VMware vSphere

 View Only

  • 1.  Permissions for a user to change network settings

    Posted Apr 06, 2017 04:21 PM

    I know this should be easy but when I set these permissions the user can't see the DISTRIBUTED SWITCH options in edit settings for VM's.

    Enabling the vCenter Server permissions required to modify virtual machine network settings (1020934)

    Purpose

    This article provides steps to enable the vCenter Server permissions required to modify virtual machine network settings.

    Resolution

    To modify virtual machine network settings, you require these permissions:

    • Network > Assign Network
    • Virtual Machine > Configuration > Modify device settings
    • Virtual Machine > Configuration > Settings
    To enable these permissions:
    1. Connect vSphere Client to vCenter Server.
    2. Click Home.
    3. Click Roles.
    4. To create a new user role, right-click on a blank area and select Add.
    5. Enter a name, For example, VM Network Admin.
    6. Expand Network and select Assign network.
    7. Expand Virtual Machine > Configuration, select Modify device settings and Settings.
    8. Click OK.
    9. Add permission for this user at the datacenter level and assign the role to this user.

    Suggestions?



  • 2.  RE: Permissions for a user to change network settings

    Posted Apr 08, 2017 07:42 PM

    Hi what is your requirement?
    For a user to change network settings of a VM or for user to change Distributed Switch configuration?

    I've tried the same settings and the user is able to change the network settings of a VM selecting a Distributed Switch PortGroup

    Make sure to assign the user permission at the ​Datacenter​ level



  • 3.  RE: Permissions for a user to change network settings

    Posted Jul 18, 2018 09:34 PM

    Assigning at the datacenter level should not be a requirement.  Vsphere explicitly states that VDS permissions can be assigned at the datacenter level or a folder containing the VDS.  We need to do the latter to limit permissions to a subset of our VMs.



  • 4.  RE: Permissions for a user to change network settings

    Posted Jul 19, 2018 02:11 AM

    The KB says:

    9. Add permission for this user at the datacenter level and assign the role to this user.

    I haven't tried assigning permission on the folder level, but as a workaround you can still assign on datacenter level then assign 'No Access' on other folder for that user/user group or other VMs so the user/user group would only see the VMs without 'No Access'



  • 5.  RE: Permissions for a user to change network settings

    Posted Jul 18, 2018 09:33 PM

    I am having this same issue and would love to find a resolution.  I have assigned the necessary permissions at the VM and VDS level using a folder, I do not want to assign at the datacenter level because it would give the users permissions on too many VM's, not just the ones we are interested in effecting.



  • 6.  RE: Permissions for a user to change network settings

    Posted Jul 27, 2018 05:36 PM

    BIt of an old post but I've just come across this situation and had a bit of a play around with it.

    Assuming the user has permissions to modify the VM...

    1. If the user also has access to just the portGroup or a Network Folder ('assign network' permissions), they will be able to add a new network adapter and select the desired portGroup.

    2. If the user also has access to just the portGroup or a Network Folder ('assign network' permissions), they will not be able to modify an existing network adapter and assign it to a different port group. For this to work, the user needs read-only access to the host (or cluster) where the VM is located.

    I guess the process of modifying a network adapter must query the host to see which portGroups it can access, while adding a new network adapter does not. The KB suggests giving access at the Datacenter level, which would in turn give access to the Cluster/Host.

    Hope this is of some use.