VMware vSphere

Hello!

I am trying to set up an environment for my students using the ESXi and VCSA 6.7 from VMAP. I have everything done, except for the networking. I have set up a Distributed Switch and individual Distributed Port Groups for each class. I have created a role with that allows students to assign networks, but when I create a new permission, assign the role to the Distributed Switch, and check the box for Propagate to children, it doesn't propagate. The newly assigned permissions show up on the switch, but not on any of the associated port groups.

Permissions propagate for folders, resource pools, and datastores, so I feel like I am missing something because it isn't working for networks. Is that working as intended or is it a bug? Has anyone come across this and have a solution?

Edit: I downloaded and performed a clean install of VCSA 7 to see if it solved the problem, but it didn't.

One of these may help:

Network Privileges

dvPort Group Privileges

 that doesn't help.

Does anyone know if this is a known problem at vmware? We're experiencing the same on the latest vCenter version 7.0U3e

 
I have no idea, if you check my signature I'm here on the forums the same as any other user, I don't have any magical connections to those who would be able to answer your question.

sorry I didn't notice your signature and thought you were from tech support or similar.

the second line of my post was also more addressed to other users, maybe someone already had an SR for this

I have the same problem, if you apply "No Access" permission at vDS level, it is not propagated to portgroups.

Permissions hierarchy says that PG is below vDS but this hierarchy is not working.

https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-03B36057-B38C-479C-BD78-341CD83A0584.html

I've run into this issue now as well.  Distributed switch security doesn't seem to propagate to the vdPort groups, even when the Propagate to Children box is checked. I've tested this in a sandbox environment with a fresh VC installed and it behaves the same way.

I had the same issue, the work around was to create a network folder and move the distributed switch into the folder, then apply the permissions on the folder and have it propogate. That should ensure the permissions propogate to your distributed switch and port groups.

Looks like this problem has persisted for some time now.  I'm experiencing the same problem.  Has anyone found a solution?

This occurs because the relationship between distributed switch and portgroup is not a direct parent-child relationship as can be seen from the managed object browser of the vCenter Server i.e. both are child objects of the parent 'network' folder.

From https://<vc_fqdn>/mob if you browse to 'content -> rootFolder -> childEntity (select relevant datacenter) -> networkFolder' you can see that childType is Folder, Network and DistributedVirtualSwitch so they are all child objects of the parent folder rather than each other.

The workaround is as mentioned above to
1. Create a new network folder
2. Move the vDS inside this new network folder.
3. Add permission at network folder level with box "Propagate to children" checked

That makes sense then.  Thanks for your response.