
VC rights

  • 1.  VC rights

    Posted Mar 13, 2008 02:27 PM

    Trying to create a role where a group of users are just able to power on, reset, and turn off VMs. Also would like these users to be able to attach their CD-ROM from their PC to the VM. Does anyone know exactly which rights they need to attach a local CD-ROM to a VM?



  • 2.  RE: VC rights

    Posted Mar 13, 2008 03:34 PM

    That is the "Virtual Machine User". That one has these privileges:

    Power On

    Power OFF

    Suspend

    Reset

    Answer Questions

    Console

    Device connection

    Configure CD

    Configure Floppy

    Tools install

    Just what you listed... ;) You can of course make your own role and take out some of the privileges.

    br

    lars

    If you found this information useful please award points.



  • 3.  RE: VC rights

    Posted Mar 13, 2008 03:44 PM

    nope

    get permission to perform this operation was denied



  • 4.  RE: VC rights

    Posted Mar 13, 2008 03:53 PM

    Hmm works fine for me..

    Did you set these on the host or on the VMs?

    Since these privileges are pure VM guest rights, make sure to set these on the VMs, in the Virtual Machines and Templates view. We set it on a folder there and then add VMs in here...



  • 5.  RE: VC rights

    Posted Mar 13, 2008 03:59 PM

    What I have is 4 datacenters.

    In one of the datacenters there is cluster A and cluster B.

    I want these rights to apply to certain users and only apply them to cluster B because those users only need to see cluster B.



  • 6.  RE: VC rights

    Posted Mar 13, 2008 04:27 PM

    Do you have any builtin groups assigned to your objects that are inheriting rights? Like the users group.

    You need to keep in mind that if a user is a member of two groups then the roles are unioned and then applied. These can be overridden at the object level.



  • 7.  RE: VC rights

    Posted Mar 13, 2008 03:58 PM

    What groups and roles are applied to the object? You may be experiencing a permissions override at the object level.



  • 8.  RE: VC rights

    Posted Mar 13, 2008 04:01 PM

    Try to create a group with Read only access and no Propagate on the "root" object in VC (Host and clusters view).

    edit

    (And of course add the users to the group :) )



  • 9.  RE: VC rights

    Posted Mar 13, 2008 04:07 PM

    No, don't do that! We don't know how it is set up yet.

    Let's find out what is configured first.



  • 10.  RE: VC rights

    Posted Mar 13, 2008 04:10 PM

    Fully agree with Mike!

    KJP - WHY would you suggest this? What are you trying to accomplish?



  • 11.  RE: VC rights

    Posted Mar 13, 2008 04:15 PM

    I am trying this with a test account.

    I gave my test account read only at the object layer of the cluster within the datacenter and still no luck.



  • 12.  RE: VC rights

    Posted Mar 13, 2008 04:17 PM

    To solve the problem with "permission denied" when you add the user right "Virtual Machine User" and try to mount the CD-ROM on a VM.

    Is there any other way?? (I believe this is a bug in VC..)

    I got it from this post org... http://communities.vmware.com/message/862964#862964



  • 13.  RE: VC rights

    Posted Mar 13, 2008 04:25 PM

    There are some permission related bugs in VC 2.5. One fix we got from VMware Support that resolved (some) of our issues is to apply the role "Virtual Machine Power User" at the "Host and Clusters" folder level for the group in question. MAKE SURE to uncheck the propagate permissions box, you only want this to apply on the hosts and clusters folder.

    Don Pomeroy

    VMware Communities User Moderator



  • 14.  RE: VC rights

    Posted Mar 13, 2008 04:28 PM

    Yep, that's the way I had to solve it, only I used the "Read-Only" role; works fine so far.



  • 15.  RE: VC rights

    Posted Mar 13, 2008 04:31 PM

    That's interesting, did you get "read only" from VMware Support, or your own trial and error?

    Don Pomeroy

    VMware Communities User Moderator



  • 16.  RE: VC rights

    Posted Mar 13, 2008 04:35 PM

    See the last post at the link I posted; he added read-only rights so I did the same thing.



  • 17.  RE: VC rights

    Posted Mar 13, 2008 04:40 PM

    Hello,

    I'm not saying it is wrong. We just need to know what's there before changing it. Rights can disable everything if not applied carefully.

    I have had to do a similar change on mine.



  • 18.  RE: VC rights

    Posted Mar 13, 2008 05:03 PM

    resolved



  • 19.  RE: VC rights

    Posted Mar 14, 2008 12:32 PM

    What did you do to solve it?



  • 21.  RE: VC rights

    Posted Mar 14, 2008 12:37 PM

    What Mike suggested.

    I had to clone read only rights, apply it to host and clusters no propagate and go to intevention and CD-ROM access and add the groups to that role.



  • 22.  RE: VC rights

    Posted Mar 17, 2008 11:13 PM

    Tried this and now users can see the cluster information - host, DRS, Task & events.

    In a hosting environment this is not good. I'll log a support call for a fix or workaround.



  • 23.  RE: VC rights

    Posted Mar 18, 2008 03:57 AM

    This post went offline, so to clarify what was discussed I will post the action items.

    Clone the readonly role and enable the Virtual Machine->Interaction->Device Connection permission.

    Create a group, either AD or local with an AD group in it, and assign this Group+Role to the Hosts and Cluster level without propagation.

    This assignment itself will not grant any visibility to VMs, hosts or clusters because it is not propagated.

    I have tested it.
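
The action items in post 23, scripted as an added example (not part of the original thread and not VMware's own code). It assumes a VMware PowerCLI session; the server, group and role names are placeholders, and the inventory root folder returned by `Get-Folder -NoRecursion` is assumed to be the "Hosts and Cluster level" the post refers to.

```powershell
# Added example: all names below are placeholders, not values from the thread.
$vcServer  = 'vcenter.example.internal'   # placeholder vCenter address
$groupName = 'EXAMPLE\VM-CD-Operators'    # placeholder AD group
$roleName  = 'ReadOnly-DeviceConnect'     # placeholder name for the cloned role

Connect-VIServer -Server $vcServer | Out-Null

# 1. Clone the built-in read-only role by copying its privileges.
$readOnlyPrivs = Get-VIPrivilege -Role (Get-VIRole -Name 'ReadOnly')
$role = New-VIRole -Name $roleName -Privilege $readOnlyPrivs

# 2. Enable Virtual Machine -> Interaction -> Device Connection on the clone.
$deviceConnect = Get-VIPrivilege -Id 'VirtualMachine.Interact.DeviceConnection'
$role = Set-VIRole -Role $role -AddPrivilege $deviceConnect

# 3. Assign group + role on the inventory root only, with propagation off,
#    so the grant does not flow down to datacenters, clusters, hosts or VMs.
$root = Get-Folder -NoRecursion
New-VIPermission -Entity $root -Principal $groupName -Role $role `
    -Propagate:$false | Out-Null

# 4. Verify the root assignment really is non-propagating.
$rootPerm = Get-VIPermission -Entity $root -Principal $groupName
if ($rootPerm.Propagate) {
    Write-Warning "Root permission for $groupName propagates; children become visible."
}

# 5. Review every other grant for the group. A propagating grant higher up than
#    intended is what exposes cluster and host details to these users.
Get-VIPermission -Principal $groupName |
    Sort-Object Entity |
    Format-Table Entity, Role, Propagate, IsGroup -AutoSize
```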



  • 24.  RE: VC rights

    Posted Mar 18, 2008 05:33 AM

    Thanks Mike,

    Just tested the setup and tested with a user who is a member of that domain group.

    At the root of the cluster I can see all the tabs. Remove the group from the Cluster Root permissions and the view changes to "You do not have permission to access this object".

    With the above settings, still getting "Permission to perform this operation was denied" when the user has "Virtual Machine Power User" rights to the VM.

    Still waiting on VMware support.



  • 25.  RE: VC rights

    Posted Mar 18, 2008 06:07 AM

    In addition to what I suggested for the original post, an AD group was already created and applied at the Cluster level, granting the group a cloned Virtual Machine User role with the connect perm added. This permission was propagated at that level. I would not use builtin groups as they can be trouble in some cases.



  • 26.  RE: VC rights

    Posted Mar 26, 2008 05:49 AM

    Just got an update from VM support.

    Cause:

    This error was being raised due to a dynamic privileges checking code.

    Solution:

    The code has been rectified, and this issue does not exist in VirtualCenter 2.5 Update 1.

    Currently engineering is working on this update, with no ETA as of now.



  • 27.  RE: VC rights

    Posted May 05, 2008 09:20 PM

    Yeah, well that's dandy of support to /say/ that but I don't believe it for a moment. I just upgraded to 2.5U1 (84767) and am still sorting through problems that have developed in my previous permission settings in 2.0.1. I have 3 datacenters, 6 clusters spread amongst them, and pretty serious folder structure in the VM view. I grant selective read-only, user, VM admin, and cloning permissions based on groups to different parts of the folder structure and clusters.

    The big headache came when I found that folks with user perms were getting spurious "permission denied" messages even though their actual operations were completing fine. Through observation, we figured out that the error was related to the ESX host name not showing up in the "Host" column or in the title bar of console windows. So I granted DC browser privileges to the ESX hosts and voilà! But I'm sure there must be a better way.

    I just wish there was some actual freakin' documentation of how they've adjusted the permissions model. The documentation in the admin guide is a real joke because it fails to illuminate the task permission requirements on different parts of the object model. Even the information I got for VC 1.x and 2.0.x came from the community... so has someone actually sorted this out yet? I'm muddling through for the moment, but it's especially frustrating.



  • 28.  RE: VC rights

    Posted May 05, 2008 10:33 PM

    I'll find out this weekend if SP1 fixes the CD-ROM mount permission errors. I have been putting it off, waiting for some community feedback on SP1. From what you are saying the permissions are still not 100% fixed :(

    richard