VMware vSphere

I've been struggling with this- ensuring that our users have the minumum permissions on our ESX VC system. When we first set up our first ESX cluster and VC, we gave everyone VM Admin permissions on their own folders and VM's, as well as VM Admin privs on the datacenter, cluster and host server (without propagating thos permissions past past the host server). This allows users to mess with VM advanced settings, like CPU affinity, which screws up Vmotion on the ESX cluster. So, what I've done is clone the VM Admin role and remove anything that allows the user to edit advanced settings on the VM, or anything on the host except create/remove VM's. So far, All of the users can edit their VM's (but not the advanced settings), take and manage snapshots- they can do everything they need except clone a VM.

The way permissions are set up: put the most permissions at the top of the heiarchy, and then limiting them as you drill down the ladder (something VMware tech support had us do when we initially set up our system two years ago). For the sake of the explaination, we'll call my altered VM Admin role as Company User.

On the Hosts and Clusters view, the typical user has Company User privs On the Hosts and Clusters object, which is propogated down to the datacenter object, cluster object and host server objects. At the Host server, the role is changed to not propogate any further. On any datacenterthat the user is not supposed to access, the permissions are change to "no access".

On the Folders and Templates view, the Company User role is assigned to the user at the Folder and Templates object, and allowed to propogate down through the datacenter object. On each of the folders under the datacenter object, the user is either change to "no access" if they're not supposed to access that folder, or the permission is allowed to propogate.

Here's the permissions I have set up on the Company User role:

• Global

• Cancel Task

• Host

• Local Operations

• Create Virtual Machine

• Delete Virtual Machine

• Virtual Machine

• Inventory

• Create

• Remove

• Move

• Interaction

• Power On

• Power Off

• Suspend

• Reset

• Answer Question

• Console Interaction

• Device Connection

• Configure CD Media

• Configure Floppy Media

• Tools Install

• Configuration

• Rename

• Add Existing Disk

• Add New Disk

• Remove Disk

• Change CPU COunt

• Memory

• Add/Remove Device

• Modify Device Settings

• Settings

• Upgrade Virtual Hardware

• Reset Guest Information

• State

• Create Snapshot

• Revert Snapshot

• Remove Snapshot

• Rename Snapshot

• Provisioning

• Custommize Clone

• Clone

• Create Template from VM

• Deply Template

• Clone Template

• Mark as template

• Mark as virtual machine

• read customization specifications

• Allow Disk Access

• Resource

• Migrate

• Relocate

• Scheduled Task

• Create Tasks

• Remove Task

• Run Task

• Modify Task

Finally, this is a VirtualCenter 2.5.0 build 104215, and the ESX servers are running ESX 3.5.0 build 120512

You are overthinking this. You have to apply Admin priveleges to the top level object, either ESX host or Cluster. don't propagate the permissions, only give them access to that object only. Then go down where they need access to the container, either pool or VM level, and apply appropriate VM user / Admin / Power user with those permissions included.

That should work. When you give a person to JUST an object, there is no inheritance, and that top level object has no way to let them see the disks, which is why they can't deploy. but giving them access at the top level then changing access on the actual object later will fix this.

I don't think Dagnabbit is overthinking this, but was lead down the wrong path initially by tech support. This end goal is what everyone's should be, to provide "minimum" permissions. Using "no access" to manage permissions is an absolute nightmare.

Now, I don't see an actual question in your post, but from the subject, it appears your specific question is how do I assign cloning permissions? In your current config, I don't know. From a scratch config, I believe you need a role with at least the following privileges:

• VM -> Inventory -> Create

• VM -> Interaction (all)

• VM -> Provisioning -> {Deploy Template, Clone, Customize Clone}

• Resource -> Assign VM to Resource Pool

Then assign this role to the Resource Pool you'll allow the users to create/manage their VM's. You also must assign the role to a Folder, where the users will be able to place their VMs. You may also want to create a role that provides access to the Customization Specifications, if they'll need to customize clones during deployment. VM -> Provisioning -> Read Customization Specifications, assing at root of Hosts & Clusters (no prop).

I just found this guide, which was helpful for setting permissions to allow VM creation. It looks like there are several other minimum permission scenarios as well.

It would be really nice if there was a more official VMWare-published guide for all of this stuff. I haven't done an exhaustive study, but there does not appear to be an easy way to determine which permissions are being checked and for what objects during a particular operation. Something like that would take away all the guesswork.

http://viops.vmware.com/home/docs/DOC-1211

Just wondering any new updates to this discussion in regards to VMware guidelines for minimum permissions?

Also, I tried to get to the document above could not find it.

Thanks

Hi Guys , I can see its an old post , but for next visitor . Full list here

vSphere Documentation Center

That was just what I needed.  For future visitors, the reference is to the vSphere 5 documentation so below is the URL to the vSphere 6 documentation:

VMware vSphere 6.5 Documentation Library