VMware Cloud Community
iLikeMoney
Enthusiast

Permissions required to change network connection in resource pool

Here's the situation. I have resource pools set up by user name on a standalone ESXi 4.1 host joined to a Windows AD. I have a custom group defined with the name of 'Team'. When I have a new hire I create a pool for the user and I assign this Team role to the domain user's account. The user then logs in with their domain account and sees nothing but their own resource pool, which is exactly how I want things to stay.

Two issues have come out of this:

1) The user at times needs to map an ISO sitting on the host's local storage to their VM's virtual CD-ROM drive.

2) The user also has to be able to edit the network connection on the VM and reassign it to one of two virtual switches.

The minimum permissions required to carry out these operations have been identified as follows:

Datastore> Browse datastore

Network > Assign Network

Virtual Machine > Configuration > Modify device settings

Virtual Machine > Configuration > Settings

Now the catch: these permissions appear to have no effect when applied at the resource pool level. The ability to carry out these actions only becomes possible when I apply them at the host (datacenter) level with propagation enabled; however, if I DO that, the user logs in and sees all of the other resource pools. Has anyone found a workaround for this? Doesn't seem like rocket science, but I've wasted half a day tinkering with it.

Thanks for any help.

8 Replies
Dave_Mishchenko
Immortal

Have you tried to assign just the datastore and network permissions at the host level?

Dave
VMware Communities User Moderator

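As an added example (my own, not code from this thread), here is what the split Dave hints at looks like in PowerCLI against a vCenter Server. The VM-side privileges go on the user's resource pool with propagation, while Browse datastore and Assign network go on the datastore and network objects themselves: those objects are not descendants of the resource pool, so a permission propagated from the pool never reaches them, which is why the four privileges seemed to do nothing there. Nothing is granted at the datacenter or host level, so the account still sees only its own pool. The server name, account, pool, datastore and network names are placeholders, and the example assumes vCenter, since that is where datastores and networks are separate inventory objects that can carry their own permissions.

```powershell
# Added example, not from the thread: grant each privilege on the inventory object
# that owns it, instead of propagating one role down from the datacenter.
# Assumes a PowerCLI session to vCenter Server. Every name below is a placeholder.
Connect-VIServer -Server 'vcenter.example.com'

$user     = 'CORP\jdoe'                            # placeholder AD account
$pool     = Get-ResourcePool -Name 'jdoe-pool'     # placeholder: the user's own pool
$isoStore = Get-Datastore    -Name 'datastore1'    # placeholder: local datastore holding the ISOs
$netNames = 'VM Network', 'Test Network'           # placeholder: the two vSwitch port groups

# Privileges for the resource pool: VM-side only.
# vCenter adds the System.Anonymous/View/Read privileges to every role by itself.
$teamPrivIds = @(
    'VirtualMachine.Config.Settings'    # "Settings"
    'VirtualMachine.Config.EditDevice'  # "Modify device settings"
    'Network.Assign'                    # "Assign network" (also needed on the VM side)
)
$teamRole = New-VIRole -Name 'Team' -Privilege (Get-VIPrivilege -Id $teamPrivIds)

# Narrow roles for the objects that are NOT descendants of the pool.
$isoRole = New-VIRole -Name 'Team-ISO-Browse' -Privilege (Get-VIPrivilege -Id 'Datastore.Browse')
$netRole = New-VIRole -Name 'Team-Net-Assign' -Privilege (Get-VIPrivilege -Id 'Network.Assign')

# Propagate only inside the pool, so the user sees that pool and its VMs, nothing else.
New-VIPermission -Entity $pool -Principal $user -Role $teamRole -Propagate:$true

# Non-propagating permission on the datastore that holds the ISOs.
New-VIPermission -Entity $isoStore -Principal $user -Role $isoRole -Propagate:$false

# Standard port groups show up in vCenter as Network inventory objects; permission them directly.
foreach ($name in $netNames) {
    $netView = Get-View -ViewType Network -Filter @{ 'Name' = "^$([regex]::Escape($name))$" }
    $netObj  = Get-VIObjectByVIView -VIView $netView
    New-VIPermission -Entity $netObj -Principal $user -Role $netRole -Propagate:$false
}

# Check: list everything this account holds. Any row whose Entity is the datacenter
# or the host with Propagate = True is what exposes every other resource pool.
Get-VIPermission -Principal $user |
    Select-Object Principal, Role, Propagate, @{ n = 'Entity'; e = { $_.Entity.Name } } |
    Format-Table -AutoSize
```

Whether a standalone ESXi 4.1 host connected to directly lets you set a permission on a datastore or network object is not something this thread settles, so treat the datastore and network permissions above as the vCenter path. The final Get-VIPermission listing is the check worth running after any change: the account should hold exactly one propagating permission, on its own pool, plus the non-propagating ones on the datastore and the two networks.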
iLikeMoney
Enthusiast

Dave, thanks for the reply. Yes, I've tried applying those permissions just at the host level. What I apply at the host level does not apply to VMs within the resource pool unless the access rule has the propagate checkbox enabled. It's a catch-22, because as soon as propagation is enabled the permission works, but I can see all of the resource pools. Must be something I'm missing here; I'm doing something dumb.

Simon_H
Enthusiast

Did you manage to get this working, iLikeMoney? I've got a similar problem: my AD account is set as administrator on a VM cluster (but not for the whole Data Center, of course). Curiously, I can configure vSwitches on hosts within the cluster fine (and presumably even delete them), but when it comes to VMs I cannot allocate a VM's NIC to a network on a vSwitch; it just shows the yellow "!" triangle instead of the drop-down list of available networks. (The vSphere client is 4.1.0 and the hosts are running ESXi 4.1U1 build 348481.)

Any ideas?

Simon

iLikeMoney
Enthusiast

No, unfortunately I never found a solution for this. It continues to impact my team to this day, as I have refused to grant permissions to users at the datacenter level; otherwise they have a full view of all VMs on the host. The network connection change issue I can tolerate, as generally we don't have to change this; however, the ISO attachment issue impacts us weekly. I may be getting access to vCenter soon and I don't know if that will help, but even on the free stuff this should be possible to do the right way. I think it needs to be addressed by VMware.

DSTAVERT
Immortal

Put your ISOs on a network share and use a virtual CD app inside the OS.

http://support.microsoft.com/kb/916902

http://static.slysoft.com/SetupVirtualCloneDrive.exe

-- David -- VMware Communities Moderator
Simon_H
Enthusiast

iLikeMoney: thanks for the update. It seems a bit odd that it doesn't work, as I would have thought it was a very common requirement. E.g., a data center has a bunch of servers, some in a production cluster, some in a test cluster. Your Production Administrator wants to let the Test environment Administrator do all the leg work on the test servers (but not give them any access to production, of course).

I wonder if this is only a problem with MS AD users? Or a version compatibility issue? I tried updating my vSphere client (to 4.1 build 345043) but notice the vCenter Server is older (4.1.0 build 258902). Could the version of vCenter be the problem?

iLikeMoney
Enthusiast

Thanks for the workaround suggestion. I am aware of freeware utility apps such as MagicDisc; the one you're pointing me to I didn't know about. However, my position on it is that I already have a virtual CD-ROM drive on the VM, and I should be able to allow this in the vSphere client through user-specific permissions at the resource pool level without introducing additional software on clean OS test images. The vSphere client has to have some perks like this; otherwise we might just as well go back to using Remote Desktop to put end users into the VMs and get away from the vSphere client altogether. Maybe my usage scenario isn't so ordinary; I'm not sure what others are doing with respect to the vSphere client. By and large RDP is OK. I just wanted to provide a bit more of a sense of control for start-up, shutdown, reconfiguration, etc., but with limitations like this I'm not sure how worth it it's been for us. I have not rolled it out to everyone yet, but this is the feedback I've heard...

DSTAVERT
Immortal

While you can't get away without having the vSphere client, I would much rather have direct access to the guest for day-to-day operations. The vSphere client is far too slow by comparison to RDP, but that is just me.

You can still use a share with the vSphere client. Use "Connect to ISO image on local disk" and point it at the network share.

-- David -- VMware Communities Moderator