I deleted a previous thread related to this issue as it hadn't received any responses and I have some more details to provide.
We are running ESXi 5.1 on three clusters and manage them via vCenter. Traditionally we've used the normal vSphere client for end-users to power on/off their VMs, but we are trying to move everyone to the vSphere Web Client. Unfortunately we've run into some issues that I'm hoping someone here can assist with.
The structure is pretty simple - two data centers, the three clusters divided between those, and then resource groups under each of those, which is where we apply our security settings. The security is very simple - one security level applied at the resource level using AD groups as the members. This has worked fine with the vSphere client and continues to work fine.
The problem we're running into is that users receive the following error message when trying to power on VMs via the vSphere web client:
*****
The "Power on virtual machine" operation failed for the entity with the following error message.
Virtual machine cannot be found.
*****
After a long string of experiments I've figured out that if I apply the same security at the data center level, everything works fine for the end-user. If I apply it at the cluster or resource group level, they receive the error.
I tried applying a read-only (non-propagating) permission at the data center and cluster level and then appropriate permissions at the resource group, but that made no difference.
Can anyone explain to me what might be happening? I don't see anything interesting in the logs and am at a loss on how to troubleshoot this one.
Is the DRS setting at the cluster level set to fully automated?
Yes - it is set to fully automated.
Anyone? Could really use a little help on this...
When a VM is powered on, the target object is the data center for that operation. That might explain the behavior you're seeing with the permissions. Beyond that, I don't have a good answer as to why the web client is behaving differently, since permissions are enforced server-side.
Are you truly using the resource groups, or are you using them as a means of logically grouping your servers? If the latter, can you try creating VM folders and applying permissions on the folders, then see if it works?
I have the same problem with the web client. I set read-only permission on the datacenter and admin permission on the resource pool for the end user. It works fine for the vSphere client and for new VMs in the web client. But VMs from the old ESXi server get "Virtual machine cannot be found." when powered on in the web client.
After some tries I found the old VMs in a folder "Discovered virtual machine" in the "VMs and Templates" view. After setting read-only permission on the "Discovered virtual machine" folder, everything is OK now.
I hope this will help.
You are not alone, experiencing the very same issues. Going to log a ticket with VMware. Will post an outcome if permitted.
Hi,
I have a solution for you to try. We create an AD group, then a new role in ESX, and attach the AD group to both the cluster and a folder.
1. First create an AD group and place in it all the users you want to have control over a cluster only.
Using vSphere Client
2. Home -> Administration -> Roles
Right click > Add...: create a new custom role called "Custom Admins" with 'All Privileges'
3. Home -> Inventory -> Hosts and Clusters --- Permissions tab
Right click > Add Permission...: in the left pane add the AD group which contains the 'Normal Users'. In the right pane assign the role "Cluster Admins" and make sure you propagate.
4. Home -> Inventory -> VMs and Templates
At the Datacentre level: Right click > New Folder
Important. Move all the virtual machines into there before proceeding.
Highlight the new Folder --- Permissions tab
Right click > Add Permission...: in the left pane add the AD group which contains the 'Normal Users'. In the right pane assign the role "Cluster Admins" and make sure you propagate.
5. Log out of the Web Client using the logout feature in web client.
Log back in and you should have "Power on" as a menu item available for the virtual machine which now should also work for you.
This is not from VMware Support this is from me messing around so proceed at your own risk.
Let me know how you get on and Good luck !!!
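The same five steps driven from PowerCLI, as an added example that is not from the poster above or from VMware. The role name follows what the post assigns in steps 3 and 4 ("Cluster Admins"); the vCenter host, AD group, cluster, datacenter and folder names are placeholders and must be changed. It requires VMware PowerCLI and a vCenter login with permission to manage roles and permissions.

```powershell
# Added example, not from the post above or from VMware: the same five steps
# driven with PowerCLI instead of the vSphere Client. Every name below
# (vCenter host, AD group, cluster, datacenter, folder) is a placeholder.

$adGroup        = 'EXAMPLE\Normal Users'   # assumption: the AD group from step 1, DOMAIN\group form
$roleName       = 'Cluster Admins'         # the role name the post assigns in steps 3 and 4
$clusterName    = 'Cluster01'              # assumption: placeholder
$datacenterName = 'DC01'                   # assumption: placeholder
$folderName     = 'Cluster01 VMs'          # assumption: the new folder from step 4

Connect-VIServer -Server 'vcenter.example.com' | Out-Null   # assumption: placeholder host

# Step 2: custom role with all privileges. Get-VIPrivilege -PrivilegeItem
# returns every individual privilege known to this vCenter.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -PrivilegeItem)
}

# Step 3: the group gets the role on the cluster, propagating to child objects.
$cluster = Get-Cluster -Name $clusterName
New-VIPermission -Entity $cluster -Principal $adGroup -Role $role -Propagate:$true | Out-Null

# Step 4: a new VM folder directly under the datacenter in the
# "VMs and Templates" view (its hidden root folder is named "vm"),
# the cluster's VMs moved into it, and the same permission on the folder.
$datacenter = Get-Datacenter -Name $datacenterName
$vmRoot = Get-Folder -Name 'vm' -Type VM -Location $datacenter
$folder = Get-Folder -Name $folderName -Location $vmRoot -NoRecursion -ErrorAction SilentlyContinue
if (-not $folder) {
    $folder = New-Folder -Name $folderName -Location $vmRoot
}
# Moving a VM to a folder only changes its inventory location, not its host or storage.
$cluster | Get-VM | Where-Object { $_.Folder.Id -ne $folder.Id } |
    Move-VM -Destination $folder -Confirm:$false | Out-Null
New-VIPermission -Entity $folder -Principal $adGroup -Role $role -Propagate:$true | Out-Null

# Step 5 is a Web Client logout/login. Before asking the user to do that,
# confirm that both permissions exist and propagate.
Get-VIPermission -Entity $cluster, $folder |
    Where-Object { $_.Principal -eq $adGroup } |
    Select-Object Entity, Principal, Role, Propagate | Format-Table -AutoSize
```

The final Get-VIPermission listing should show two rows for the group, one on the cluster and one on the folder, both with Propagate set to True; if either is missing, the Web Client user will still hit "Virtual machine cannot be found".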
Just to add a bit of clarification, since there are partial answers.
Issue: For some reason, the web client requires access to Home->Inventory->VMs and Templates and the "folders" within it.
Cause: If an upgrade is performed from an old version of vSphere, we can end up with a folder called "Discovered virtual machine" in Home->Inventory->VMs and Templates. We can also end up with a different folder if one was created manually. Permission is not granted to the folders by default.
Solution:
If the VM is inside a folder, either:
1. Move it to the top level (i.e. without the folder)
2. Grant the user read-only access to the folder (do not inherit, i.e. uncheck "Propagate to Child Objects", so that the user cannot see other VMs)
The above fixes the "Virtual machine cannot be found" error.
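A PowerCLI check for the cause described in the post above, added here as an example that is not from the poster or from VMware. For each VM in a cluster it walks the folder chain in the "VMs and Templates" view and reports whether the given principal holds a permission that reaches the VM's own folder, using vCenter's inheritance rule (a permission on the object itself, or a propagating permission on an ancestor); it then offers the post's option 2, a non-propagating Read-Only permission on the VM's immediate folder. The principal, vCenter host and cluster names are placeholders.

```powershell
# Added example (not from the post above or from VMware): find VMs whose
# folder the principal cannot see, and optionally grant non-propagating
# Read-Only on that folder. Names marked "assumption" are placeholders.

function Get-VMFolderChain {
    # The VM's own folder and its ancestor folders, nearest first, stopping
    # at the datacenter (the hidden root folder of the view is named "vm").
    param([Parameter(Mandatory)] $VM)
    $chain = @()
    $node = $VM.Folder
    while ($node -is [VMware.VimAutomation.ViCore.Types.V1.Inventory.Folder]) {
        $chain += $node
        $node = $node.Parent
    }
    return $chain
}

function Test-FolderPermission {
    # $true if the principal has any permission on the VM's own folder, or a
    # propagating permission on an ancestor folder or on the datacenter.
    # Get-VIPermission -Entity reads the permissions defined on each object.
    param(
        [Parameter(Mandatory)] $VM,
        [Parameter(Mandatory)] [string] $Principal
    )
    $entities = @(Get-VMFolderChain -VM $VM) + @(Get-Datacenter -VM $VM)
    for ($i = 0; $i -lt $entities.Count; $i++) {
        $perms = Get-VIPermission -Entity $entities[$i] |
                 Where-Object { $_.Principal -eq $Principal }
        foreach ($p in $perms) {
            # index 0 is the VM's own folder: a non-propagating permission there is enough
            if ($i -eq 0 -or $p.Propagate) { return $true }
        }
    }
    return $false
}

function Grant-FolderReadOnly {
    # Option 2 from the post: Read-Only on the VM's immediate folder with
    # propagation off, so the user can resolve the VM without seeing its siblings.
    param(
        [Parameter(Mandatory)] $VM,
        [Parameter(Mandatory)] [string] $Principal
    )
    $readOnly = Get-VIRole -Name 'ReadOnly'   # built-in role, shown as "Read-only" in the client
    New-VIPermission -Entity $VM.Folder -Principal $Principal -Role $readOnly -Propagate:$false
}

$principal = 'EXAMPLE\Normal Users'                          # assumption: placeholder
Connect-VIServer -Server 'vcenter.example.com' | Out-Null     # assumption: placeholder host

# Report the VMs this principal cannot reach through the folder view.
$unreachable = Get-Cluster -Name 'Cluster01' | Get-VM |      # assumption: placeholder cluster
    Where-Object { -not (Test-FolderPermission -VM $_ -Principal $principal) }
$unreachable | ForEach-Object {
    [pscustomobject]@{ VM = $_.Name; Folder = $_.Folder.Name }
} | Format-Table -AutoSize

# Apply the fix only after reviewing the report above.
# $unreachable | ForEach-Object { Grant-FolderReadOnly -VM $_ -Principal $principal | Out-Null }
```

Run the report first; VMs listed with Folder = "Discovered virtual machine" are the upgrade leftovers the post describes, and after Grant-FolderReadOnly the same report should come back empty.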
Easy fix for this:
Roles > select the Role in question > Edit > expand Datastore > select Browse Datastore
Have the user refresh and Power On the VM.
The thing here is, you need to give permission at the resource pool level and the folder level as well. It is not enough to give permission at one level. So you need to give read-only at the top and on the folder as well, and give the Virtual Machine Power User permission on the virtual machine itself.
To get around this issue we create two roles for each distribution list, one Read Only and one VM User permission (or use whatever permission you would normally assign).
We assign the read-only permissions to the root level in vCenter and then apply the other role's permissions at whatever level that group needs, be it multiple folders, specific VM objects, etc.
I hope this helps.