VMware Cloud Community
roadgeek
Contributor

User permissions in ESXi 4.1

Here is my scenario: Using ESXi 4.1 standalone (no vCenter) I want to give a specific local user (steve) administrative access to his own resource pool, but not give him access to any other virtual machines or resource pools.  Let's say I have the following structure:

esxi-02 system

-Production Resource pool

-- Production system 1

-- Production system 2

-Steve Sandbox Resource Pool

-- Steve Sandbox system 1

-- Steve Sandbox system 2

In this case, I want to let steve log in and manage his resource pool, but I don't want him to be able to see the production resource pool or any systems in other pools.  He should be able to create and remove VMs within his resource pool; essentially full administrative access.

So, here's what I've done in an attempt to achieve this:

  1. Create the user 'steve'.
  2. Clicked on the "esxi-02" 'root' and the permissions tab, and added user 'steve' as role "Administrator", unclicking the "propagate permissions" checkbox.
  3. Clicked on Steve Sandbox Resource Pool and over to the permissions tab.  Here, I added 'steve' as role "Administrator" and this time I did click the "propagate permissions" checkbox.

Now, this almost works; steve can log in and see only his resource group and systems.  Further, he can access the systems console, start and stop VMs, create snapshots, etc.  However, when he goes to create a virtual machine, he gets an error:

"You do not have the privilege 'Virtual machine > Inventory > Create new' on the selected Host."

This is confusing, since on both levels, 'steve' has administrative access.  What am I doing wrong?   Thanks for your help.

12 Replies
sflanders
Commander

What happens if you propagate administrator rights from the host?

By no vCenter Server do you mean the host is completely separate and unmanaged or that you are logging into the ESXi host directly, but the host is still part of vCenter Server?

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
roadgeek
Contributor

Hi,

If I propagate Administrative privileges from the host, then steve has full access to all systems and resource pools, which is more access than I want him to have.

By no vCenter, I mean the host is completely isolated with no vCenter in the picture; it's a single ESXi 4.1 system running in our lab that I'm managing directly.

Thanks!

4nd7
Enthusiast

Hi,

Please create a new role with the following permissions:

Datastore -> Allocate space

Virtual Machine -> Configuration -> Add new disk

Virtual Machine -> Configuration -> Add or remove device

Virtual Machine -> Inventory -> Create new

At the host level assign steve the new role and propagate to child objects. At the resource pool level add steve with the admin role.

The only problem I see with this solution is that you will need to have all your machines in resource pools and not at root level, because steve will be able to add disks to those machines.

Let me know if it worked for you.

Thanks!

roadgeek
Contributor

4and7,

Thank you very much for your reply!  I've tried this, and now steve can create VMs in his resource pool.  The only problem is, he can also see all other resource pools and the systems in them, as well as edit/add devices to them.  Any ideas?  Thank you again for your reply!

bulletprooffool
Champion

If he was able to follow the wizard (before 4and7's change) but got a permission problem on storage, then all he really needed in addition to the rights you originally assigned was:

Datastore -> Allocate space  (For any Datastores on which he will build VMs)

One day I will virtualise myself . . .
4nd7
Enthusiast

Hi roadgeek,

You can add steve's account with no access on the intended resource pools.

Thank you!

Pioneer-vmware
Contributor

I have something similar, and it has only shown up since I upgraded to 4.1.

I have a ESXi 4.1 host used for testing/lab purposes which I have permissioned for certain individuals, giving them pretty much full admin permissions.

However since I upgraded Virtual Center and the host to 4.1 these Lab admins can no longer create new virtual machines.

You get the error "You do not have the privilege 'Virtual machine > Inventory > Create new' on the selected Datacenter".

So it seems I now have to also permission the whole Datacenter with these rights to allow them just to create a VM in that one host.

I don't really want to put in this extra permissioning, as it seems unnecessary and it wasn't an issue prior to the upgrade.

thanks

DinamiQs
Contributor

Instead of adding the permissions on the datacenter, you can add them on the host or multiple hosts.

Then they will not see the other resource pools.

roadgeek
Contributor

Erik,

Do you know if this can be done with a standalone ESXi 4.1 system (no vCenter, local authentication)?

Thank you!

DinamiQs
Contributor

Dear roadgeek,

I'm a little bit confused now, because on a standalone ESXi host you cannot have resource pools.

You can set permissions on single ESXi or ESX hosts without vCenter, but you will not be able to create resource pools or even use them.

Walfordr
Expert

ErikW wrote:

Dear roadgeek,

I'm a little bit confused now, because on a standalone ESXi host you cannot have resource pools.

You can set permissions on single ESXi or ESX hosts without vCenter, but you will not be able to create resource pools or even use them.

You can create resource pools in a standalone ESXi 4.1 host. You can also create custom roles.

Regarding the permissions:

One solution is to grant the user the full Administrator role at the top level with propagation enabled.  Then grant "No access" to explicitly deny access on the resources that you don't want that user to have rights to.

Robert -- BSIT, VCP3/VCP4, A+, MCP (Wow I haven't updated my profile since 4.1 days) -- Please consider awarding points for "helpful" and/or "correct" answers.
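As an added illustration that is not part of any reply in this thread, the following Python script models the vSphere permission rule both recipes above rely on: the permission set directly on an object wins, otherwise the nearest propagating permission on an ancestor applies, and an object on which the user ends up with no privileges is invisible to that user. It builds roadgeek's inventory (names constructed from the first post), applies 4nd7's custom-role recipe, the same recipe with "No access" added on the Production pool, and Walfordr's Administrator-plus-"No access" recipe, and reports what steve can see and do in each case. The privilege IDs are the real vSphere names for the privileges mentioned in the thread; the roles and the `Obj`, `effective_role`, `can`, `visible` and `summarize` helpers are constructed for this example. The hidden objects a real standalone host carries under the visible host icon (datacenter, VM folder, root resource pool) are not modelled, so the script does not reproduce the original "Create new" error; it only shows why the custom-role recipe leaves steve able to add disks in Production, and why a "No access" entry on that pool closes it.

```python
"""Toy model of vSphere permission propagation on a standalone ESXi host.

Rules modelled (the documented vSphere behaviour, simplified):
  * a permission = (principal, role, propagate) attached to an inventory object
  * for a given object and user, a permission on the object itself wins;
    otherwise the nearest ancestor permission with propagate=True applies
  * a non-propagating permission on an ancestor is skipped and the walk continues
  * an object on which the user holds no privilege is invisible to that user
NOT modelled: the hidden datacenter / VM-folder / root-pool objects of a real
standalone host, so this does not reproduce the thread's original error.
All object names below are constructed for this example.
"""
from dataclasses import dataclass, field

# Real vSphere privilege IDs for the privileges named in the thread.
CREATE = "VirtualMachine.Inventory.Create"
ADD_DISK = "VirtualMachine.Config.AddNewDisk"
ADD_DEVICE = "VirtualMachine.Config.AddRemoveDevice"
ALLOCATE = "Datastore.AllocateSpace"
POWER_ON = "VirtualMachine.Interact.PowerOn"

# Roles as privilege sets. The real Administrator role holds every privilege;
# only the ones exercised below are listed here.
ADMINISTRATOR = frozenset({CREATE, ADD_DISK, ADD_DEVICE, ALLOCATE, POWER_ON})
NO_ACCESS = frozenset()
# The four-privilege custom role proposed by 4nd7.
VM_CREATOR = frozenset({ALLOCATE, ADD_DISK, ADD_DEVICE, CREATE})


@dataclass
class Obj:
    """An inventory object (host, resource pool or VM) with its own permissions."""
    name: str
    parent: "Obj | None" = None
    perms: dict = field(default_factory=dict)  # principal -> (role, propagate)

    def grant(self, user, role, propagate):
        self.perms[user] = (role, propagate)
        return self


def effective_role(obj, user):
    """Walk from obj up to the root; the nearest applicable permission wins."""
    node, is_self = obj, True
    while node is not None:
        if user in node.perms:
            role, propagate = node.perms[user]
            if is_self or propagate:
                return role
        node, is_self = node.parent, False
    return NO_ACCESS


def can(obj, user, priv):
    return priv in effective_role(obj, user)


def visible(obj, user):
    return bool(effective_role(obj, user))


def build_inventory():
    host = Obj("esxi-02")
    prod = Obj("Production", host)
    prod_vm = Obj("Production system 1", prod)
    sandbox = Obj("Steve Sandbox", host)
    sandbox_vm = Obj("Steve Sandbox system 1", sandbox)
    return {"host": host, "prod": prod, "prod_vm": prod_vm,
            "sandbox": sandbox, "sandbox_vm": sandbox_vm}


def custom_role_recipe(deny_production=False):
    """4nd7's recipe: custom role propagated from the host, Administrator on
    the sandbox pool. deny_production adds "No access" on the Production pool."""
    inv = build_inventory()
    inv["host"].grant("steve", VM_CREATOR, propagate=True)
    inv["sandbox"].grant("steve", ADMINISTRATOR, propagate=True)
    if deny_production:
        inv["prod"].grant("steve", NO_ACCESS, propagate=True)
    return inv


def admin_plus_no_access_recipe():
    """Walfordr's recipe: Administrator propagated from the top, "No access"
    on whatever steve must not reach."""
    inv = build_inventory()
    inv["host"].grant("steve", ADMINISTRATOR, propagate=True)
    inv["prod"].grant("steve", NO_ACCESS, propagate=True)
    return inv


def summarize(inv, user="steve"):
    return {
        "create_on_host": can(inv["host"], user, CREATE),
        "admin_on_sandbox_vm": effective_role(inv["sandbox_vm"], user) == ADMINISTRATOR,
        "sees_production": visible(inv["prod"], user),
        "add_disk_on_production_vm": can(inv["prod_vm"], user, ADD_DISK),
        "power_on_production_vm": can(inv["prod_vm"], user, POWER_ON),
    }


if __name__ == "__main__":
    for label, inv in [("custom role", custom_role_recipe()),
                       ("custom role + No access", custom_role_recipe(deny_production=True)),
                       ("admin + No access", admin_plus_no_access_recipe())]:
        print(label, summarize(inv))
```

Running it shows the first recipe granting steve `VirtualMachine.Config.AddNewDisk` on the Production VMs (the caveat 4nd7 raised and the behaviour roadgeek then saw), while the two "No access" variants leave Production invisible to him and still give him Administrator on his own pool.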
jribero
Contributor

Update on this.

I have been trying to delegate only a cluster to others in my company (vCenter 5.1).

I have assigned permissions to:

- Cluster, with a single ESX host under it (obvious)

- A datastore, which happens to be on the host (local disk)

- Networks:  I wanted to give them a choice of networks, so under "Networks" I created a folder, placed all the networks under this folder, and assigned permissions to the folder

- Lastly, and this was the one that solved it for me, I created a folder under the "machines and templates" view, and gave permissions there.

I think this was the one holding me back.

In "hosts and clusters" view, any new VM created is placed in the root of your datacenter (the wizard doesn't allow you to choose a folder).

I did not want to give out permissions at the datacenter level.

The instructions I gave to users were to first switch to the machines and templates view.  From their login, they only see their folder.

Select your folder, then start the new virtual machine wizard.

Hope this helps,

Ribs
