12 Replies Latest reply on Feb 6, 2013 12:57 PM by jribero

    User permissions in ESXi 4.1

    roadgeek Novice

      Here is my scenario: Using ESXi 4.1 standalone (no vCenter) I want to give a specific local user (steve) administrative access to his own resource pool, but not give him access to any other virtual machines or resource pools.  Let's say I have the following structure:

      esxi-02 system

      -Production Resource pool

      -- Production system 1

      -- Production system 2

      -Steve Sandbox Resource Pool

      -- Steve Sandbox system 1

      -- Steve Sandbox system 2

      In this case, I want to let steve log in and manage his resource pool, but I don't want him to be able to see the production resource pool or any systems in other pools.  He should be able to create and remove VMs within his resource pool; essentially full administrative access.

      So, here's what I've done in an attempt to achieve this:

      1. Create the user 'steve'.
      2. Clicked on the "esxi-02" 'root' and the permissions tab, and added user 'steve' as role "Administrator", unclicking the "propagate permissions" checkbox.
      3. Clicked on Steve Sandbox Resource Pool and over to the permissions tab.  Here, I added 'steve' as role "Administrator" and this time I did click the "propagate permissions" checkbox.

      Now, this almost works; steve can log in and see only his resource group and systems.  Further, he can access the systems console, start and stop VMs, create snapshots, etc.  However, when he goes to create a virtual machine, he gets an error:

      "You do not have the privilege 'Virtual machine > Inventory > Create new' on the selected Host."

      This is confusing, since on both levels, 'steve' has administrative access. What am I doing wrong? Thanks for your help.

        • 1. Re: User permissions in ESXi 4.1
          sflanders Master
          vExpertVMware Employees

          What happens if you propagate administrator rights from the host?

          By no vCenter Server do you mean the host is completely separate and unmanaged or that you are logging into the ESXi host directly, but the host is still part of vCenter Server?

          • 2. Re: User permissions in ESXi 4.1
            roadgeek Novice

            Hi,

            If I propagate Administrative privileges from the host, then steve has full access to all systems and resource pools, which is more access than I want him to have.

            By no vCenter, I mean the host is completely isolated with no vCenter in the picture; it's a single ESXi 4.1 system running in our lab that I'm managing directly.

            Thanks!

            • 3. Re: User permissions in ESXi 4.1
              4nd7 Enthusiast

              Hi,

              Please create a new role with the following permissions:

              Datastore -> Allocate space

              Virtual Machine -> Configuration -> Add new disk

              Virtual Machine -> Configuration -> Add or remove device

              Virtual Machine -> Inventory -> Create new

              At the host level assign steve the new role and propagate to child objects. At the resource pool level add steve with the admin role.

              The only problem I see with this solution is that you will need to have all your machines in resource pools and not at root level, because steve will be able to add disks to those machines.

              Let me know if it worked for you.

              Thanks!

              • 4. Re: User permissions in ESXi 4.1
                roadgeek Novice

                4nd7,

                Thank you very much for your reply!  I've tried this, and now steve can create VMs in his resource pool.  The only problem is, he can also see all other resource pools and the systems in them, as well as edit/add devices to them.  Any ideas?  Thank you again for your reply!

                • 5. Re: User permissions in ESXi 4.1
                  bulletprooffool Virtuoso

                  If he was able to follow the wizard (before 4nd7's change) but got a permission problem on storage, then all he really needed in addition to the rights you originally assigned was:

                  Datastore -> Allocate space (for any datastores on which he will build VMs)

                  • 6. Re: User permissions in ESXi 4.1
                    4nd7 Enthusiast

                    Hi roadgeek,

                    You can add steve's account with no access on the intended resource pools.

                    Thank you!

                    • 7. Re: User permissions in ESXi 4.1
                      Pioneer-vmware Lurker

                      I have something similar, and it has only showed up since I upgraded to 4.1.

                      I have a ESXi 4.1 host used for testing/lab purposes which I have permissioned for certain individuals, giving them pretty much full admin permissions.

                      However since I upgraded Virtual Center and the host to 4.1 these Lab admins can no longer create new virtual machines.

                      You get the error "You do not have the privilege 'Virtual machine > Inventory > Create new' on the selected Datacenter".

                      So it seems I now have to also permission the whole Datacenter with these rights to allow them just to create a VM in that one host.

                      I don't really want to put in this extra permissioning, as it seems unnecessary and it wasn't an issue prior to the upgrade.

                      thanks

                      • 8. Re: User permissions in ESXi 4.1
                        DinamiQs Lurker

                        Instead of adding the permissions on the datacenter, you can add them on the host or multiple hosts.

                        Then they will not see the other resource pools.

                        • 9. Re: User permissions in ESXi 4.1
                          roadgeek Novice

                          Erik,

                          Do you know if this can be done with a standalone ESXi 4.1 system (no vCenter, local authentication)?

                          Thank you!

                          • 10. Re: User permissions in ESXi 4.1
                            DinamiQs Lurker

                            Dear roadgeek,

                            I'm a little bit confused now, because on a stand-alone ESXi host you can not have resource pools.

                            You can set permissions on single ESXi or ESX hosts without vCenter, but you will not be able to create resource pools or even use them.

                            • 11. Re: User permissions in ESXi 4.1
                              Rob-SSE Expert

                              ErikW wrote:

                              Dear roadgeek,

                              I'm a little bit confused now, because on a stand-alone ESXi host you can not have resource pools.

                              You can set permissions on single ESXi or ESX hosts without vCenter, but you will not be able to create resource pools or even use them.

                              You can create resource pools in a standalone ESXi 4.1 host. You can also create custom roles.

                              Regarding the permissions:

                              One solution is to grant the user the full Administrator role at the top level with propagation enabled. Then grant "No access" to explicitly deny access on the resources that you don't want that user to have rights to.
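To make the permission resolution behind 4nd7's fix (reply 3) and Rob-SSE's alternative (reply 11) concrete, here is a small Python model of how vSphere resolves a user's effective role on an inventory object: a permission set directly on an object wins, otherwise the nearest ancestor permission marked "propagate" applies, and "No Access" is just a role with no privileges. This is an added example, not code from the thread or from VMware. The inventory tree, the user name and the "VM Creator" role name are constructed, and the model assumes the HostSystem object sits one level below the top-level node the client shows (an assumption made so that roadgeek's original configuration reproduces the 'Create new' error; the thread does not say where the wizard checks the privilege). The four privilege identifiers are the vSphere IDs of the privileges 4nd7 lists.

```python
"""Model of vSphere permission resolution on an inventory tree (added example).
A permission set directly on an object applies there; otherwise the nearest
ancestor permission marked "propagate" applies; "No Access" is a role with no
privileges, so it masks anything that would be inherited from above."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALL = "*"  # stands for every privilege (the built-in Administrator role)

# vSphere privilege identifiers for the four privileges 4nd7 lists.
DS_ALLOCATE = "Datastore.AllocateSpace"
VM_ADD_DISK = "VirtualMachine.Config.AddNewDisk"
VM_ADD_DEVICE = "VirtualMachine.Config.AddRemoveDevice"
VM_CREATE = "VirtualMachine.Inventory.Create"

ROLES = {
    "Administrator": {ALL},
    "No Access": set(),
    "VM Creator": {DS_ALLOCATE, VM_ADD_DISK, VM_ADD_DEVICE, VM_CREATE},  # custom role (name constructed)
}

@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    children: List["Node"] = field(default_factory=list)
    perms: Dict[str, Tuple[str, bool]] = field(default_factory=dict)  # user -> (role, propagate)

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)

def grant(node, user, role, propagate):
    node.perms[user] = (role, propagate)

def effective_role(node, user):
    """Walk from the object to the root; the closest applicable permission wins."""
    current, direct = node, True
    while current is not None:
        entry = current.perms.get(user)
        if entry is not None:
            role, propagate = entry
            if direct or propagate:  # an ancestor's permission counts only if it propagates
                return role
        current, direct = current.parent, False
    return None

def privileges(node, user):
    role = effective_role(node, user)
    return set() if role is None else ROLES[role]

def has_privilege(node, user, priv):
    privs = privileges(node, user)
    return ALL in privs or priv in privs

def visible(node, user):
    """Shown in the inventory if the user holds a privilege on it or on a descendant."""
    return bool(privileges(node, user)) or any(visible(c, user) for c in node.children)

def build_inventory():
    # Assumption: the client's top-level node sits above the HostSystem object,
    # so a non-propagating permission set there never reaches the host itself.
    root = Node("esxi-02 (top-level node)")
    host = Node("HostSystem", root)
    root_vm = Node("VM outside any pool", host)
    prod = Node("Production Resource pool", host)
    Node("Production system 1", prod)
    Node("Production system 2", prod)
    sandbox = Node("Steve Sandbox Resource Pool", host)
    Node("Steve Sandbox system 1", sandbox)
    Node("Steve Sandbox system 2", sandbox)
    return {"root": root, "host": host, "root_vm": root_vm, "prod": prod, "sandbox": sandbox}

# Each scenario is a list of (object, role, propagate) grants for the user.
SCENARIOS = {
    "original": [("root", "Administrator", False), ("sandbox", "Administrator", True)],
    "custom role": [("host", "VM Creator", True), ("sandbox", "Administrator", True)],
    "no access": [("root", "Administrator", True), ("prod", "No Access", True)],
}

def run_scenario(name, user="steve"):
    inv = build_inventory()
    for where, role, propagate in SCENARIOS[name]:
        grant(inv[where], user, role, propagate)
    return {
        "create_vm_on_host": has_privilege(inv["host"], user, VM_CREATE),
        "sees_production_pool": visible(inv["prod"], user),
        "add_disk_on_production_vm": has_privilege(inv["prod"].children[0], user, VM_ADD_DISK),
        "add_disk_on_root_level_vm": has_privilege(inv["root_vm"], user, VM_ADD_DISK),
        "admin_on_sandbox_vm": effective_role(inv["sandbox"].children[0], user) == "Administrator",
    }

if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, run_scenario(name))
```

Running it prints one result line per scenario. The "original" scenario gives steve nothing on the host object, which is the 'Create new' failure; "custom role" lets him create VMs but also makes the production pool visible and lets him add disks to its VMs, which is exactly what roadgeek reported back in reply 4 and the caveat 4nd7 raised about VMs outside any pool; "no access" keeps the production pool hidden while the propagated Administrator role still reaches every other object, so any VM you do not explicitly deny stays fully accessible.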

                              • 12. Re: User permissions in ESXi 4.1
                                jribero Lurker

                                Update on this.

                                I have been trying to delegate only a cluster to others in my company (vCenter 5.1).

                                I have assigned permissions to:

                                - Cluster, with a single ESX host under it (obvious)

                                - A datastore, which happens to be on the host (local disk)

                                - Networks: I wanted to give them a choice of networks, so under "Networks" I created a folder, placed all the networks under this folder, and assigned permissions to the folder.

                                - Lastly, and this was the one that solved it for me, I created a folder under the "machines and templates" view, and gave permissions there.

                                I think this was the one holding me back.

                                In "hosts and clusters" view, any new VM created is placed in the root of your datacenter (the wizard doesn't allow you to choose a folder).

                                I did not want to give out permissions at the datacenter level.

                                The instructions I gave to users were to first switch to the machines and templates view. From their login, they only see their folder.

                                Select your folder, then start the new virtual machine wizard.

                                Hope this helps,

                                Ribs