized that the permission structure inside vCenter is a real pita.
If you are using Storage Policies, VM Customizations, Tags etc. it gets even crazier. These 3 things require permissions directly on the vCenter object which enables users to see more of the infrastructure without even having "real" permissions on it.
Back to topic: We are trying to hide specific Tags, but from what I've seen, this is currently impossible. You can permit the users to assign only specific tags, but you cannot hide them.
The hilarious thing is that this documentation is misleading:
This sentence does describe my problem, but it does not work:
For example, if you grant the Assign vSphere Tag privilege to user Dana on host TPA, that permission does not affect whether Dana can assign tags on host TPA. Dana must have the Assign vSphere Tag privilege at the root level, that is, a global permission, or must have the privilege for the tag object.
A user who has no permission on the vCenter level cannot see any tags, even if you assign them permissions directly on the tag. The crazy thing is: if you give the user any permission (e.g. if you want the user to be able to read VM Customizations or Storage Policies), he can read all Tags, but assign only the ones where he has the "Assign or Unassign Tag" permission.
Maybe this is a bug in the GUI and using the API it would work. I've tried it with 6.7 U3k and 7.0 U1c, both have the same behavior.
Is there anyone out there who has had more luck doing this, or am I overlooking something?
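One way to settle the "maybe it works via the API" question is to log in to the vSphere Automation REST API as the restricted account and compare what it can list with what it can actually attach. The script below is an added example written for this thread; it is not code from the original post, from VMware, or from any VMware tool. It assumes the 6.7/7.0-era `/rest/com/vmware/cis/...` endpoint paths (session login, tag list, tag detail, and tag-association attach/detach with the `~action` query parameter) as the example's author remembers them, so confirm them in the API Explorer of your own vCenter before relying on the output. The attach probe really attaches and then detaches each tag, so point it at a dedicated test object you do not care about. `constructed_vcenter` is a fabricated stand-in (tag names, URNs and the object id `vm-100` are made up) that reproduces the behaviour the post describes, so the script runs offline; `https_transport` is the drop-in for a real host.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, Optional, Tuple

# A transport takes (method, path, headers, json_body) and returns (status, parsed json).
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, Any]]


def https_transport(host: str, verify_tls: bool = True) -> Transport:
    """Standard-library HTTPS transport for a real vCenter host."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab vCenter with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method, path, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"https://{host}{path}", data=data,
                                     method=method, headers=dict(headers))
        if data is not None:
            req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as err:
            raw = err.read()
            return err.code, (json.loads(raw) if raw else None)
    return send


def login(transport: Transport, user: str, password: str) -> Dict[str, str]:
    """Basic-auth login; returns the session header every later call must carry."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    status, body = transport("POST", "/rest/com/vmware/cis/session",
                             {"Authorization": f"Basic {cred}"}, None)
    if status != 200:
        raise PermissionError(f"login as {user} failed: HTTP {status}")
    return {"vmware-api-session-id": body["value"]}


def visible_tags(transport: Transport, hdr: Dict[str, str]) -> Dict[str, str]:
    """Tag id -> tag name for every tag the session can list and read."""
    status, body = transport("GET", "/rest/com/vmware/cis/tagging/tag", hdr, None)
    if status != 200:
        return {}  # e.g. 401/403: the account cannot list tags at all
    names = {}
    for tag_id in body["value"]:
        s, detail = transport("GET", f"/rest/com/vmware/cis/tagging/tag/id:{tag_id}", hdr, None)
        if s == 200:
            names[tag_id] = detail["value"]["name"]
    return names


def can_attach(transport: Transport, hdr: Dict[str, str], tag_id: str,
               obj_type: str, obj_id: str) -> bool:
    """Probe assign rights: attach the tag to the test object, then detach it.
    Anything other than 200 on attach (typically 403) means no right."""
    body = {"object_id": {"type": obj_type, "id": obj_id}}
    base = f"/rest/com/vmware/cis/tagging/tag-association/id:{tag_id}"
    status, _ = transport("POST", base + "?~action=attach", hdr, body)
    if status != 200:
        return False
    transport("POST", base + "?~action=detach", hdr, body)  # leave the object clean
    return True


def tag_access_report(transport: Transport, user: str, password: str,
                      test_obj: Optional[Tuple[str, str]] = None) -> Dict[str, list]:
    """Names of tags the account can see, and (if a test object is given) assign."""
    hdr = login(transport, user, password)
    seen = visible_tags(transport, hdr)
    report = {"visible": sorted(seen.values()), "assignable": []}
    if test_obj is not None:
        report["assignable"] = sorted(
            name for tid, name in seen.items()
            if can_attach(transport, hdr, tid, test_obj[0], test_obj[1]))
    return report


def constructed_vcenter(method, path, headers, body):
    """Constructed stand-in, not a real vCenter: the account can read every tag
    but attach only 'Dev', mirroring the GUI behaviour described in the post."""
    tags = {"urn:vmomi:InventoryServiceTag:t1:GLOBAL": "Prod",
            "urn:vmomi:InventoryServiceTag:t2:GLOBAL": "Dev",
            "urn:vmomi:InventoryServiceTag:t3:GLOBAL": "Backup"}
    assignable = {"urn:vmomi:InventoryServiceTag:t2:GLOBAL"}
    if method == "POST" and path == "/rest/com/vmware/cis/session":
        return 200, {"value": "sess-1"}
    if headers.get("vmware-api-session-id") != "sess-1":
        return 401, None
    if method == "GET" and path == "/rest/com/vmware/cis/tagging/tag":
        return 200, {"value": list(tags)}
    if method == "GET" and path.startswith("/rest/com/vmware/cis/tagging/tag/id:"):
        tid = path.split("id:", 1)[1]
        return (200, {"value": {"id": tid, "name": tags[tid]}}) if tid in tags else (404, None)
    if method == "POST" and "/tag-association/id:" in path:
        tid = path.split("id:", 1)[1].split("?", 1)[0]
        return (200, None) if tid in assignable else (403, None)
    return 404, None


if __name__ == "__main__":
    # Against a real host: tag_access_report(https_transport("vcenter.example.test"), ...)
    print(tag_access_report(constructed_vcenter, "restricted@vsphere.local", "pw",
                            test_obj=("VirtualMachine", "vm-100")))
```

Run it twice: once as the restricted account and once as an administrator. If the restricted account's `visible` list equals the administrator's while `assignable` is shorter, the API behaves exactly like the GUI and the "read all tags, assign only some" effect is in the permission model itself, not a client quirk.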