bennid
Contributor

VCenter: User in multiple groups with different permissions getting smallest permissions

Hello,

We've finally hit the usage of our VCenter setup where we need to start using group permissions instead of individual user permissions. I've set up multiple groups (QA, Automation, App, VCenter Users, and Administrators) for our users. However -- I've run into an issue where a user should be in QA, Automation, and Administrators, and I set appropriate permissions on a resource pool (QA - Read-only, Automation and Administrators full control).

When logging in as the user, it's like VCenter defaults to the *least* permissions for the object being checked, and the user only has read-only for the resource pool (and propagated items). Is this expected behaviour for vcenter and permissions? I'd assume that the user should get the highest permissions for all the groups they're in.

Thanks,

Ben

Accepted Solutions
Troy_Clavell
Immortal

If you are setting permissions on the vCenter level, then yes, you'll have to uncheck the Propagate to Child Objects. What you can then do is add permissions onto each individual resource pool.

Is the ultimate goal only to allow these select members to have access to the Resource pools, not the entire VI?

Troy_Clavell
Immortal

This is by design. You can have multiple users part of multiple AD groups and add them using the Hosts & Clusters View, and the highest permissions win. However, when you start adding permissions to individual resource pools, or folders in the VM & Templates view, most restrictive wins.

I was doing a demo last week and added myself into an AD group and attached that AD group to a folder in the VM & Templates view... therefore locking myself out... Fun!! Took a few minutes for me to realize what I had done....

bilalhashmi
Expert

The user will get the least common privilege. This is by design and if you think about it, it makes most sense. Besides, if this user is member of the Admin group, why add him anywhere else if you want him to have all the permissions?

Follow me @ Cloud-Buddy.com

Blog: www.Cloud-Buddy.com | Follow me @hashmibilal
Troy_Clavell
Immortal

Let me clarify my statement a bit... If you are a member of two AD groups and you are part of a role that is more restrictive than say the Administrator role and you add both AD groups at the same level, permissions are combined therefore least restrictive wins... However if they are not added at the same level, most restrictive wins.... Hope that helps a bit more.

bennid
Contributor

Hi Bilal,

Yes -- this makes sense for Administrator -- however, say the user was only a member of QA and Automation, and QA had admin privs on 4 pools, and automation had admin privs on 4 other pools. I'd want that user to have privs to all 8 pools, instead of none of them.

I know I can put individual permissions on those resource pools, but if we have 10 people in qa, and 6 in automation, that seems like an awful lot of work for something the groups (in theory) should be able to take care of.

-Ben

bennid
Contributor

Hi Troy,

I actually 'propagated' all the permissions down, so I cannot just 'remove' the qa from the automation resource pool and vice versa (it defaults to Administrator). It's probably an odd setup where most resource pools will be admin for qa except for a select few that I only want automation to be able to access. Is there a better way to attack the pools / access (as well as a datastore) for these two groups and people who would belong to both qa and automation?

Thanks,

Ben

bennid
Contributor

To give some more detail -- I added permissions for the QA group at the root VCenter Server object as Administrator and propagated that permission. I then went to the "automation" resource pool, and gave the Automation group Administrator permissions on that pool, and was forced to set the QA group to either no access, or "read-only". I couldn't have the permissions simply 'ignore' the qa group for that pool. The example I gave before is the one that's most pertinent:

root (QA Admin)
+ rp1 (QA Admin)
+ rp2 (QA Admin)
+ rp3 (Automation Admin)
+ rp3 (QA Admin)
+ rp4 (Automation Admin)

If I have a user in both groups, what would be the easiest way of doing this? Do I have to disable "propagate" and do every single resource pool?

Thanks again,

Ben

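The two resolution rules Troy describes (group entries on the same object are combined; an entry set directly on a child object takes precedence over what propagates from above), run over the root / rp1..rp4 tree from Ben's post. This is an added Python model for the thread, not code from the forum or from VMware: the privilege sets standing in for the roles and the inventory layout are constructed stand-ins, and the line giving a direct user entry precedence over group entries follows the vSphere permissions documentation.

```python
from dataclasses import dataclass

# Simplified privilege sets standing in for vCenter roles (constructed, not the real lists).
ROLES = {
    "Administrator": frozenset({"System.Read", "Resource.AssignVMToPool", "VirtualMachine.Interact.PowerOn"}),
    "Read-only": frozenset({"System.Read"}),
    "No access": frozenset(),
}

@dataclass(frozen=True)
class Permission:
    obj: str         # inventory object the entry is set on
    principal: str   # group or user name
    role: str
    propagate: bool  # "Propagate to Child Objects"

def effective_privileges(obj, user, groups, parents, permissions):
    """Walk from obj toward the root; the nearest object with a matching entry decides."""
    principals = {user, *groups}
    node = obj
    while node is not None:
        here = node == obj
        matches = [p for p in permissions
                   if p.obj == node and p.principal in principals and (here or p.propagate)]
        if matches:
            # A direct user entry overrides group entries on the same object;
            # otherwise all matching group entries are combined (union).
            chosen = [p for p in matches if p.principal == user] or matches
            return frozenset().union(*(ROLES[p.role] for p in chosen))
        node = parents[node]   # nothing applies here, so inheritance continues upward
    return frozenset()

# Ben's inventory: vCenter root with four resource pools (constructed from his post).
PARENTS = {"root": None, "rp1": "root", "rp2": "root", "rp3": "root", "rp4": "root"}
PERMISSIONS = [
    Permission("root", "QA", "Administrator", propagate=True),
    Permission("rp3", "Automation", "Administrator", propagate=True),
    Permission("rp3", "QA", "Read-only", propagate=True),
    Permission("rp4", "Automation", "Administrator", propagate=True),
]

def role_for(obj, user, groups):
    """Name the role whose privilege set equals the resolved set (for display)."""
    privs = effective_privileges(obj, user, groups, PARENTS, PERMISSIONS)
    return next(name for name, s in ROLES.items() if s == privs)

if __name__ == "__main__":
    for obj in ("rp1", "rp3", "rp4"):
        print(obj, "QA only:", role_for(obj, "alice", {"QA"}),
              "| QA+Automation:", role_for(obj, "ben", {"QA", "Automation"}))
```

Note that a QA-only member still resolves to Administrator on rp4 through the propagated root entry, which is why an explicit entry on the pool is the only way to narrow it; reviewing effective access per object, not per group, is what catches that.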