Hello all - Another question for everyone. Is there a way to restrict a VDM administrator using the VC roles? Here is what we tried to do:
We set up the permissions for the VDM interprocess communications according to the VDM manual, page 31. We also added the proper groups into the Administrators configuration on the VDM server. The problem is we really have two sets of VDM admins, one set with full access (create, delete machines and pools) and another we only want to "support" existing machines (reboot, force disconnects, etc.).
We created a custom role in VC that is a stripped down version of the VDM Admin with only the ability to interact with the VMs. We then added this to an AD Group (VDI Service Desk). We placed this into the Administrators group on the VDM server hoping it would be a "restricted" admin.
When we ran the test, the restricted admin could still modify the settings of the pools and create, delete VMs. I suspect there is only one admin level, wide open. Does the VDM let you in if you are an admin and then use the interprocess communications id for all tasks?
Is the level of security presented here possible?
Thank you!
Aaron Delp
Hi Aaron,
There are no granular permissions in VDM Admin in VDM 2.0; in fact, the user account used to set up communication with VC is used for all actions, and not the credentials of the administrator connecting.
Got it! Thank you very much for the reply! Is there anybody I could talk to about a feature request for a future version? Having a "service desk" admin who can handle the sessions but not modify the machines and pools would be a very valuable enhancement. Thank you again!
Aaron Delp
Just in case anyone important from VMware is reading this, I would also be looking for this functionality in the next release of VDM! The need to allow the 1st line support people access to a read-only version of the VDM Administration website would be really good.
Thanks,
Sam