vCenter

 View Only
  • 1.  Permissions on datastores - create snapshot but not new VM

    Posted Feb 18, 2013 04:36 PM

    Is there a way to create a role such that adminstrators can create snapshots on existing datastores but not provision new VMs on that datastores?

    We'bring up new storage and want to ensure that all new VMs get created over there, but not lock out the admins from doing work on the old datastores.  Is this possible?

    It was my understanding that the permission "Datastore/Allocate space" is required to create a snapshot.

    We're running vCenter 5.1 with 5.0 on the hosts.

    Thanks!



  • 2.  RE: Permissions on datastores - create snapshot but not new VM

    Posted Feb 19, 2013 03:16 AM

    Yes, this is techincally possible, but sounds like more of a process issue than anything :smileywink: Your only real option is to create a new role and assign it the permissions you desire on the storage objects you are referring to. Then assign your users/groups to this role. This works because the most specific permissions always win. See chapter 4: http://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf. To be honest, I feel this is more work than it is worth. I would advise working on the process by which users provision systems.