I am having a serious issue. We are running a dedicated vSphere environment for a customer. We have created a management resource pool for our vms (SRM, vCenter, PSC and so on) and put the datastores and network into folders on which we set NoAccess to the customers admin and backup groups.
In webclient that works well.
However, the client noticed he is able to backup our vms as well. Upon further inspection, I learned that I can use a restricted user to normally browse our management datastore and list the vms in it.
I seem to be missing some fundamental knowledge here. Do I have to edit an independent set of permissions for PowerCLI?
Regards and thanks,
No, PowerCLI has no permissions, it purely relies on the ones set on the vCenter.
Did you already try setting the NoAccess on the root folder?
You can get that with
$rootFolder = Get-Folder -Name Datacenters
Also note that there are 4 types of folders (Host & Cluster, VM & Template, Storage, Network).
You will have to set permissions on all 4 of these.