VMware Cloud Community
Dagnabbit
Contributor

Minimum permissions for a user to clone a VM

I've been struggling with this: ensuring that our users have the minimum permissions on our ESX VC system. When we first set up our first ESX cluster and VC, we gave everyone VM Admin permissions on their own folders and VMs, as well as VM Admin privs on the datacenter, cluster and host server (without propagating those permissions past the host server). This allows users to mess with VM advanced settings, like CPU affinity, which screws up VMotion on the ESX cluster. So, what I've done is clone the VM Admin role and remove anything that allows the user to edit advanced settings on the VM, or anything on the host except create/remove VMs. So far, all of the users can edit their VMs (but not the advanced settings) and take and manage snapshots; they can do everything they need except clone a VM.

The way permissions are set up: put the most permissions at the top of the hierarchy, and then limit them as you drill down the ladder (something VMware tech support had us do when we initially set up our system two years ago). For the sake of the explanation, we'll call my altered VM Admin role Company User.

On the Hosts and Clusters view, the typical user has Company User privs on the Hosts and Clusters object, which is propagated down to the datacenter object, cluster object and host server objects. At the host server, the role is changed to not propagate any further. On any datacenter that the user is not supposed to access, the permissions are changed to "no access".

On the Folders and Templates view, the Company User role is assigned to the user at the Folders and Templates object, and allowed to propagate down through the datacenter object. On each of the folders under the datacenter object, the user is either changed to "no access" if they're not supposed to access that folder, or the permission is allowed to propagate.

Here are the permissions I have set up on the Company User role:

  • Global
    • Cancel Task
  • Host
    • Local Operations
      • Create Virtual Machine
      • Delete Virtual Machine
  • Virtual Machine
    • Inventory
      • Create
      • Remove
      • Move
    • Interaction
      • Power On
      • Power Off
      • Suspend
      • Reset
      • Answer Question
      • Console Interaction
      • Device Connection
      • Configure CD Media
      • Configure Floppy Media
      • Tools Install
    • Configuration
      • Rename
      • Add Existing Disk
      • Add New Disk
      • Remove Disk
      • Change CPU Count
      • Memory
      • Add/Remove Device
      • Modify Device Settings
      • Settings
      • Upgrade Virtual Hardware
      • Reset Guest Information
    • State
      • Create Snapshot
      • Revert Snapshot
      • Remove Snapshot
      • Rename Snapshot
    • Provisioning
      • Customize Clone
      • Clone
      • Create Template from VM
      • Deploy Template
      • Clone Template
      • Mark as Template
      • Mark as Virtual Machine
      • Read Customization Specifications
      • Allow Disk Access
  • Resource
    • Migrate
    • Relocate
  • Scheduled Task
    • Create Tasks
    • Remove Task
    • Run Task
    • Modify Task

Finally, this is VirtualCenter 2.5.0 build 104215, and the ESX servers are running ESX 3.5.0 build 120512.

6 Replies
RParker
Immortal

You are overthinking this. You have to apply Admin privileges to the top-level object, either ESX host or cluster. Don't propagate the permissions; only give them access to that object. Then go down to where they need access to the container, either pool or VM level, and apply the appropriate VM User / Admin / Power User role with those permissions included.

That should work. When you give a person access to JUST an object, there is no inheritance, and that top-level object has no way to let them see the disks, which is why they can't deploy. But giving them access at the top level and then changing access on the actual object later will fix this.

hicksj
Virtuoso

I don't think Dagnabbit is overthinking this, but was led down the wrong path initially by tech support. This end goal is what everyone's should be: to provide "minimum" permissions. Using "no access" to manage permissions is an absolute nightmare.

Now, I don't see an actual question in your post, but from the subject, it appears your specific question is "how do I assign cloning permissions?" In your current config, I don't know. From a scratch config, I believe you need a role with at least the following privileges:

  • VM -> Inventory -> Create

  • VM -> Interaction (all)

  • VM -> Provisioning -> {Deploy Template, Clone, Customize Clone}

  • Resource -> Assign VM to Resource Pool

Then assign this role to the resource pool where you'll allow the users to create/manage their VMs. You also must assign the role to a folder, where the users will be able to place their VMs. You may also want to create a role that provides access to the Customization Specifications, if they'll need to customize clones during deployment: VM -> Provisioning -> Read Customization Specifications, assigned at the root of Hosts & Clusters (no propagation).

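As an added example that is not part of this thread (it is neither Dagnabbit's nor hicksj's configuration), the following PowerCLI script builds the narrow clone role hicksj describes above, assigns it at a resource pool and a VM folder with propagation, and puts Read Customization Specifications at the root without propagation; it also shows how the longer Company User privilege list from the original post could be fed to the same cmdlet. It targets a current vCenter; the thread's VirtualCenter 2.5 predates today's PowerCLI cmdlet names. The vCenter hostname, the group CORP\vm-users, the resource pool Dev-Pool, the folder Dev-VMs and the role names are placeholders, and the privilege IDs are assumed to be the identifiers behind the privilege names used in the thread. Datastore.AllocateSpace is not mentioned in the thread and is included as an assumption because a clone writes new disk files to a datastore.

```powershell
# Added example, not code from the thread. Placeholders: vCenter host, group,
# pool, folder and role names. Requires VMware.PowerCLI.
Connect-VIServer -Server 'vcenter.example.com'   # placeholder hostname

$principal = 'CORP\vm-users'                       # placeholder AD group

# Privilege IDs assumed to match the names in hicksj's list:
#   VM -> Inventory -> Create
#   VM -> Interaction (all)
#   VM -> Provisioning -> {Deploy Template, Clone, Customize Clone}
#   Resource -> Assign VM to Resource Pool
$clonePrivIds = @(
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Suspend',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.AnswerQuestion',
    'VirtualMachine.Interact.ConsoleInteract',
    'VirtualMachine.Interact.DeviceConnection',
    'VirtualMachine.Interact.SetCDMedia',
    'VirtualMachine.Interact.SetFloppyMedia',
    'VirtualMachine.Interact.ToolsInstall',
    'VirtualMachine.Provisioning.DeployTemplate',
    'VirtualMachine.Provisioning.Clone',
    'VirtualMachine.Provisioning.Customize',
    'Resource.AssignVMToPool',
    # Assumption, not from the thread: a clone needs to allocate disk space
    # on the target datastore, so the role is assigned on the datastore too.
    'Datastore.AllocateSpace'
)

# Create the role once; re-running the script reuses it.
$cloneRole = Get-VIRole -Name 'VM Cloner' -ErrorAction SilentlyContinue
if (-not $cloneRole) {
    $cloneRole = New-VIRole -Name 'VM Cloner' -Privilege (Get-VIPrivilege -Id $clonePrivIds)
}

# Assign where the users work, propagating within each container only.
# No "no access" entries are needed: objects outside these two subtrees are
# simply never granted.
$pool   = Get-ResourcePool -Name 'Dev-Pool'            # placeholder
$folder = Get-Folder -Name 'Dev-VMs' -Type VM          # placeholder
New-VIPermission -Entity $pool   -Principal $principal -Role $cloneRole -Propagate:$true
New-VIPermission -Entity $folder -Principal $principal -Role $cloneRole -Propagate:$true

# Customization specs live at the root, so grant only the read privilege
# there and do not propagate, as hicksj recommends.
$specRole = Get-VIRole -Name 'Read CustSpecs' -ErrorAction SilentlyContinue
if (-not $specRole) {
    $specRole = New-VIRole -Name 'Read CustSpecs' `
        -Privilege (Get-VIPrivilege -Id 'VirtualMachine.Provisioning.ReadCustSpecs')
}
$root = Get-Folder -NoRecursion   # the hidden root folder above the datacenters
New-VIPermission -Entity $root -Principal $principal -Role $specRole -Propagate:$false

# The same cmdlet takes a longer list, e.g. the Company User role from the
# original post; snapshot and configuration IDs follow the same naming.
$companyUserExtra = @(
    'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RevertToSnapshot',
    'VirtualMachine.State.RemoveSnapshot',
    'VirtualMachine.State.RenameSnapshot',
    'VirtualMachine.Config.Rename',
    'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.AddExistingDisk',
    'VirtualMachine.Config.RemoveDisk',
    'VirtualMachine.Config.CPUCount',
    'VirtualMachine.Config.Memory'
)
if (-not (Get-VIRole -Name 'Company User' -ErrorAction SilentlyContinue)) {
    New-VIRole -Name 'Company User' -Privilege (Get-VIPrivilege -Id ($clonePrivIds + $companyUserExtra))
}

# Check: what the role actually contains and where the group holds it.
Get-VIRole -Name 'VM Cloner' | Select-Object -ExpandProperty PrivilegeList
Get-VIPermission -Principal $principal | Select-Object Entity, Role, Propagate
```

The last two lines are the verification step to run after any change: a clone that still fails with a privilege error means the operation touched an object (typically a datastore or the target folder) outside the assigned subtrees, and the fix is to grant the role on that object rather than to widen the role.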
wsaxon
Contributor

I just found this guide, which was helpful for setting permissions to allow VM creation. It looks like there are several other minimum permission scenarios as well.

It would be really nice if there was a more official VMware-published guide for all of this stuff. I haven't done an exhaustive study, but there does not appear to be an easy way to determine which permissions are being checked, and for which objects, during a particular operation. Something like that would take away all the guesswork.

http://viops.vmware.com/home/docs/DOC-1211

stratolynne
Contributor

Just wondering whether there are any new updates to this discussion in regards to VMware guidelines for minimum permissions?

Also, I tried to get to the document above but could not find it.

Thanks

Almero
Enthusiast

Hi guys, I can see it's an old post, but for the next visitor, the full list is here:

vSphere Documentation Center

shaferc1
Contributor

That was just what I needed. For future visitors, the reference above is to the vSphere 5 documentation, so below is the URL to the vSphere 6 documentation:

VMware vSphere 6.5 Documentation Library