jwurfel
Contributor

Virtual center roles/rights/permissions. What does "Datastore" -> "File Level Management" right do?

Hi VMTN

We have a special AD license-monitoring user that only needs "read" access to log files on VMFS datastores. We run VC 2.5 and ESX 3.5 U3.

The question is how to do that.

In Virtual Center -> under Administration -> we have created a new custom role -> given the role the privilege "Browse datastore" -> and "File Management". (But NOT the "Remove file" privilege.)

Then in Virtual Center -> under Inventory -> Permissions on Hosts and Clusters -> we have given the AD user the custom role just created (with propagate).

We then log into Virtual Center again with the specific AD license-monitoring user and browse to a datastore to see what rights we have been given. Sadly, we have rights to create folders, cut + copy + move files and also to delete files.

Why is that? My guess would be that "Datastore" -> "File Level Management" right would only have simple rights like read + copy rights.

AntonVZhbankov
Immortal

Unfortunately ESX 3.5 and VC 2.5 do not support granular privileges for datastores. You have to upgrade to vSphere or give this user full rights on datastores.


---

VMware vExpert '2009

http://blog.vadmin.ru

EMCCAe, HPE ASE, MCITP: SA+VA, VCP 3/4/5, VMware vExpert XO (14 stars)
VMUG Russia Leader
http://t.me/beerpanda
jwurfel
Contributor

Hi

Tried doing the same test on our vSphere 4.0 cluster that we run in Chennai, India. Sadly, it is the same problem here.

Now the privilege is called "Low level file operations", but it gives the user given that role the right to DELETE files.

That is strange.

Any other ideas?

AntonVZhbankov
Immortal

Yes, unfortunately you can't give a user the right only to read files.

So, you have to give some user rights for low level operations, and run a service under this user account to copy log files to centralized storage. This is the only way I think.

hicksj
Virtuoso

One possibility might be to write a little web interface for these users. The script scans the folders for the log files they may need and presents the list of available files to them. Clicking the file hyperlink would then execute another function in the script that packages/delivers the log file.

That way the monitoring user doesn't interact directly with the virtual infrastructure and is presented with only what they need.

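As an added example in the spirit of hicksj's suggestion (not code from this thread or from VMware): a minimal read-only log browser in Python. It assumes the logs have already been copied off the datastores into a directory on the web host (the LOG_ROOT path is an assumption), lists only .log files, and refuses any request that resolves outside that directory or to a non-log file, so the monitoring user gets read access and nothing more.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
from typing import List, Optional
from urllib.parse import unquote, urlparse

# Assumed: a separate service account copies the logs off the datastores into this
# directory (as Anton describes); this web script never touches vCenter or ESX itself.
LOG_ROOT = Path("/var/vmlogs").resolve()
ALLOWED_SUFFIXES = {".log"}  # only plain log files are ever listed or served

def list_log_files(root: Path) -> List[str]:
    """Relative paths of allowed log files under root, sorted for stable display."""
    root = root.resolve()
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and p.suffix in ALLOWED_SUFFIXES)

def resolve_log_path(root: Path, requested: str) -> Optional[Path]:
    """Map a user-supplied name to a file under root; None if it escapes root
    (../ traversal, absolute path, symlink) or is not an allowed log file."""
    root = root.resolve()
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    if not candidate.is_file() or candidate.suffix not in ALLOWED_SUFFIXES:
        return None
    return candidate

class ReadOnlyLogHandler(BaseHTTPRequestHandler):
    """GET / lists files, GET /<relative path> returns one file; no other methods."""
    def do_GET(self) -> None:
        rel = unquote(urlparse(self.path).path).lstrip("/")
        if rel == "":
            self._send(200, "\n".join(list_log_files(LOG_ROOT)).encode())
            return
        target = resolve_log_path(LOG_ROOT, rel)
        if target is None:
            self._send(404, b"not found")  # same answer for missing, escaped or disallowed
        else:
            self._send(200, target.read_bytes())

    def _send(self, code: int, body: bytes) -> None:
        self.send_response(code)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":  # binds to localhost; put authentication and TLS in front of it
    HTTPServer(("127.0.0.1", 8080), ReadOnlyLogHandler).serve_forever()
```

Run it behind a reverse proxy that authenticates the monitoring user; the script itself only decides which files under LOG_ROOT are visible.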
Texiwill
Leadership

Hello,

Roles and Permissions are just not granular enough. You can either use a script as hicksj has suggested or look into using the Hytrust Appliance. Hytrust imposes MUCH more granular permissions.


Best regards,

Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available: 'VMware ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
echiu
Contributor

Fixing HyTrust search in VMware communities.
