Permisions - on folders or resource pools?

Where does everyone set permissions on VM's? We've been using v3 for about a year now. We had set up VM's by project, dumped them into folders, and set permissions on those folders. We recently implemented resource pools. Which, by the way, really helped with increase performance across the board. Well, you can put permissions on resource pools too. I find now that the view I usually look at in Virtual Center is "Hosts and Clusters" rather than "Virtual machines and templates" where you can see folders. Is there any harm in using the resource pools for permissions on VM's? Or, is using both better?

0 Kudos
2 Replies

It can be hard to fully understand and manage permissions in VirtualCenter. It is often unclear what consequences a change will have and you need a lot of testing to not oversee any side effects of permission changes.

We use permissions on folders only. You can also set permissions on resource pools but I would be very careful about mixing both, because this will add even more complexity.

What setup you use depends on what you want to achieve: Folders are for organizational hierarchies only. Inside a datacenter they work independently from the technical hierarchy of hosts, clusters and resource pools. We use folders to group VMs per system type (Unix servers, Windows servers, workstations) and assign folder based permissions to the various teams that need to manage the various machine types.

A common usage scenario for resource pool based permissions is a delegation model where you want other people to manage a pool of (typically limited) CPU and RAM resources completely on their own. This is what the built-in "Resource Pool Administrator" role is for. This way you can e.g. allow someone else to create a theoretically unlimited number of new VMs, but keep them all in the same limited resource pool without touching the resources of all other VMs.

If you want to dive into this subject take a look at these white papers:

Managing VMware VirtualCenter Roles and Permissions[/url]

Resource Management with VMware DRS[/url]

\- Andreas

Twitter: @VFrontDe, @ESXiPatches | https://esxi-patches.v-front.de | https://vibsdepot.v-front.de

Normally I use permissions on folders, so that I can group VMs by project team. If your VMs for a particular project had a reservation or cap, or were all organized with the same shares, then it might be prudent to add permissions to resource pools. That might also be better if you had a particular cost center that paid for a percentage of the hardware/software setup, so then you could allocate the appropriate percentage of resources to that cost center and set up a resource pool. For most situations I have encountered, setting up folder-level permissions is more than enough though.