I was reading today about permissions on the different levels in vCenter. While reading I ran a number of tests in my tiny lab. I want to share my results with you, because there are many different opinions on the internet, and I thought this little write-up might sort things out.
First of all, check the official VMware documentation about permissions, roles and privileges using this LINK.
Let's start from the beginning.
We have a vCenter server VC, a datacenter LAB2 and an ESX host called 10.0.0.5. User "greg" is a member of the groups "leastpriv" and "mostpriv". Throughout the examples, group leastpriv will always carry fewer privileges than mostpriv.
At this point I have assigned both groups a role at the VC level (leastpriv gets No Access, mostpriv gets Administrator) and set both permissions to propagate to child objects.
So we have restricted user "greg" by giving his group leastpriv the No Access role at the VC level, and at the same time we have given him the Administrator role through his group mostpriv. In that case the result of those two permissions is the LESS restrictive one: the user gets the union of the privileges of both roles. So greg is still able to log in to VC, as on the screenshot below, and he has the Administrator role.
Now let's go back to the documentation about roles and permissions. It says:
"If multiple group permissions are defined on the same object and the user belongs to two or more of those groups, two situations are possible:
If no permission is defined for the user on that object, the user is assigned the set of privileges assigned to the groups for that object.
If a permission is defined for the user on that object, the user's permission takes precedence over all group permissions."
So here we have a situation where we have added two groups that our user "greg" belongs to, and no user permission was defined on the object. In that case, as the document says, we get the set of privileges assigned to the groups for that object. Some people may think that we would receive the least privileges here, but no, we get the whole set, i.e. the union of both roles, which results in the LEAST restrictive privileges. Let's see what happens next.
Now, for some reason, we have decided to give our user greg the No Access role on the host 10.0.0.5. We have placed this user-level permission directly on our ESX host object.
User greg now has No Access to the host. As per the VMware documentation, when a user-level permission is set on an object which also has group-level permissions in place, the user-level permission takes precedence. Our user had both Administrator and No Access on the host, both defined at the VC level and propagated down to our ESX object, but once we specify a permission for the user himself, the rights that came from his groups no longer count on that object.
Now let's add a few things.
We have created some VM folders. We can see that user "greg" can access them, and as we know he has the effective Administrator role (I have removed the No Access permission on the host for him from example #1).
We have given the Read-Only role to the leastpriv group on vmfolder2. User greg can now only view the contents of the folder vmfolder2. This role is more important here than the Administrator role on the mostpriv group, because this permission was set on the child object. As per the documentation, when a group permission propagates from a parent to a child and the child has another permission defined directly on it, the child's permission takes precedence. In our case "greg" no longer has Administrator on vmfolder2.
Don't get confused by the active option "Create new virtual machine".
If you click it, you will get an error. Our user has only read-only access there.
So here we have defined the leastpriv group with Read-Only on the folder vmfolder2. Greg could not create any VMs in that folder, but he still has Administrator privileges on the VMs that reside in it. As the screenshots show, group leastpriv is defined at the folder level and mostpriv at the VC level. The Administrator role still reaches the VMs because a virtual machine inherits permissions not only from its folder but also from its host, cluster or resource pool (see the guide excerpt at the end of this post): the VC-level Administrator propagates down the host path, so greg ends up with the union of both. So why is this setup wrong? Well, because setting Administrator privileges at the VC level is not the best idea. If you put many different groups with Administrator privileges at the VC level and set them to propagate, you can lose hours or days figuring out why some user still has access to something. Only a trusted administrators group should be set at the VC level, as it also gains rights that exist only on the root object, such as custom fields, licenses, roles, sessions and statistic intervals.
I have set the leastpriv group with Read-Only rights on vmfolder2. All VMs in that folder should now be read-only for greg, as there are no other permissions propagating down to us from upper levels. I have also set, directly on the vm2 object, his group mostpriv with Administrator privileges. Now greg can fully administer vm2 and has only read-only access to vm1. Group mostpriv is attached directly to vm2, which is a child of vmfolder2. When a role is attached directly to a child, it overrides the roles that were propagated to it.
Let's make it a bit weirder.
A few seconds ago greg was Administrator on vm2, but now he has the No Access role. Once again this happens because, even though another group (mostpriv) attached directly on the object grants the user Administrator rights, which override the limitation of group leastpriv propagating its privileges from the parent, when you attach a USER-level permission directly on the child, the user-level permission is the one that is used.
I know it's long and it might seem complicated, but I tried very hard to explain it ;). For me, reading the VMware documentation a few times worked best. I tried several different documents, but only after reading the VMware guide did I finally understand it. What is also worth mentioning:
Most inventory objects inherit permissions from a single parent object in the hierarchy. For example, a datastore inherits permissions from either its parent datastore folder or parent datacenter. Virtual machines inherit permissions from both the parent virtual machine folder and the parent host, cluster, or resource pool simultaneously. To restrict a user's privileges on a virtual machine, you must set permissions on both the parent folder and the parent host, cluster, or resource pool for that virtual machine.
That's from the VMware guide. Also in this guide (I posted the link at the beginning of the post) you will find a great diagram of the vSphere inventory hierarchy and of how objects propagate permissions.
It's 3 am now, so I know I made a lot of typos and so on. I will try to correct them tomorrow.
Please comment or message me if you think something I have written might be wrong, or if I have confused you even more ;]
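To make the rules from the examples above and from the guide excerpt concrete, here is a small Python model of the resolution logic. It is an added example, not code from this post and not VMware code. It assumes a simplified inventory (the datacenter's built-in vm and host folders are skipped, so vmfolder2 and the host hang directly off LAB2), models each role as a set of a few illustrative privilege names so that roles can be compared, and, following the guide sentence about virtual machines inheriting from both the folder and the host, combines what a VM receives from its two parents by union. The scenario functions replay the post: the two groups at the VC level, the user-level No Access on the host, Read-Only on vmfolder2 with Administrator still arriving through the host path, and the direct group and user grants on vm2.

```python
"""Model of how vCenter resolves a user's effective privileges on an object.
Added example that replays the rules this post and the quoted vSphere guide
describe; it is not VMware code, and the privilege names are a small
illustrative subset used only so that roles can be compared as sets."""
from collections import namedtuple
from dataclasses import dataclass, field

NO_ACCESS = frozenset()                                  # the "No access" role
READ_ONLY = frozenset({"System.Anonymous", "System.View", "System.Read"})
ADMIN = READ_ONLY | {"VirtualMachine.Inventory.Create",  # superset of Read-Only
                     "VirtualMachine.Interact.PowerOn"}

Perm = namedtuple("Perm", "principal is_group role propagate")

@dataclass
class Obj:
    name: str
    parents: list = field(default_factory=list)   # a VM has two: folder and host
    perms: list = field(default_factory=list)

    def grant(self, principal, is_group, role, propagate=True):
        self.perms.append(Perm(principal, is_group, role, propagate))
        return self

def _applies(p, user, groups):
    return p.principal in groups if p.is_group else p.principal == user

def _combine(entries):
    """Same-object rule: a user entry beats all group entries; otherwise the
    user gets the union of the group roles (the LEAST restrictive result)."""
    user = [p for p in entries if not p.is_group]
    if user:
        return user[0].role
    return frozenset().union(*(p.role for p in entries))

def _inherited(obj, user, groups):
    """What obj pushes down: only propagating entries count, and the nearest
    object on the way up that defines any wins (child overrides parent)."""
    here = [p for p in obj.perms if p.propagate and _applies(p, user, groups)]
    if here:
        return _combine(here)
    # a VM collects from BOTH its folder path and its host path (union)
    return frozenset().union(*(_inherited(x, user, groups) for x in obj.parents))

def effective(obj, user, groups):
    """Effective privileges of user (a member of groups) on obj."""
    direct = [p for p in obj.perms if _applies(p, user, groups)]
    return _combine(direct) if direct else _inherited(obj, user, groups)

def lab():
    """Constructed inventory mirroring the post, with the datacenter's built-in
    vm/host folders skipped: VC -> LAB2 -> vmfolder2 -> {vm1, vm2} and
    LAB2 -> 10.0.0.5 -> {vm1, vm2}."""
    vc = Obj("VC")
    lab2 = Obj("LAB2", [vc])
    folder, host = Obj("vmfolder2", [lab2]), Obj("10.0.0.5", [lab2])
    vms = [Obj("vm1", [folder, host]), Obj("vm2", [folder, host])]
    return {o.name: o for o in [vc, lab2, folder, host] + vms}

GREG, GROUPS = "greg", {"leastpriv", "mostpriv"}

def groups_on_vc_then_user_on_host():
    """No Access + Administrator on VC -> union (Administrator) on the host;
    a user-level No Access placed on the host then beats both groups there."""
    inv = lab()
    inv["VC"].grant("leastpriv", True, NO_ACCESS).grant("mostpriv", True, ADMIN)
    before = effective(inv["10.0.0.5"], GREG, GROUPS)
    inv["10.0.0.5"].grant(GREG, False, NO_ACCESS)
    return before, effective(inv["10.0.0.5"], GREG, GROUPS), effective(inv["VC"], GREG, GROUPS)

def folder_readonly_with_vc_admin():
    """Read-Only on vmfolder2 overrides the propagated Administrator on the folder,
    yet vm1 stays Administrator via the host path; restricting the host too fixes it."""
    inv = lab()
    inv["VC"].grant("mostpriv", True, ADMIN)
    inv["vmfolder2"].grant("leastpriv", True, READ_ONLY)
    folder, vm1 = effective(inv["vmfolder2"], GREG, GROUPS), effective(inv["vm1"], GREG, GROUPS)
    inv["10.0.0.5"].grant("mostpriv", True, READ_ONLY)
    return folder, vm1, effective(inv["vm1"], GREG, GROUPS)

def direct_grants_on_vm2():
    """Folder Read-Only only; group Administrator directly on vm2 overrides it,
    and a user-level No Access on vm2 then overrides the group."""
    inv = lab()
    inv["vmfolder2"].grant("leastpriv", True, READ_ONLY)
    inv["vm2"].grant("mostpriv", True, ADMIN)
    vm1, vm2 = effective(inv["vm1"], GREG, GROUPS), effective(inv["vm2"], GREG, GROUPS)
    inv["vm2"].grant(GREG, False, NO_ACCESS)
    return vm1, vm2, effective(inv["vm2"], GREG, GROUPS)
```

Call any of the scenario functions (for instance `folder_readonly_with_vc_admin()`) and compare the returned sets with ADMIN, READ_ONLY and NO_ACCESS. The second scenario is the one worth remembering when auditing a real vCenter: a Read-Only grant on a VM folder looks like a restriction in the UI, but the VM is still Administrator for greg until the host, cluster or resource pool path is restricted as well.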