Thanks in advance for any assistance!
I'm trying to delegate permissions to a single VM to allow an application administrator vCenter and VM access. When I set the user up as a Virtual Machine Administrator to the VM only, the user cannot see the VM in the VIC client (they cannot see the cluster or resource pool the VM is a member of either). The only way I can get this to work is to give them read permissions to the container above the VM, in this case a resource pool. Obviously they only have read access to all the other VMs in that resource pool but I would prefer if they could only see the VM they have permissions to. Am I missing something or is this not possible?
I've never assign permissions the granular before and I guess I just assumed, based on my research, vCenter used an access base enumeration algorithm but my assumption is probably wrong (they usually are).
can you create a folder under the virtual machines & templates view, drag the VM in question into that folder and give permissions on that folder?
Do you only want them to see the one VM only?
Delegate or Assign? To assign the permission, you assign the permission ONLY on the object you desire. You do NOT assign lesser permissions above that object. It sounds like you have denied this user access to items above the VM and trying to assign greater perms to the VM itself. This does not work. The 'least' permissions win.
So you have the following:
DC .... Cluster ......... Resource Pool ..............VM <= ASSIGN PERM HERE
In general do not assign perms anywhere else. Ideally you would ONLY assign the perms ona VM under the VIrtual Machine and Templates View NOT the Host and CLusters VIew
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst[/url]
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'[/url]
Also available 'VMWare ESX Server in the Enterprise'[/url]
[url=http://www.astroarch.com/wiki/index.php/Blog_Roll]SearchVMware Pro[/url]|Blue Gears[/url]|Top Virtualization Security Links[/url]|Virtualization Security Round Table Podcast[/url]
This is patently wrong. If you only assign permission to the object that you are wanting to grant access, the result will be that when the user logs into vCenter Web Access, they will not see any inventory.