VMware vSphere

  • 1.  Unable to see Virtual Machines via Web Access

    Posted Aug 06, 2007 05:55 AM

    Guys,

    I have a weird situation. I have a cluster of ESX 3.0.1 hosts that are managed via Virtual Infrastructure 2.0.2. I'm trying to set up permissions such that an AD security group has VM User access to VMs in a particular resource pool. My structure is as follows:

    Datacenters
      MyDataCenter
        MyCluster
          Development Servers resource pool
            VMs...
          Production Servers resource pool
            VMs...
          Citrix Servers resource pool
            VMs...
          DCs resource pool
            VMs...

    I have some AD security groups including:

    Domain\vmDCAdmins

    Domain\vmCitrixAdmins

    I've set the vmDCAdmin group as "Virtual Machine User" at the DC resource pool level and propagated the permissions down to the actual VM under the DC resource pool. I also set the VMDCAdmin group as "Read Only" on every parent object up to and including the datacenter. No problems when I log on to the VC Server via the VI client. I see only the DC resource pool and the VM within it. However, when I use the VI web client, I can log on, but I do not see any virtual machines. I've tried various configurations but get the same result. The ONLY way I have been able to see any virtual machines is to set the vmDCAdmin as "Read Only" at the datacenter level AND to propagate to all child objects. I can then see all VMs via the web interface. Clearly this is not desirable. Is there some sort of bug, or is this by design? BTW, I can successfully see the VMs when I log on via the web interface with my domain admin account, so it's not as if I can never see virtual machines via the web interface. I can also individually access the VM via the VM URL specific address.

    Any assistance greatly appreciated.

    RB



  • 2.  RE: Unable to see Virtual Machines via Web Access

    Posted Aug 06, 2007 01:02 PM

    In general, there is no reason to grant permissions at the parent objects, just to see the subset of resources you require. Is there a particular reason you're granting RO to each parent object all the way up to root?

    If you grant permissions only to the VMs the users need, the viewing rights are implied that allow the user to drill down to the VMs.

    Also, when you're using the web interface, are you connecting to the host or VC web service?



  • 3.  RE: Unable to see Virtual Machines via Web Access

    Posted Aug 06, 2007 02:01 PM

    I was granting permissions up the tree because I read that was a requirement in previous posts. I've tried just adding the vmuser role to the VM only and it worked! However, when I apply the vmuser role to the resource pool and propagate down to the VM within it, I'm back to logging on but not getting the VM. Shouldn't this work at the resource pool level?

    I'm using the web interface to connect to the VC server web service.

    RB



  • 4.  RE: Unable to see Virtual Machines via Web Access

    Posted Aug 06, 2007 02:48 PM

    Where you say it's not working when propagated from the Resource Pool (instead of a single VM), is this via the VIC or the web service?

    Have you tried both and both don't work correctly, or is it just the web view that's incorrect? One thing you may want to consider is trying to apply the permissions at a Folder instead of the Resource Pool. I'm not sure this will help, but it's worth a shot. (Make sure you have folders that reflect the resource pools.)



  • 5.  RE: Unable to see Virtual Machines via Web Access

    Posted Aug 06, 2007 04:14 PM

    Hello,

    When setting Roles and Permissions throughout your tree, remember that the permission used is the most restrictive permission for the branch of the tree the user is trying to access.

    So if at Level 2 of the branch you have R/O and at Level 4 you have VM user, the Level 2 setting of R/O is what is used.

    It is best to just set one Role and Permission at the position of the branch you require.

    Now, some things get set on the Resource Pool (Host and Cluster View) and other things on VMs (Templates and VM Views); make sure you use the correct view when setting permissions.

    Best regards,

    Edward



  • 6.  RE: Unable to see Virtual Machines via Web Access

    Posted Aug 06, 2007 05:25 PM

    > So if at Level 2 of the branch you have R/O and at Level 4 you have VM user, the Level 2 setting of R/O is what is used.

    Sorry, but that is not correct.

    Sticking to r_b's example, to avoid any confusion, if R/O is applied to a user/group at MyDataCenter, then VM User is applied to the same user/group at DCs Resource Pool, the VM User permission will apply to DCs Resource Pool - not the most restrictive.

    If applied in the reverse direction, then yes, the R/O permission applies, not because it is most restrictive, but due to proximity rules.
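The proximity rule described in this reply, modelled as an added example (not code from the thread or from VMware). It assumes the vCenter behaviour the reply states: the assignment on the nearest object in the path to the root wins, and a parent's assignment only reaches children when it propagates; roles are never intersected. The inventory tree and group name are constructed from the original post.

```python
"""Model of vCenter-style permission resolution (added example, not from the thread).

Assumption: the effective role for a principal on an object is the assignment on
the nearest object on its path to the root; a parent's assignment reaches
children only when propagate=True. The closest assignment wins (proximity rule).
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    perms: dict = field(default_factory=dict)  # principal -> (role, propagate)

    def grant(self, principal, role, propagate=True):
        self.perms[principal] = (role, propagate)


def effective_role(obj, principal):
    """Walk from the object towards the root; the first usable assignment wins."""
    node, distance = obj, 0
    while node is not None:
        entry = node.perms.get(principal)
        if entry is not None:
            role, propagate = entry
            if distance == 0 or propagate:
                return role
            # assumption: a non-propagating role on an ancestor is skipped and the
            # walk continues to older ancestors
        node, distance = node.parent, distance + 1
    return None  # no assignment anywhere: the object is not visible at all


def build_inventory():
    """The poster's tree (constructed): datacenter > cluster > resource pools > VMs."""
    dc = Node("MyDataCenter")
    cluster = Node("MyCluster", dc)
    pools = {n: Node(n, cluster) for n in ("Development", "Production", "Citrix", "DCs")}
    vms = {n: Node(n + " VM", pools[n]) for n in pools}
    return dc, cluster, pools, vms


def least_privilege_layout():
    """Intended layout: VM User on the DCs pool only, propagated to its VMs."""
    dc, cluster, pools, vms = build_inventory()
    pools["DCs"].grant("vmDCAdmins", "Virtual Machine User")
    return {n: effective_role(vm, "vmDCAdmins") for n, vm in vms.items()}


def overbroad_layout():
    """The workaround from the first post: Read Only at the datacenter, propagated."""
    dc, cluster, pools, vms = build_inventory()
    dc.grant("vmDCAdmins", "Read Only")  # reaches every VM in the datacenter
    pools["DCs"].grant("vmDCAdmins", "Virtual Machine User")  # closer, so it wins for DCs
    return {n: effective_role(vm, "vmDCAdmins") for n, vm in vms.items()}
```

Run the two layouts side by side to see why the workaround exposes every VM to the group while the least-privilege layout leaves the other pools invisible.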



  • 7.  RE: Unable to see Virtual Machines via Web Access

    Posted Aug 06, 2007 11:59 PM

    The issue is only with access via the web service to the VC server. Through VI, it behaves as it should.

    I've done some more playing around with it. From what I can tell, it works fine, as long as you set the "Virtual Machine User" role on the VM within the resource pool FIRST, then you can set whatever you want at the resource pool level and it will continue to work.

    I wouldn't think this is by design. This is fine if you have 1 VM, but would be a pain if you had a bunch of VMs within a resource pool. It seems like the whole concept of propagation is askew.

    R_B