Hi VMTN
We have a special AD license monitoring user that only needs "read" access to log files on VMFS datastores. We run VC 2.5 and ESX 3.5 U3.
The question is how to do that.
In Virtual Center -> under Administration -> we have created a new custom role -> given the role the privileges - "Browse datastore" -> and - "File Management". (But NOT the - "Remove file" privilege)
Then in Virtual Center -> Under Inventory -> Permissions on Hosts and Clusters -> given the AD user the custom role just created (with propagate)
We then log in to Virtual Center again, with the specific AD license monitoring user, and then browse to a datastore to see what rights we have been given. Sadly, we do have rights to create folders, cut + copy + move files and also to delete files.
Why is that? My guess would be that "Datastore" -> "File Level Management" right would only have simple rights like read + copy rights.
Unfortunately ESX 3.5 and VC 2.5 do not support granular privileges for datastores. You have to upgrade to vSphere or give this user full rights on datastores.
---
VMware vExpert '2009
Yes, unfortunately you can't give a user the right only to read files.
So, you have to give some user rights for low level operations, and run a service under this user account to copy log files to centralized storage. This is the only way, I think.
---
VMware vExpert '2009
One possibility might be to write a little web interface for these users. The script scans the folders for the log files they may need and presents the list of available files to them. Clicking the file hyperlink would then execute another function in the script that packages/delivers the log file.
That way the monitoring user doesn't interact directly with the virtual infrastructure and is presented with only what they need.
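The listing and fetch logic such a script would need, as an added example that is not part of the original post: it assumes the datastore is reachable as a directory by the script's own service account, and every name here (`list_logs`, `resolve_log`, `read_log`, the sample tree) is hypothetical. The point is that the monitoring user's input only ever selects a `.log` file inside the log root, so the broker exposes read access and nothing else.

```python
import os
import tempfile
from pathlib import Path

LOG_SUFFIXES = {".log"}  # assumption: only *.log files are served


def list_logs(root):
    """Return sorted root-relative paths of the log files under root."""
    root = Path(root).resolve()
    found = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow directory symlinks
        for name in files:
            p = Path(dirpath) / name
            if p.suffix in LOG_SUFFIXES and p.is_file() and not p.is_symlink():
                found.append(p.relative_to(root).as_posix())
    return sorted(found)


def resolve_log(root, requested):
    """Map a user-supplied relative path to a real log file or raise PermissionError."""
    root = Path(root).resolve()
    # resolve() collapses ".." and symlinks, so containment is checked on the real path
    target = (root / requested).resolve()
    if root not in target.parents:
        raise PermissionError("outside log root")
    if target.suffix not in LOG_SUFFIXES or not target.is_file():
        raise PermissionError("not a served log file")
    return target


def read_log(root, requested, max_bytes=5 * 1024 * 1024):
    """Return at most max_bytes from the tail of an allowed log file."""
    path = resolve_log(root, requested)
    with open(path, "rb") as fh:  # opened read-only; the broker never writes
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - max_bytes))
        return fh.read()


def build_sample_tree():
    """Constructed sample layout standing in for a mounted datastore."""
    base = Path(tempfile.mkdtemp())
    root = base / "datastore1"
    (root / "vm01").mkdir(parents=True)
    (root / "vm01" / "vmware.log").write_bytes(b"constructed log line\n")
    (root / "vm01" / "vm01.vmdk").write_bytes(b"disk")
    (base / "secret.log").write_bytes(b"outside root")
    return root
```

A web front-end would call `list_logs` to render the links and `read_log` to deliver a file, authenticating the monitoring user itself rather than passing their credentials to the virtual infrastructure.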
Hello,
Roles and Permissions are just not granular enough. You can either use a script as hicksj has suggested or look into using the Hytrust Appliance. Hytrust imposes MUCH more granular permissions.
Best regards,
Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast
Fixing HyTrust search in VMware communities.